To be clear, what I'm suggesting is not a workaround; it is a means of manipulating the ACL that's preventing the connection from succeeding. I'm not aware of any other non-programmatic or scripted techniques of controlling the rdp-console object.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com

http://msetechnology.com

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, June 10, 2005 5:52 PM
To: [email protected]
Subject: RE: [ActiveDir] mstsc /console switch for non admins

 The Group is already a member of the Remote Desktop User group and has the allow logon through terminal services so I assume I will need to do something along the lines of what Dean has suggested unless you have any other ideas!?
 
thanks
Frank
 
 
Jorge de Almeida Pinto <[EMAIL PROTECTED]> wrote:
Hi,
 
In the domain the group "Remote Desktop Users" exists. This group has permissions on the RDP-protocol on each DC (Terminal Services Configuration MMC) but does not have the user right "Allow logon through Terminal Services" in the Default Domain Controllers GPO.
 
For member servers almost the same applies. In the local SAM of each standalone or member server a group "Remote Desktop Users" exists. This group has permissions on the RDP-protocol on the server (Terminal Services Configuration MMC) AND has the user right "Allow logon through Terminal Services" in the Local Security Policy.
 
To solve your problem you could:
* Add your group to the group Remote Desktop Users in the domain
* Assign the group Remote Desktop Users in the Default DC GPO the user right Allow logon through Terminal Services
 
REMEMBER: this applies to ALL DCs in your domain! So if the file/print role is only on some DCs you might want to create a custom group for remote desktop purposes and configure only those DCs accordingly
 
Be aware that server operators also have many powers over the DC, like shutting down. Think about it if you have enough trust for your file/print admins to log on to your DC?
 
Cheers
 
#JORGE#


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, June 10, 2005 10:57
To: [email protected]
Subject: [ActiveDir] mstsc /console switch for non admins

Hi,
Our IT Operations team will require access to our remote Windows 2003 DCs which act as File & Print Servers.
At the moment, they are members of the Built-in domain Server Operators group which they use Remote Desktop to connect through to the DCs for data/print services support/administration which gives them the remote access they require.
I would like them to use the mstsc /console switch; however, it seems only members of the domain administrators group can use this switch as they are unable to log on.
The IT Ops user can log on to the server via the physical KVM console using the same account and have access. Only through mstsc /console are they denied access.
 
The Server Operators group have the following rights:
 
Allow logon through Terminal Services
Log on Locally
 
Does anyone know of a way around this so I can allow Non-Admins to use the /console switch?
Any ideas or alternative workarounds appreciated and I already understand that Non-admins are not supposed to log on to DCs but due to politics we have to allow this...for the time being.
Thanks
- Frank

