That would be your RDP permissions most likely. By default only administrators can log into a server that doesn't have app mode TS enabled. Look in Terminal Services Configuration.
Just the same, I don't think it is the greatest approach. There really shouldn't be a lot of need to look around like that. Good monitoring, consistent system builds, and familiarity with the environment / good documentation should make it unnecessary. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark Sent: Tuesday, September 14, 2004 10:23 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Logging on to a Domain Controller Okay, as you were so helpful as to provide your reason for asking, so will I. We have two groups of administrators in our setup. There is Group 1, who can actually log on and make the necessary changes and there is Group 2, who should be able to log on and be able to "look around", check running processes, check settings, etc, but have no ability to start installing/removing software or making other system changes. So I would like to be able to grant this second level of administrators the ability to log on to a domain controller but so far I have not been able to do it. I have followed various instructions but all to no avail. The message I see is saying "You do not have access to log on to this session". So if anyone can suggest a way to allow me to set up a group with the ability to log on to DC's with a restricted set of rights, Iwould be eternally grateful. Many thanks in advance. Mark -----Original Message----- From: joe [mailto:[EMAIL PROTECTED] Sent: Dienstag, 14. September 2004 15:33 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Logging on to a Domain Controller The reason for the question is that allowing local access to a DC substantially impacts your security. It is extremely bad practice and poor form to give non-domain admins interactive access to domain controllers. The recommendation from everyone, including MS is to not do it. Why? Because if they so choose, the person you give the access to will most likely have the ability to get administrative level access and can hopscotch that into complete forest admin access - usually with no knowledge of the DA's and EA's. Most people tend to do it when they don't know how to do things in a better more secure way. When we ask why, we are trying to understand the context to better provide solutions. I.E. Lots of people ask for lots of things and most of the time they don't know what they are asking for else they generally don't need to ask. Not saying you fit this category but before we give someone a loaded gun, we like to know that they intend to point at a rat in the dumpster versus their own head or foot. My general answer to someone who wants to give someone else interactive domain controller access is to give them domain admin rights, then you aren't fooling yourself into thinking you have a secure solution. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark Sent: Tuesday, September 14, 2004 9:00 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Logging on to a Domain Controller Is it really important why ? I just want to know how it might be done. I am weird like that. Thanks for any other tips anyone might have. -----Original Message----- From: ASB [mailto:[EMAIL PROTECTED] Sent: Montag, 13. September 2004 21:44 To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Logging on to a Domain Controller ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I would like to give a group of our 2nd level administrators the ability to log on to all Domain Controllers. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Because? -ASB ----- Original Message ----- From: Abbiss, Mark <[EMAIL PROTECTED]> Date: Mon, 13 Sep 2004 14:32:47 +0200 Subject: [ActiveDir] Logging on to a Domain Controller To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> I am going round in circles and am now completely confused ! I would like to give a group of our 2nd level administrators the ability to log on to all Domain Controllers. I have applied a group policy to the "Domain Controllers " OU which sets the "Computer configuration -> windows settings -> security settings -> local policies -> user rights assignment " to give this group "Log on locally" rights. I have also ensured that the group policy is applied to all authorised users. I have no problem logging on as I am an Enterprise Admin, however, the other admins are denied the ability to log on. Therefore, I modified the local DC security settings to give the same group the "Log on locally" right. Still they cannot log on. Please, what could I be missing ? Do I need to set access rights anywhere else ? Can I do anything to troubleshoot what rights this group is getting ? Many thanks for any help. List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
