Re: Preventing logon to local accounts
- From: JAMiE132 <JAMiE132@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 19 Jan 2009 02:35:02 -0800
Hi Becky,
I totally understand... Go to your server or a workstation, right-click
computer, select manage; where it says computer management, right-click this
and choose connect to computer. From here you enter the workstation name;
once connected, expand local users and groups, then select groups, and open
remote desktop users.
Also what is the status of the firewall on the workstation?
Regards,
Jamie
"BeckyBoo123" wrote:
Hi,
I have changed that back to the default level now and tried again. It still
didn't work.
I logged into the work station (whilst sat in front of it) and checked that
remote user connections is enabled, it is but the "select users" box is
greyed out. Is there a way of adding this to the policy, instead of changing
the policy so it lets me check on the local machine that the user is listed?
Hope you can understand that, I am starting to confuse myself now!
"JAMiE132" wrote:
> You can use "Allow log on locally" Group Policy setting (Computer
> Configuration\Windows Settings\Security Settings\Local
> Policies\User Rights Assignments) and replace local Users with
> Domain Users in the listing of groups in this category. Just make
> sure you test this on target PCs to avoid any collateral
> damage...
Perhaps you need to put this back to the default; the domain users group is by
default a member of the local users on a workstation. This doesn't mean they
can logon locally, as long as they only have a domain user account.
If you have rdp enabled and the group specified in the remote desktop users
group on the local machine then there should be no problem. I recommend that
you reverse the change above, check that rdp is enabled on the workstation,
right click computer, properties, remote tab, from here check that the box
for remote desktop is ticked, then make sure the group is added.
Regards,
Jamie
"BeckyBoo123" wrote:
Hi Guys, thanks for the advice. I am on information overload now!
Connecting to what? Do you have a terminal server? That would be a
good idea if you have a lot of remote users.
Ok, just to sum it all up, (I think this is right) we have 2 AD servers and
6 Terminal Servers. We have several hundred PC users which connect to TS's
for access to our profit system. Users also use their PC's for email access
and other things locally, however we are trying to gradually add these PC's
to the domain.
So, certain users use VPN to connect up from home. They can connect to the
TS applications with no problem, and they can connect up to their local
account by using RDC, but on the test machine that I have connected to the
domain and removed the local account on, I can't connect to it via RDC
(emulating the method they would use from home).
You can use "Allow log on locally" Group Policy setting (Computer
Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignments) and replace local Users with
Domain Users in the listing of groups in this category. Just make
sure you test this on target PCs to avoid any collateral
damage...
This was originally set to list the specific user only, so I have now
changed it to display the domain user.
Create a GPO, filter this with a security group that contains the
workstations that you would like to enable RDP.
Enable RDP on the selected workstations:
1. In the group policy object, click to expand Computer Configuration, click
to expand Administrative Templates, click to expand Windows Components, and
then click to expand Terminal Services.
2. Double-click the "Allow users to connect remotely using Terminal
Services" policy.
3. Set the policy to Enable, and then click OK
however instead of visiting each workstation
go to windows settings/security settings/restricted groups/right click add
new group/add your global security group that contains the users that you
want to access the workstations using rdp/Select this group is a member
of:choose remote desktop user
This setting was already in place, but I checked it and it all looks in order.
The only thing that I have noticed is that the Domain computer in question
is actively a member of 2 groups, RDP's and Desktop users (desktop users is
the policy I have been working on to customize the domain PC's).
Could this be the cause?
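
An added example (not part of the original thread): a read-only PowerShell check of the three things discussed above for one workstation, namely whether Remote Desktop is enabled locally or by policy, who is in the local Remote Desktop Users group, and whether the RDP port is reachable. The workstation name is a placeholder, and the script assumes admin rights on the target and a running Remote Registry service there.

```powershell
# Added example: read-only checks for the settings discussed in this thread.
# Assumptions: admin rights on the target, Remote Registry service running on
# it, and WORKSTATION01 is a placeholder workstation name.
param([string]$Computer = 'WORKSTATION01')

# 1. Is Remote Desktop enabled? fDenyTSConnections = 0 means connections are
#    allowed. The value under Policies is written by the "Allow users to
#    connect remotely using Terminal Services" GPO setting and takes
#    precedence over the local value.
$hklm   = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
$polKey = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services')
$locKey = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')
$polVal = $null
$locVal = $null
if ($polKey) { $polVal = $polKey.GetValue('fDenyTSConnections') }
if ($locKey) { $locVal = $locKey.GetValue('fDenyTSConnections') }
if ($polVal -ne $null) { $effective = $polVal } else { $effective = $locVal }

# 2. Who is in the local "Remote Desktop Users" group? This is the group the
#    Restricted Groups policy is meant to populate; confirm that only the
#    intended domain security group is listed.
$group   = [ADSI]"WinNT://$Computer/Remote Desktop Users,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}

# 3. Does the workstation firewall let RDP through? TCP 3389 is the default
#    RDP listening port.
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($Computer, 3389); $portOpen = $true }
catch   { $portOpen = $false }
finally { $tcp.Close() }

# Summarise the findings as a single object.
New-Object PSObject -Property @{
    Computer           = $Computer
    PolicyDenyValue    = $polVal      # $null = GPO setting not applied
    LocalDenyValue     = $locVal
    RdpEnabled         = ($effective -eq 0)
    RemoteDesktopUsers = $members
    Port3389Reachable  = $portOpen
}
```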