Re: Assiging permissions for a group to logon to a domain controll

Hi thanks for your prompt reply, but it still doesn't seem to work :^(

At the moment I have change the gpo...

Windows Settings>Security Settings>Locla Policies>User Rights
Assignment>Allow log on through Terminal Services....

I added a group called joebloggsadmin as well as the domain administrators,
but it doesn't seem to budge.
I performed a gpresult and the results stated that the group applied was
applied to the machine.

Help! Please


"Robert Li [MSFT]" wrote:

Hi Bennie,

Thanks for posting in our newsgroup and also for Lanwench's input.

From your description, I know that you want to allow a security group to
log onto the domain controller via TS. If I am off-base, please don't
hesitate to let me know.

To let the user (group) logon to the SBS server through terminal service
(remote Desktop), at least a user must have the following permissions

I. Allow logon through Terminal Services.

To grant a user this permission, open the default ''Default Domain
Controller Policy'' from Group Policy Management and then navigate to the
following location:

Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Allow logon through Terminal Services

Add your specified user in it and define this policy

II. Allow logon to Terminal Server

To grant a user these permissions, start either the Active Directory Users
and Computers snap-in or the Local Users And Groups snap-in, open the
user''s properties, click the Terminal Services Profile tab, and don't
select Deny this user permissions to log on to any Terminal Server

III. Guest Access: Logon to the RDP-TCP connection

To grant guests Logon rights to the RDP-TCP connection, start the
''Terminal Services Configuration'' snap-in, open the RDP-TCP properties
page. In the permission tab, add your specified users, and grant
appropriate missions, so that the user has at least Logon rights.

IV. Please confirm that users are not in the ''Deny logon through Terminal
Services'' group policy.

The ''Deny logon through Terminal Services'' is in the same location as
''allow logon through Terminal Services'' Please confirm the users need to
access server remotely are not defined in the policy.

For the detailed information, you could refer to the following KB article.

278433 Accessing Terminal Services Using New User Rights Options
http://support.microsoft.com/?id=278433

841188 "The local policy of this system does not permit you to logon
http://support.microsoft.com/?id=841188

Hope the information helps.

If you need further assistance, please don't hesitate to let me know.

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================

This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
<From: "Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
<References: <4FA7AB14-9B95-47A6-B0E5-68B7970F0643@xxxxxxxxxxxxx>
<Subject: Re: Assiging permissions for a group to logon to a domain
controller
<Date: Thu, 17 May 2007 09:32:51 -0400
<Lines: 18
<X-Priority: 3
<X-MSMail-Priority: Normal
<X-Newsreader: Microsoft Outlook Express 6.00.2900.3028
<X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
<X-RFC2646: Format=Flowed; Original
<Message-ID: <#PdM9NKmHHA.3496@xxxxxxxxxxxxxxxxxxxx>
<Newsgroups: microsoft.public.windows.server.sbs
<NNTP-Posting-Host: cpe-24-193-56-181.nyc.res.rr.com 24.193.56.181
<Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
<Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:37468
<X-Tomcat-NG: microsoft.public.windows.server.sbs
<
<bennie <bennie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
<> I need to allow a security group to log onto the domain controller
<> via TS but it says only administrator has permission.
<> What is the best way to assign the permission for a group I have
<> created to log onto the server via TS - Via Group Policy or adding
<> the security group to the administrators group?
<>
<> If it's GPO could you point me in the right direction please
<>
<> Thanks!
<
<If this is your SBS box, why is it you want this group to have those
rights,
<and what is it supposed to do?
<
<The "Domain Power Users" group has the right to log in to SBS via RD
(don't
<use the term TS; that means something else in W2003 and up).
<
<
<


.

Relevant Pages

  • Re: Prevent changes to Administrator password
    ... What I am trying to do is give Taz1972 some options to minimize the risk or make it harder for a lower-level DA to reset the password for the EA account. ... Restricted Admins group to mitigate against what you propose Deji. ... also need to make sure the DAs in question cannot elevate their rights to EA, ... > By adding the Deny Write Permissions ACE, ...
    (microsoft.public.windows.server.active_directory)
  • Re: security flaw
    ... This posting is provided "AS IS" with no warranties, and confers no rights. ... > SELECT permission denied on object 'authors', database 'pubs', owner ... > Go to Security Folder and check the users permissions there as well as its ... For information about the Microsoft Strategic Technology ...
    (microsoft.public.sqlserver.security)
  • Re: Rights Problem with IWAM and IUSR Accounts
    ... > account name for newsgroup participation only.<< ... > © 2002 Microsoft Corporation. ... All rights reserved. ... > | Access Permissions and the Edit Default button. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Prevent changes to Administrator password
    ... What I am trying to do is give Taz1972 some options to minimize the risk or make it harder for a lower-level DA to reset the password for the EA account. ... * This posting is provided "AS IS" with no warranties and confers no rights! ... > By adding the Deny Write Permissions ACE, ... > permission to modify the ACL on AdminSDHolder. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Why is Fedora not a Free GNU/Linux distributions?
    ... Taking away legitimate rights, yes, that would be immoral. ... specifically to be incompatible with the GPL, ... Software license) doesn't take away any right you had. ... There are other permissions that enable you to copy and distribute the ...
    (Fedora)
Loading