
Remote Desktop/Active Directory Question

  • 18-05-2007 10:05am
    #1
    Registered Users, Registered Users 2 Posts: 1,692 ✭✭✭


    Hi all. First post here.

    I'm trying to allow a chap that works for me to create a remote desktop connection to some of our servers, so he can remotely manage printer installs and backup jobs. I have made him a member of the Print Operators, Backup Operators and Remote Desktop Users groups.

    But when I try and create a RDC for that user, it gives me an error saying:

    To log onto this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop User group does not have this right, you must be granted this right manually.

    I don't want to have to go around to every server to change local permissions if possible, and also that is not possible on the main AD server itself anyway.

    Anyone got any ideas?


Comments

  • Registered Users, Registered Users 2 Posts: 11,389 ✭✭✭✭Saruman


    Am I missing something? If you gave him remote access on one server the AD should replicate that. Is it only a remote desktop session you are setting up or an actual term session for his own profile?


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    The domain "Remote Desktop Users", and server "Remote Desktop Users" groups, are not the same.

    The domain group gives the user permission to log onto Domain Controllers only. It doesn't automatically give them permission to log onto any server remotely.

    There are a number of things you can do:

    1. Add the domain group to the RD Users group on each server. The con here is that this will give the user access to log on remotely to both domain controllers and those servers you've chosen.

    2. Create a new domain security group for the user. Add a group policy object to the OU where the servers reside, and grant that security group the right "Log on through Terminal Services". The con here is that the user gets access to log onto every server in that OU.

    3. Create a new security group. Add that group to the Print Operators, Backup Operators and Remote Desktop Users groups on each server to which you want to give the user access. This is a PITA, but it is the most secure option. You also only need to do this once - if someone else comes along and needs the same, you only need to add them into that security group, and hey presto.
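
Option 3 from the post above, scripted so it does not have to be clicked through on every server. This is an added example, not part of the original post; the group name and server names are placeholders, and it assumes PowerShell remoting is enabled and the servers have the LocalAccounts cmdlets (Windows Server 2016 or later).

```powershell
# Added example: names are placeholders, not values from the thread.
$DomainGroup = 'EXAMPLE\Server-Print-Backup-Ops'   # hypothetical domain security group
$Servers     = 'SRV-FILE01', 'SRV-PRINT01'         # hypothetical: only the servers he needs
$LocalGroups = 'Print Operators', 'Backup Operators', 'Remote Desktop Users'

# Domain controllers are left out of $Servers on purpose: they have no
# local groups, so this approach does not apply to them.
$results = Invoke-Command -ComputerName $Servers -ScriptBlock {
    param($DomainGroup, $LocalGroups)

    foreach ($name in $LocalGroups) {
        try {
            # Skip the add if the domain group is already nested in this local group.
            $already = Get-LocalGroupMember -Group $name -ErrorAction Stop |
                       Where-Object Name -eq $DomainGroup
            if ($already) {
                $status = 'AlreadyMember'
            }
            else {
                Add-LocalGroupMember -Group $name -Member $DomainGroup -ErrorAction Stop
                $status = 'Added'
            }
        }
        catch {
            # For example, the local group does not exist on this server.
            $status = "Failed: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Server     = $env:COMPUTERNAME
            LocalGroup = $name
            Status     = $status
        }
    }
} -ArgumentList $DomainGroup, $LocalGroups

# One row per server and local group, so a failed or skipped server is visible.
$results | Sort-Object Server, LocalGroup |
    Format-Table Server, LocalGroup, Status -AutoSize
```

After this, giving another person the same access is a single change: add them to the domain security group.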


  • Registered Users, Registered Users 2 Posts: 1,692 ✭✭✭shawpower


    Saruman wrote:
    Am I missing something? If you gave him remote access on one server the AD should replicate that. Is it only a remote desktop session you are setting up or an actual term session for his own profile?

    Yeah, I thought it should be straightforward too.

    He is listed as a user of the Remote Access group within AD on all the servers, so it has replicated fine.

    I created a second admin account for him, and added it to all the groups I mentioned. I simply want him to be able to open a Remote desktop session to the servers to be able to edit backup jobs and add printers.

    I've also tried to log on locally as this user and it failed with the same message. So on my Exchange server, I went into Computer Management and added the user to the Remote Desktop User group in Local Users and Groups. Tried to log in locally and remotely and the message is that it needs administrative permissions on the computer. I thought that membership of the Print/Backup operators groups got by this.


  • Registered Users, Registered Users 2 Posts: 1,692 ✭✭✭shawpower


    seamus wrote:
    3. Create a new security group. Add that group to the Print Operators, Backup Operators and Remote Desktop Users groups on each server to which you want to give the user access. This is a PITA, but it is the most secure option. You also only need to do this once - if someone else comes along and needs the same, you only need to add them into that security group, and hey presto.

    Thanks for this reply Seamus. I think that I'll go with this option.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Tried to log in locally and remotely and the message is that it needs administrative permissions on the computer. I thought that membership of the Print/Backup operators groups got by this.

    Logging on remotely and logging on locally involve two separate sets of permissions. The remote desktop users group by default doesn't have permission to log on locally.

    In addition to "Allow log on locally" and "Allow log on through terminal services", there are also "Deny log on locally" and "Deny log on through terminal services". If a user or group is listed as being denied a permission, then they won't be allowed log on - the deny permission always overrides the allow permission.
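
A way to check the four rights named in the post above for one account on one server, showing which group grants or denies each. This is an added example, not part of the original post; the account name is a placeholder, it is run elevated on the server in question, and it looks only at these user rights.

```powershell
# Added example. $Upn is a hypothetical account; run elevated on the server being checked.
$Upn = 'printbackup.admin@example.local'

# Export only the user-rights section of the server's current security policy.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Map each right name to the SIDs that hold it.
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = foreach ($entry in $Matches[2] -split ',') {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) { $entry.Substring(1) }   # stored as *SID
            elseif ($entry) {
                # Stored by name rather than SID; resolve it, skip if unresolvable.
                try {
                    ([Security.Principal.NTAccount]$entry).Translate(
                        [Security.Principal.SecurityIdentifier]).Value
                } catch { }
            }
        }
    }
}
Remove-Item $inf

# SIDs the account would carry on this server: itself plus every group, nested or local.
$id   = [Security.Principal.WindowsIdentity]::new($Upn)
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object Value)

function Test-LogonRight($Allow, $Deny) {
    $allowed = @($rights[$Allow] | Where-Object { $_ -in $sids })
    $denied  = @($rights[$Deny]  | Where-Object { $_ -in $sids })
    [pscustomobject]@{
        Right     = $Allow
        AllowedBy = $allowed -join ', '
        DeniedBy  = $denied -join ', '
        # A single matching deny entry overrides any number of allow entries.
        CanLogOn  = ($allowed.Count -gt 0) -and ($denied.Count -eq 0)
    }
}

Test-LogonRight SeInteractiveLogonRight       SeDenyInteractiveLogonRight        # log on locally
Test-LogonRight SeRemoteInteractiveLogonRight SeDenyRemoteInteractiveLogonRight  # Terminal Services
```

An empty AllowedBy for SeInteractiveLogonRight alongside a populated one for SeRemoteInteractiveLogonRight is the situation described above: remote logon is granted, local logon is not.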

