Re: User Rights in TS



powlaz <powlaz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> We have an application or two that we run where the manufacturer
> recommends that any user be logged in as an administrator on the
> local PC. Being the good little lambs that we are we have always
> followed this rule.

Another (better) option, besides walloping the application vendor with a
brickbat, is to find out where in the file system and/or registry their
software expects access, and manually changing the permissions for same.
ProcessMonitor (Sysinternals...now downloadable from MS) will help you do
this.

> Anyway now that we are set up with a Terminal Server I am seeing,
> more than ever, why the need for each user to have local admin
> rights is such a concern.

No kidding!

> It looks to me like every user of the TS
> needs to be added to the local Remote Desktop Users group on the TS.

Well, it's better to do this with an AD security group. I like to set up one
called TSUsers.

> In addition it seems I will need to make these users members of the
> Administrators group which unfortunately provides Admin rights to the
> Domain as well as the local PC.

Then it sounds like your TS box is a DC - that's a big no-no. Your TS box
should be a member server with no other roles. Don't let users log in to
your DCs, ever.

> We don't use Group Policy yet.

You'll want to. You need to lock down a lot.

> I'm interested in knowing what I'm
> supposed to do now. I certainly don't want these folks to have carte
> blanche on the network.

Absolutely!

> Please help.
>
> MJ

I'm not a guru, but here's what I've learned along the way -

Basics: you should be running Terminal Services on a dedicated member server
with *no* other roles on the network. It should be set up in its own OU,
with a policy specifically for TS (including loopback processing so that all
users who log in get the same settings, regardless of
their own inherited user policy settings). See KB 278295 for some good
lockdown suggestions. Also see MVP Patrick Rouse's articles at
http://www.sessioncomputing.com/articles.htm


You'll still need to figure out what your rogue apps want access to, of
course.
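As an added illustration of the advice in this reply (not code from the thread), the following PowerShell puts the pieces together on the TS box: it refuses to run on a DC, creates the TSUsers AD group and gives it RDP logon only, grants the group Modify on just the folder Process Monitor showed the application writing to, and warns if the group ended up in local Administrators. It assumes Windows Server 2016 or later (LocalAccounts cmdlets), the RSAT ActiveDirectory module, and placeholder names for the domain, OU and application folder.

```powershell
# Added example, not from the original post. Placeholders: domain CONTOSO,
# OU "OU=TerminalServers,DC=contoso,DC=com", app data folder C:\LegacyApp\Data
# (the location you identified with Process Monitor).
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$Domain    = 'CONTOSO'
$GroupName = 'TSUsers'
$GroupPath = 'OU=TerminalServers,DC=contoso,DC=com'   # placeholder OU
$AppData   = 'C:\LegacyApp\Data'                       # placeholder path

# 1. Never run Terminal Services on a DC. DomainRole 4/5 = backup/primary DC.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    throw 'This host is a domain controller; TS must be a plain member server.'
}

# 2. Create the AD security group once, then grant it RDP logon on this box
#    via the local Remote Desktop Users group (no Administrators membership).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupPath
}
$member = "$Domain\$GroupName"
$rdu = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
if (-not ($rdu | Where-Object Name -eq $member)) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $member
}

# 3. Give the group Modify on only the folder the application writes to.
#    (OI)(CI) makes the ACE inherit to files and subfolders beneath it.
icacls $AppData /grant "${member}:(OI)(CI)M" | Out-Null

# 4. Audit: the TS user group must not sit in local Administrators.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -contains $member) {
    Write-Warning "$member is a member of local Administrators; remove it."
} else {
    Write-Host "OK: $member has RDP logon and Modify on $AppData only."
}
```

Registry locations the application needs can be handled the same way with an ACL on the specific key rather than admin rights.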