Re: shadow console connection through terminal connection on server 20
- From: "George Valkov" <a@xxxxx>
- Date: Fri, 8 Jun 2007 20:09:24 +0300
<mrhanman@xxxxxxxxx> wrote in message
news:1181227553.081930.224210@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| On Jun 7, 4:57 am, "George Valkov" <a...@xxxxx> wrote:
| > <mrhanman at gmail.com> wrote:
| >
| > | On Jun 6, 5:49 pm, "Vera Noest [MVP]" <vera.no...@remove-this.hem.utfors.se> wrote:
| >
| > | > mrhan...@xxxxxxxxx wrote on 07 jun 2007 in
| > | > microsoft.public.windows.terminal_services:
| > | >
| > | >
| > | >
| > | > > On Jun 6, 5:06 pm, "George Valkov" <a...@xxxxx> wrote:
| > | > >> "Andy Boatman" wrote:
| > | >
| > | > >> | i have a server 2003 box i am trying to remote admin with a
| > | > >> | terminal services connection, then i'm opening a command
| > | > >> | prompt and typing "shadow 0." i then get an error 7051. i
| > | > >> | followed the instructions here to fix that error:
| > | > >> |
| > | > >> | http://support.microsoft.com/kb/278845
| > | > >> |
| > | > >> | i know this is possible to do because i have another sbs 2003
| > | > >> | (which is the domain controller) and it works fine with it.
| > | > >> | the console connection i'm trying to shadow is the
| > | > >> | administrator account. while the server is joined to the
| > | > >> | domain, it is the local admin account that is logged in. i've
| > | > >> | set the gpol on both servers to reflect the changes mentioned
| > | > >> | above, but the problem still remains. i got it to work briefly
| > | > >> | after making some gpol changes and rebooting, but after an
| > | > >> | hour or so, it reverted back to the original behavior. i'm at
| > | > >> | a loss. i can't explain why it works on one server and not on
| > | > >> | the other, nor why it worked briefly immediately after a
| > | > >> | reboot and then stopped. any help would be greatly
| > | > >> | appreciated.
| > | > >> |
| > | > >> | on a side note, how do you hit "ctrl-alt-del" to logon in a
| > | > >> | shadow session? i know it's "ctrl-alt-enter" with a terminal
| > | > >> | connection, but this doesn't work when shadowing a session.
| > | > >> | again, thanks for your help.
| > | >
| > | > >> Hello Andy! I do not know how it is when shadowing a session,
| > | > >> but on a normal terminal session it is ctrl-alt-end. Good luck!
| > | >
| > | > >> George Valkov
| > | >
| > | > > thanks for correcting me george; i appreciate it. does anyone
| > | > > else have an idea about the rest of it?
| > | >
| > | > Have you checked all of the Group Policies that are affecting this
| > | > Terminal Server? Maybe you configured shadowing permissions in a
| > | > local policy, and then they were overridden again by a policy
| > | > higher up in the hierarchy?
| > | > And which account are you using when you try to shadow the console
| > | > session?
| > | > _________________________________________________________
| > | > Vera Noest
| > | > MCSE, CCEA, Microsoft MVP - Terminal Server
| > | > TS troubleshooting: http://ts.veranoest.net
| > | > ___ please respond in newsgroup, NOT by private email ___
| > |
| > | i checked the policy both on the server i'm trying to control, and on
| > | the sole domain controller on the network. i've tried using the local
| > | administrator account and my personal local account, neither with
| > | consistent results. the server is a member of the domain (if i
| > | understand correctly), but the user that is logged in (that i'm trying
| > | to shadow) is the local administrator account. it had occurred to me
| > | that the policy could be overwritten by the DC, which could explain
| > | why it worked momentarily after a reboot (before the policy was
| > | refreshed from the DC). however, i set the same policy on the DC and
| > | got the same result (that is, shadowing didn't work). of course, it
| > | is entirely possible that i don't know enough about gpedit.msc to
| > | properly set things up, but i followed the instructions from the link
| > | in my first post to the letter. though, i did set it to enable remote
| > | control without user permission, instead of with. i'm sure that had
| > | no bearing on the outcome.
| > |
| > | thanks for your response.
| >
| > I have no idea if this will work, but you can give it a try via "Local
| > Security Policy" on the domain controller:
| > copy %SystemRoot%\system32\secpol.msc to the domain controller. It
| > should be available on some standalone server. Then try configuring
| > that setting from secpol.msc on the domain controller.
|
| secpol.msc is available on both the domain controller, and the server
| i can't seem to shadow. i've gone through the settings on each, and,
| to be honest, i'm not seeing a policy that would restrict shadowing of
| any particular account. then again, my knowledge of policies is
| marginal, at best. what should i change?
|
| again, thanks everyone for your responses.

I had an old virtual machine left from the service pack 2 beta testing.
Windows 2003 EE SP2-build2825 R2.
It was a domain member, I used to auto-login to it via cached credentials,
because I had deleted the domain controller's virtual machine image
(don't be surprised, it's all for testing ;-)
Anyway...

[first change configuration]
1 :: Terminal Services Configuration\Connections\RDP-Tcp
..\Remote Control: Use remote control with the following settings: does not
require user permission; interact with session.
2 :: gpedit.msc
Local Computer Policy\Computer Configuration\Administrative
Templates\Windows Components\Terminal Services
..\Sets rules for remote control of Terminal=Enabled, Full control without
user's permission

Now using the local Administrator account I logged on to console (virtual
machine's local console, and not the terminal /console). Then a second login
to session 1 on remote desktop and from that session run:
shadow 0
shows the same error as you have.

....Next I disjoined the no longer existing domain and after the restart
shadow 0 worked fine.

Because you are in a domain I had to create a domain to test it... I cloned
the same virtual machine and then used sysprep.exe to change the security
identifiers and chose a unique name for it. I then assigned the cloning as
a domain controller and joined the original to it.

Now using the domain Administrator account I logged on to console (virtual
machine's local console, and not the terminal /console). Then a second login
to session 1 on remote desktop and from that session run:
shadow 0
Works fine both for the domain controller and the member server.
Oops, I forgot to test this with the built-in account ;-) but I had no problems
with the domain Administrator.

And so, if it is not a problem, try to disjoin and then rejoin the member
server to the domain.

Good luck!
George Valkov
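
Added example, not part of the original post: a PowerShell check that reads the Remote Control (shadow) setting from the two places configured in steps 1 and 2 above and reports which one is in effect. The registry locations and value meanings are the standard ones for these two settings and do not appear in the thread; the function names are hypothetical, and PowerShell 2.0 or later is assumed to be installed on the server.

```powershell
# Added example (not from the thread): report the Remote Control (shadow)
# setting from Group Policy and from the RDP-Tcp connection, and which wins.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$connKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Meaning of the Shadow DWORD in both locations.
$meaning = @{
    0 = 'Remote control not allowed'
    1 = 'Full control with user permission'
    2 = 'Full control without user permission'
    3 = 'View session with user permission'
    4 = 'View session without user permission'
}

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    return $null
}

function Get-ShadowSetting {
    $policy  = Get-RegValue $policyKey 'Shadow'
    $conn    = Get-RegValue $connKey   'Shadow'
    $inherit = Get-RegValue $connKey   'fInheritShadow'

    # A configured policy (local or domain GPO) overrides the connection setting.
    if ($null -ne $policy)  { $source = 'Group Policy';                 $value = $policy }
    elseif ($inherit -eq 1) { $source = 'Per-user default (inherited)'; $value = $null }
    else                    { $source = 'RDP-Tcp connection';           $value = $conn }

    $text = 'Not set at this level'
    if ($null -ne $value) {
        $text = $meaning[[int]$value]
        if (-not $text) { $text = "Unrecognised value $value" }
    }
    New-Object PSObject -Property @{
        PolicyValue = $policy; ConnectionValue = $conn; InheritFromUser = $inherit
        EffectiveSource = $source; EffectiveSetting = $text
    }
}

Get-ShadowSetting | Format-List
```

Running it once after a reboot and again after `gpupdate /force` shows whether a policy refresh changes the effective value.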