Group Policy Server Lockdown
Hiro
Guest
Posted: Thu Nov 03, 2005 5:50 pm    Post subject: Group Policy Server Lockdown

I have a mix of Windows 2000/Windows 2003 servers in an OU. I need to set up
Group Policy to allow a group of users (web_admin) the ability to log on
through a remote session to manage these servers. All other users not in the
web_admin group should not be able to log on to this server. What is the best
method to do this?

Paul Williams [MVP]
Guest
Posted: Fri Nov 04, 2005 9:51 am    Post subject: Re: Group Policy Server Lockdown

Modify the logon locally and logon via terminal services rights for this
server or servers. Do this by filtering the GPO to the servers in question,
and only granting these rights to domain local groups that you create. Then
pop the users you want to have access into these groups. Also, leave
administrators in there.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Hiro
Guest
Posted: Fri Nov 04, 2005 9:50 pm    Post subject: Re: Group Policy Server Lockdown

Which policies exactly need to be edited?

"Paul Williams [MVP]" wrote:

Quote:
Modify the logon locally and logon via terminal services rights for this
server or servers. Do this by filtering the GPO to the servers in question,
and only granting these rights to domain local groups that you create. Then
pop the users you want to have access into these groups. Also, leave
administrators in there.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Chriss3 [MVP]
Guest
Posted: Mon Nov 07, 2005 1:50 am    Post subject: Re: Group Policy Server Lockdown

Computer Configuration\Windows Settings\Local Policies\User Rights
Assignment\Allow log on through Terminal Services


--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

"Hiro" <Hiro@discussions.microsoft.com> wrote in message
news:7E602213-9CAC-4F97-AC96-47B26921FD6A@microsoft.com...
Quote:
Which policies exactly need to be edited?

"Paul Williams [MVP]" wrote:

Modify the logon locally and logon via terminal services rights for this
server or servers. Do this by filtering the GPO to the servers in
question,
and only granting these rights to domain local groups that you create.
Then
pop the users you want to have access into these groups. Also, leave
administrators in there.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Hiro
Guest
Posted: Mon Nov 07, 2005 5:50 pm    Post subject: Re: Group Policy Server Lockdown

Have this policy updated with the correct group (webadmin). Also I have every
user that is in webadmin group in the remote desktop user group. Still no
luck logging into servers.

I ended up logging on the webserver and adding the webadmin group to the
Remote Users locally. This setup worked.

Shouldn't I just be able to do this through a GPO without having to make any
changes locally? Could it have something to do with group policy not
applying?

"Chriss3 [MVP]" wrote:

Quote:
Computer Configuration\Windows Settings\Local Policies\User Rights
Assignment\Allow log on through Terminal Services


--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

"Hiro" <Hiro@discussions.microsoft.com> wrote in message
news:7E602213-9CAC-4F97-AC96-47B26921FD6A@microsoft.com...
Which policies exactly need to be edited?

"Paul Williams [MVP]" wrote:

Modify the logon locally and logon via terminal services rights for this
server or servers. Do this by filtering the GPO to the servers in
question,
and only granting these rights to domain local groups that you create.
Then
pop the users you want to have access into these groups. Also, leave
administrators in there.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Paul Williams [MVP]
Guest
Posted: Tue Nov 08, 2005 9:51 am    Post subject: Re: Group Policy Server Lockdown

You need both logon locally and logon using terminal services. The RDP
group has these rights already. You may also need to configure the
permissions on the RDP Protocol (in TS config). I can't remember. The RDP
group also has the necessary permissions here.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Hiro
Guest
Posted: Tue Nov 08, 2005 5:51 pm    Post subject: Re: Group Policy Server Lockdown

I am able to give the Active Directory group (webadmin) access if I change TS
Config locally on each server. This just seems backwards because if there is
a group policy it should already apply to the server.

"Paul Williams [MVP]" wrote:

Quote:
You need both logon locally and logon using terminal services. The RDP
group has these rights already. You may also need to configure the
permissions on the RDP Protocol (in TS config). I can't remember. The RDP
group also has the necessary permissions here.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Paul Williams [MVP]
Guest
Posted: Sun Nov 13, 2005 1:50 pm    Post subject: Re: Group Policy Server Lockdown

The permissions on the RDP object are defined to allow the remote desktop
users. Adding the user to this group (and obviously allowing for
replication and the user to refresh his/her access token) should sort this.

I don't know if there are GPO settings that can configure the permissions of
the RDP object for you - I've never looked. It might be worth asking about
this in the Terminal Services group.

Otherwise, it's the manual process you mentioned :-(

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
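
A check for the situation in this thread, added here as an example and not part of any poster's message: it lists who holds the logon rights discussed above, who is in the local Remote Desktop Users group, and which computer-scope GPOs applied. It assumes an elevated Windows PowerShell 5.1 session on the server being checked; `EXAMPLE\web_admin` is a placeholder group name.

```powershell
# Added example. Run elevated on the server being checked (Windows PowerShell 5.1).
# $Group is a placeholder (assumption); pass your own DOMAIN\group.
param([string]$Group = 'EXAMPLE\web_admin')

function Resolve-Entry([string]$Entry) {
    # secedit writes accounts as *SID; anything else is already a name.
    $e = $Entry.Trim()
    if (-not $e.StartsWith('*')) { return $e }
    $raw = $e.TrimStart('*')
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($raw)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $raw }   # unresolvable SID: show it as-is
}

# 1. Current user-rights assignment on this machine, exported by secedit.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$inf = Get-Content $cfg
Remove-Item $cfg

# The allow rights named in the thread, plus the deny rights that override them.
$rights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight',
          'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
$report = foreach ($right in $rights) {
    $line = $inf | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Entry $_ })
    }
    [pscustomobject]@{ Right = $right; Holders = ($holders -join '; ') }
}
$report | Format-List

# 2. Members of the built-in Remote Desktop Users group (well-known SID S-1-5-32-555),
#    the group the thread says already holds the RDP connection permission.
$members = @(Get-LocalGroupMember -SID 'S-1-5-32-555' | ForEach-Object { $_.Name })
"Remote Desktop Users members: $($members -join '; ')"
"$Group is a direct member: $($members -contains $Group)"

# 3. Which computer-scope GPOs actually applied to this server.
gpresult /r /scope computer
```

If the GPO that sets the user rights is missing from the `gpresult` output, the rights listed in step 1 are coming from somewhere else, which is the "group policy not applying" case raised above.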
All times are GMT