Re: Had to add Administrator to Remote Desktop Users group to use
- From: bfessenden <bfessenden@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 13 Jun 2007 04:45:00 -0700
Ok. Now I'm a little worried, but since there doesn't seem to be any other
issues in my logs, or any obvious problems with the server, I guess I'll wait
and see.
Thanks for clarifying how "not defined" should work.
Bret
"Helge Klein" wrote:
Your solution does sound acceptable ;-) I am not sure, though, if it
is logical.
If you set the user right "Allow logon through terminal services" to
"not defined" in all policies that apply to a DC (which is the
default) then (only) members of the local group Administrators should
be able to log on over terminal services. Anyway, that is what you
have now and it works.
Generally speaking, a policy setting can have three values: on, off or
not defined. Typically, if it is set to on, a value of "1" is written
to the registry. If it is set to off, then a value of "0" is written
to the registry. If it is not defined, then nothing is written to the
registry and any previous registry entries are removed. To sum this
up: If a setting is changed to "not defined" then any previous values
should _not_ apply any more.
Helge
On 12 Jun., 14:28, bfessenden <bfessen...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
It does help very much, thanks!
And I think I fixed the problem. I guess that policies can apply even if you
change one back to "not defined" and run gpupdate - is that correct?
In other words, I think I must have, at some point, enabled the "Allow logon
through terminal services" in the Default Domain Controller policy, but not
put the administrators group in, or something like that, then changed it back
to "not defined".
So, I enabled it again, added administrators, ran gpupdate, then actually
changed it back to "not defined", ran gpupdate, and removed the administrator
from the remote desktop users group, and now I can login as any domain admin.
Does this sound logical, and an acceptable solution? Do GPO's still apply
the last "defined" setting, even if gpupdate is run?
Thanks.
Bret
"Helge Klein" wrote:
Login through terminal services is governed by security in two places:
- Permissions on the RDP listener
- Security option (mentioned by you): Allow/Deny through terminal
services
The group Remote Desktop Users is just a shortcut for configuring
those. You should check the settings that are in effect on your DC.
I hope this helps.
Helge
On 11 Jun., 21:29, bfessenden <bfessen...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
Sorry - I forgot to specify that:
I get the standard "To logon to this remote computer, you must be granted
the Allow log on through Terminal Services right..." that you would get with
a regular user not in the RDU's group.
Bret
"Helge Klein" wrote:
What error message do you get when trying to TS into the DC and the
admin account used is _not_ a member of the Remote Desktop Users?
Helge
On 11 Jun., 19:08, bfessenden <bfessen...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
Hi,
I just set up a new domain with one new domain controller running Windows
2003 R2 SP2. I have made no changes, aside from password policy to any GPO,
and I have added no new GPOs.
After connecting an existing terminal server as a member server to the new
domain, I could no longer RDC in with any administrator account to the
*domain controller*.
I did have to add Domain Users to the local Remote Desktop Users group on
the terminal server, and they can login to the terminal server fine. I can
also login as an administrator (either local or domain) to the terminal
server ok.
But I cannot login as an administrator to the DC, unless I add the
administrator to the Remote Desktop Users group on the DC.
I haven't been able to find any info about this, because all my searches
just end up being explanations about how to make a regular user a member of
Remote Desktop Users.
I also have not tried to implement any GPO's to "Allow login through
Terminal Services", etc., because I have never done that with any of my other
domain controllers, and I have always been able to login as an admin with no
problem (assuming the System Properties "Allow users to connect remotely" has
been checked on the DC).
Have I just mis-configured something, or is my brand new DC having a serious
issue? I wouldn't worry, except that Microsoft specifically says not to add
admins to the RDU's group.
Any help would be appreciated. Thanks.
Bret
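
Added example, not part of the original thread: one way to check which accounts actually hold the "Allow/Deny log on through Terminal Services" rights on a server, by exporting the effective user rights with secedit and resolving the SIDs. The temporary file name and the helper function Resolve-Principal are assumptions made for this example; run it elevated on the machine being checked.

```powershell
# Added example: list the accounts holding the Terminal Services logon rights
# in the effective security policy of the local machine.
$rights = 'SeRemoteInteractiveLogonRight',      # Allow log on through Terminal Services
          'SeDenyRemoteInteractiveLogonRight'   # Deny log on through Terminal Services

# Export only the user rights area to a temporary INF file (path is an assumption)
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

function Resolve-Principal([string]$entry) {
    # Hypothetical helper: entries are either "*S-1-5-..." SIDs or plain account names
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*S-')) { return $entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { "$($sid.Value) (unresolved)" }   # orphaned or foreign SID
}

$lines = Get-Content $cfg
foreach ($right in $rights) {
    # Lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    if (-not $line) {
        # A right with no accounts assigned does not appear in the export
        "{0}: (no accounts assigned)" -f $right
        continue
    }
    $members = ($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Principal $_ }
    "{0}: {1}" -f $right, ($members -join ', ')
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

The output covers only the user-right half of the check described in the thread; permissions on the RDP listener are configured separately.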