Re: User Rights in TS
- From: powlaz <powlaz@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 17 Sep 2008 05:53:01 -0700
Lanwench - thank you for the great answers. If I may, I have a couple of
follow-up questions.
I am aware of the things that require user permission changes relative to
the two programs we have that require admin access. I wonder if there is a
way to change the permissions of these directories and registry keys in a
login script. Would you know?
My TS server is not a DC. It is nothing other than a TS server. Although
you did address another issue I have with exactly how I'm supposed to set up
a subnet for the VPN that I am using for the TS (I guess making the TS a DC
is out of the question).
Anyway the statement I made about everyone being added to the local Admin
group having full local and domain access is because this is the description
of the group on the server. Seems pretty straight forward - if I add a user
to this local group they will be local/domain admins. What don't I know?
Is there some kind of automatic connection between the Remote Desktop Users
group in AD and the TS server? Otherwise how does the TS Server know to
authenticate the users in the AD group?
Thanks for the reply and the help. Group Policy is the next project I
tackle. Seems like a big one, especially since we've never had it and there
are tons of policies. The sites you referenced should prove to be helpful.
Thanks,
MJ
"Lanwench [MVP - Exchange]" wrote:
powlaz <powlaz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> We have an application or two that we run where the manufacturers
> recommends that any user be logged in as an administrator on the
> local PC. Being the good little lambs that we are we have always
> followed this rule.
Another (better) option, besides walloping the application vendor with a
brickbat, is to find out where in the file system and/or registry their
software expects access, and manually changing the permissions for same.
ProcessMonitor (Sysinternals...now downloadable from MS) will help you do
this.
> Anyway now that we are set up with a Terminal Server I am seeing,
> more than ever, why the need for each user to have local admin
> rights is such a concern.
No kidding!
> It looks to me like every user of the TS
> needs to be added to the local Remote Desktop Users group on the TS.
Well, it's better to do this with an AD security group. I like to set up one
called TSUsers.
> In addition it seems I will need to make these users members of the
> Administrators group which unfortunately provides Admin rights to the
> Domain as well as the local PC.
Then it sounds like your TS box is a DC - that's a big no-no. Your TS box
should be a member server with no other roles. Don't let users log in to
your DCs, ever.
> We don't use Group Policy yet.
You'll want to. You need to lock down a lot.
> I'm interested in knowing what I'm
> supposed to do now. I certainly don't want these folks to have carte
> blanche on the network.
Absolutely!
> Please help.
> MJ
I'm not a guru, but here's what I've learned along the way -
Basics: you should be running Terminal Services on a dedicated member server
with *no* other roles on the network. It should be set up in its own OU,
with a policy specifically for TS (including loopback processing so that all
users who log in get the same settings, regardless of
their own inherited user policy settings). See KB 278295 for some good
lockdown suggestions. Also see MVP Patrick Rouse's articles at
http://www.sessioncomputing.com/articles.htm
You'll still need to figure out what your rogue apps want access to, of
course.
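Added example (editor's code, not from either poster): once Process Monitor has shown which folder and registry key the "needs admin" application actually writes to, the fix Lanwench describes is to grant an AD security group rights on exactly those objects and then let that group log on via RDP, with no Administrators membership at all. The group name, domain, folder and key below are placeholders, not values from the thread. Note that changing ACLs under Program Files and HKLM itself requires administrative rights, so this runs once, elevated, on the TS box (or is pushed by a computer-side policy), rather than from a per-user logon script.

```powershell
# Added example, not from the original thread.
# Run once, elevated, on the Terminal Server. All names below are hypothetical.

$Group  = 'CONTOSO\TSUsers'                        # hypothetical AD security group
$Folder = 'C:\Program Files\LegacyApp'             # hypothetical folder the app writes to
$RegKey = 'HKLM:\SOFTWARE\LegacyVendor\LegacyApp'  # hypothetical key the app writes to

# --- File system: Modify (not Full Control) on the folder, inherited by
#     subfolders and files, so the app can create and update its own data ---
$fsRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$fsAcl = Get-Acl -Path $Folder
$fsAcl.AddAccessRule($fsRule)
Set-Acl -Path $Folder -AclObject $fsAcl

# --- Registry: ReadKey + WriteKey on the vendor key and its subkeys.
#     This lets the app read, set values and create subkeys without giving
#     the group ownership or permission-change rights on the key ---
$regRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $Group, 'ReadKey, WriteKey', 'ContainerInherit', 'None', 'Allow'
$regAcl = Get-Acl -Path $RegKey
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $RegKey -AclObject $regAcl

# --- Let the same group log on over RDP. Membership in the local
#     Remote Desktop Users group is what grants the logon right, so the
#     users never need to be local (let alone domain) Administrators ---
net localgroup "Remote Desktop Users" $Group /add

# --- Verify: show only the ACEs that now apply to the group ---
(Get-Acl -Path $Folder).Access | Where-Object { $_.IdentityReference -eq $Group }
(Get-Acl -Path $RegKey).Access | Where-Object { $_.IdentityReference -eq $Group }
net localgroup "Remote Desktop Users"
```

If Process Monitor also shows ACCESS DENIED on per-user locations (HKCU or the user's profile), those need no ACL change, since the user already owns them; only the machine-wide paths above need the edit. The same ACLs can be deployed from the TS OU's policy under Computer Configuration > Windows Settings > Security Settings > File System and Registry, which keeps them in place if the server is rebuilt.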