Re: Which rights are required for TS to work on a DC that is running Server 2003?



The two rights you mention below were absent from the list of
privileges returned by this command when I ran it on a DC. Any idea
why?

On Nov 28, 1:10 pm, "Ivan Brugiolo [MSFT]"
<ivanb...@xxxxxxxxxxxxxxxxxxxx> wrote:
On a DC, you need to remove the Administrators from the
SeDenyRemoteInteractiveLogonRight user-right assignment and grant them the
SeRemoteInteractiveLogonRight user-right.

The quickest way to check group membership and user-rights is to inspect the
output of

c:\debuggers>cdb.exe -c ".logopen token.txt;!token -n;.logclose;q" notepad.exe

assuming you have the debugger package installed in c:\debuggers.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

<robpimen...@xxxxxxxxx> wrote in message news:1164731291.917200.256230@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



Hi,

I've read conflicting information as to whether or not the "Allow Log
on Locally" user right is
required in order to use TS on a Domain Controller running Server 2003.

This post suggests that it is required:
http://groups-beta.google.com/group/microsoft.public.windows.terminal...

This KB article also says it's required (at least for Win2k):
http://support.microsoft.com/kb/247989

However, a snippet from this article suggests that if "Allow Log on
through Terminal Services" is set, that it will suffice, even for a DC:

"Allow log on locally
This policy setting specifies which users can start interactive
sessions on the domain controller. Users who do not have this right are
still able to start a remote interactive session on the domain
controller if they have been assigned the Allow logon through Terminal
Services user right."

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/...

Can someone please clarify, which of the two rights are required for TS
to work on a DC?

Thanks,
Rob
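
The check described in the reply above (Administrators removed from SeDenyRemoteInteractiveLogonRight and granted SeRemoteInteractiveLogonRight) can also be run against a user-rights export made with `secedit /export /cfg rights.inf /areas USER_RIGHTS`. This is an added example, not part of the original thread; the sample INF text is constructed and the function names are hypothetical.

```python
# Added example: evaluate the two Terminal Services logon rights named in the
# thread from a `secedit /export /cfg rights.inf /areas USER_RIGHTS` file.
import configparser

ADMINS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
ALLOW = "SeRemoteInteractiveLogonRight"
DENY = "SeDenyRemoteInteractiveLogonRight"

# Constructed sample, not taken from a real domain controller.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-544,Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(inf_text):
    """Return {right name: set of principals} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the original case of the right names
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            # SIDs are written with a leading '*'; account names appear bare.
            rights[name] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights

def ts_logon_findings(rights, principal=ADMINS):
    """List assignments that stop `principal` logging on through Terminal Services.
    Only direct entries are checked; nested group membership is not resolved."""
    findings = []
    if principal in rights.get(DENY, set()):
        findings.append(f"{principal} is listed in {DENY}")
    if principal not in rights.get(ALLOW, set()):
        findings.append(f"{principal} is not listed in {ALLOW}")
    return findings

def load_export(path):
    # secedit writes the export as UTF-16 with a byte-order mark.
    with open(path, encoding="utf-16") as fh:
        return fh.read()

if __name__ == "__main__":
    for line in ts_logon_findings(parse_rights(SAMPLE_INF)) or ["no blocking assignment found"]:
        print(line)
```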