Re: Outside Users RDP into WS2008???
- From: "Dusko Savatovic" <nospam.savatovic@xxxxxxxxx>
- Date: Thu, 8 Jan 2009 12:29:39 +0100
Hi JDamien,
I'm sorry to hear that you suffered from hurricane Ike.
Like Meinolf said, allowing access to a DC to people who shouldn't be there is calling for trouble. However, not all of us work for high-tech/government/financial and other companies requiring high security.
So, if that's what you want, proceed as follows:
1. Create groups
Open Active Directory Users and Computers
Create one global security group. Name it G-Consultants
Create one domain local security group. Name it DL-Consultants
2. Apply A-G-DL-P strategy
It means 'Add user accounts (A) to global group (G). Add global group (G) to domain local group (DL). Assign permissions (or user rights in our case) (P) on a resource to domain local group (DL)'.
a) add any user account belonging to your consultants to become member of G-Consultants group.
b) add 'G-Consultants' to be a member of 'DL-Consultants'
c) add 'G-Consultants' to be a member of Builtin local group 'Remote Desktop Users'
3. Assign User Right to allow log on locally
Open 'Domain Controller Security Policy'
Navigate to Local Policy / User Rights Assignment
Double-click 'Allow log on locally'.
Add 'DL-Consultants' to the list.
4. Remove consultants from administrators and/or Domain Admins group on a DC
Open properties of each consultant's user account.
Make sure that it is not a member of the Administrators or Domain Admins group
5. Assign necessary permissions.
On folders and network shares used by consultants, assign appropriate permissions to DL-Consultants group. Change and modify permissions are preferred over full control.
6. Configure Terminal Service session limits.
Open Terminal Services Configuration
Open Properties of Connections / RDP-Tcp.
Open Sessions tab.
Check 'Override User settings'
End disconnected session: 10 minutes (or your choice).
7. Test the solution
Good luck
"J Damien" <JDamien@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:D7AC093F-E0FE-48DF-AF17-F94316EC3BAC@xxxxxxxxxxxxxxxx
Thanks for quick reply. I'm 2yr CNS grad with minimal "real-world"
experience. I'm responsible for our company's networking, server mgt.
hardware maintenance, DNS and implementing e2k7 for the first time. I'm in
way over my head, due to our original sys admin never returning after
hurricane Ike evacuation. My boss insisted we setup our environment like
this. I'm just trying to make a bad choice into a better bad choice. If
that's possible... Are there any suggestions you might have? I'd be
appreciative of any help.
"Meinolf Weber [MVP-DS]" wrote:
Hello J,
Do NOT allow user to logon remotely in the domain controller. A DC is the
heart of your domain and should not be accessed from users. For software
or TS use member servers.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> Gurus... I need help w/our company's primary DC permission settings.
> Our company retains services from outside users (CPAs, bookkeepers,
> etc) that RDP into our DC to maintain our company financials using
> QuickBooks software. I want to know if I can assign permissions for
> them to be able to access only the drives assigned/needed for QBooks
> and NAS backup. Without causing too many login problems on their
> side. Also, will RDP users who fail to logout after their session
> ends, impact our network's performance? Any help is greatly
> appreciated.
>
> JD
>
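A scripted check for steps 4 and 7 of the reply above, as an added example that is not part of the original thread: it lists every account that reaches G-Consultants (directly or through nesting) and flags any that is also a member of Administrators or Domain Admins. It assumes it is run in PowerShell on the DC, where the `dsquery` and `dsget` tools are available, and that the group name from step 1 was used unchanged.

```powershell
# Added example (not from the original post): audit for step 4.
# Assumption: run on the DC, where dsquery/dsget are installed with AD DS.
$consultantGroup  = 'G-Consultants'                     # group name from step 1
$privilegedGroups = 'Administrators', 'Domain Admins'   # groups named in step 4

function Get-ExpandedMembers([string]$GroupName) {
    # Resolve the group name to its DN (dsquery prints it wrapped in quotes).
    $dn = dsquery group -name $GroupName | Select-Object -First 1
    if (-not $dn) { throw "Group '$GroupName' not found" }
    $dn = $dn.Trim().Trim('"')
    # -expand returns the recursive member list, so nested groups are followed.
    # Keep only DN lines and strip the surrounding quotes.
    dsget group $dn -members -expand |
        Where-Object { $_ -match '^\s*"?CN=' } |
        ForEach-Object { $_.Trim().Trim('"') }
}

$consultants = @(Get-ExpandedMembers $consultantGroup)
$findings = 0

foreach ($group in $privilegedGroups) {
    $privileged = @(Get-ExpandedMembers $group)
    foreach ($member in $consultants) {
        # -contains compares case-insensitively, which suits DNs.
        if ($privileged -contains $member) {
            Write-Output "FAIL: $member is a member of '$group'"
            $findings++
        }
    }
}

if ($findings -eq 0) {
    Write-Output "OK: no member of '$consultantGroup' is in $($privilegedGroups -join ' or ')"
}
```

Because the member lists are expanded recursively, a consultant who is privileged only through a nested group is reported as well.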