Initial Rights Setup for TS

  • Thread starter: ricdu

I have a Terminal Services setup running on the domain controller. Everything
is OK logging on as administrator, but when I try to use my AD user account,
I get the message "To log on to the remote computer, you must be granted the
Allow logon through Terminal Services right" I cannot logon, even though that
right appears to be set correctly in the Remote Desktop Users profile.

What can I do to get past this problem?
 
RE: Initial Rights Setup for TS

You can add the user to the remote desktop users group. Users of this group
have the right to log on to TS. It's absolutely not recommended to enable
terminal services on a domain controller.

"ricdu" wrote:

> I have a Terminal Services setup running on the domain controller. Everything
> is OK logging on as administrator, but when I try to use my AD user account,
> I get the message "To log on to the remote computer, you must be granted the
> Allow logon through Terminal Services right" I cannot logon, even though that
> right appears to be set correctly in the Remote Desktop Users profile.
>
> What can I do to get past this problem?
 
RE: Initial Rights Setup for TS

The users are already in the Remote Desktop Users group, but that hasn't had
any effect.

I have seen several references to having TS in the DC, some in favor some
against. Your thoughts?

"Bart Van Vugt" wrote:

> You can add the user to the remote desktop users group. Users of this group
> have the right to log on to TS. It's absolutely not recommended to enable
> terminal services on a domain controller.
>
> "ricdu" wrote:
>
> > I have a Terminal Services setup running on the domain controller. Everything
> > is OK logging on as administrator, but when I try to use my AD user account,
> > I get the message "To log on to the remote computer, you must be granted the
> > Allow logon through Terminal Services right" I cannot logon, even though that
> > right appears to be set correctly in the Remote Desktop Users profile.
> >
> > What can I do to get past this problem?
 
RE: Initial Rights Setup for TS

I prefer to have a dedicated TS.

"ricdu" wrote:

> The users are already in the Remote Desktop Users group, but that hasn't had
> any effect.
>
> I have seen several references to having TS in the DC, some in favor some
> against. Your thoughts?
>
> "Bart Van Vugt" wrote:
>
> > You can add the user to the remote desktop users group. Users of this group
> > have the right to log on to TS. It's absolutely not recommended to enable
> > terminal services on a domain controller.
> >
> > "ricdu" wrote:
> >
> > > I have a Terminal Services setup running on the domain controller. Everything
> > > is OK logging on as administrator, but when I try to use my AD user account,
> > > I get the message "To log on to the remote computer, you must be granted the
> > > Allow logon through Terminal Services right" I cannot logon, even though that
> > > right appears to be set correctly in the Remote Desktop Users profile.
> > >
> > > What can I do to get past this problem?
 
RE: Initial Rights Setup for TS

You MUST assign these users the logon locally right via the Default Domain
Controllers Security Policy in GPMC if the TS is a Domain Controller. This
allows these users to be able to logon interactively to any DC in the domain,
which is absolutely a security risk in most environments.


--
Patrick C. Rouse
Microsoft MVP - Terminal Server
Provision Networks VIP
Citrix Technology Professional
President - Session Computing Solutions, LLC
http://www.sessioncomputing.com



"Bart Van Vugt" wrote:

> I prefer to have a dedicated TS.
>
> "ricdu" wrote:
>
> > The users are already in the Remote Desktop Users group, but that hasn't had
> > any effect.
> >
> > I have seen several references to having TS in the DC, some in favor some
> > against. Your thoughts?
> >
> > "Bart Van Vugt" wrote:
> >
> > > You can add the user to the remote desktop users group. Users of this group
> > > have the right to log on to TS. It's absolutely not recommended to enable
> > > terminal services on a domain controller.
> > >
> > > "ricdu" wrote:
> > >
> > > > I have a Terminal Services setup running on the domain controller. Everything
> > > > is OK logging on as administrator, but when I try to use my AD user account,
> > > > I get the message "To log on to the remote computer, you must be granted the
> > > > Allow logon through Terminal Services right" I cannot logon, even though that
> > > > right appears to be set correctly in the Remote Desktop Users profile.
> > > >
> > > > What can I do to get past this problem?
 
RE: Initial Rights Setup for TS

It is absolutely *not* recommended to run TS on your DC, for both
security and performance reasons.
You will have users logged on to your DC and using it as their
personal workstation. That's normally not how you like to treat the
most important server in your domain!

For this reason, normal users can't logon to a TS on a DC, even
when they are members of the Remote Desktop Users group. You will
also have to modify the Default Domain Controllers Policy, and
configure this setting:

Computer Configuration - Windows Settings - Security Settings -
Local Policies - User Rights Assignment
"Allow log on through Terminal Services"
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Bart Van Vugt
<BartVanVugt@discussions.microsoft.com> wrote on 10 dec 2007 in
microsoft.public.windows.terminal_services:

> I prefer to have a dedicated TS.
>
> "ricdu" wrote:
>
>> The users are already in the Remote Desktop Users group, but
>> that hasn't had any effect.
>>
>> I have seen several references to having TS in the DC, some in
>> favor some against. Your thoughts?
>>
>> "Bart Van Vugt" wrote:
>>
>> > You can add the user to the remote desktop users group. Users
>> > of this group have the right to log on to TS. It's absolutely
>> > not recommended to enable terminal services on a domain
>> > controller.
>> >
>> > "ricdu" wrote:
>> >
>> > > I have a Terminal Services setup running on the domain
>> > > controller. Everything is OK logging on as administrator,
>> > > but when I try to use my AD user account, I get the message
>> > > "To log on to the remote computer, you must be granted the
>> > > Allow logon through Terminal Services right" I cannot
>> > > logon, even though that right appears to be set correctly
>> > > in the Remote Desktop Users profile.
>> > >
>> > > What can I do to get past this problem?
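
A way to check the user right named in the post above on the server itself, as an added example that is not part of any post in this thread. It assumes PowerShell 3.0 or later in an elevated session; the temp file name and the `Resolve-Principal` helper are illustrative.

```powershell
# Added example: list who holds the logon rights discussed in this thread.
# Run elevated on the server that hosts Terminal Services.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # illustrative file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Constant names as they appear in the secedit export, with their policy labels.
# (Newer Windows versions label the first two "... through Remote Desktop Services".)
$rights = [ordered]@{
    SeRemoteInteractiveLogonRight     = 'Allow log on through Terminal Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
    SeInteractiveLogonRight           = 'Allow log on locally'
}

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs as *S-1-...; entries it kept as names appear bare.
    $e = $entry.Trim()
    if ($e -notmatch '^\*S-1-') { return $e }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($e.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return "$e (unresolved)"
    }
}

$lines = Get-Content $cfg
foreach ($name in $rights.Keys) {
    $line = $lines | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Principal $_ })
    }
    [pscustomobject]@{
        Right   = $rights[$name]
        Holders = if ($holders) { $holders -join '; ' } else { '(not defined / empty)' }
    }
}

# S-1-5-32-555 is the well-known SID of BUILTIN\Remote Desktop Users.
$rdp = $lines | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
if ($rdp -notmatch 'S-1-5-32-555\b') {
    'Remote Desktop Users does not hold the remote logon right here; group membership alone will not permit logon.'
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

The export reflects the effective local security policy after Group Policy has applied, so an entry in the Deny row or a missing group in the Allow row shows up here regardless of which GPO set it.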
 
RE: Initial Rights Setup for TS

The rights are established both on the Default Domain controller Security
Policy and the Terminal Services Policy. That's what is confounding.

Users are being directed to servers other than the DC for application support.

"Patrick Rouse" wrote:

> You MUST assign these users the logon locally right via the Default Domain
> Controllers Security Policy in GPMC if the TS is a Domain Controller. This
> allows these users to be able to logon interactively to any DC in the domain,
> which is absolutely a security risk in most environments.
>
>
> --
> Patrick C. Rouse
> Microsoft MVP - Terminal Server
> Provision Networks VIP
> Citrix Technology Professional
> President - Session Computing Solutions, LLC
> http://www.sessioncomputing.com
>
>
>
> "Bart Van Vugt" wrote:
>
> > I prefer to have a dedicated TS.
> >
> > "ricdu" wrote:
> >
> > > The users are already in the Remote Desktop Users group, but that hasn't had
> > > any effect.
> > >
> > > I have seen several references to having TS in the DC, some in favor some
> > > against. Your thoughts?
> > >
> > > "Bart Van Vugt" wrote:
> > >
> > > > You can add the user to the remote desktop users group. Users of this group
> > > > have the right to log on to TS. It's absolutely not recommended to enable
> > > > terminal services on a domain controller.
> > > >
> > > > "ricdu" wrote:
> > > >
> > > > > I have a Terminal Services setup running on the domain controller. Everything
> > > > > is OK logging on as administrator, but when I try to use my AD user account,
> > > > > I get the message "To log on to the remote computer, you must be granted the
> > > > > Allow logon through Terminal Services right" I cannot logon, even though that
> > > > > right appears to be set correctly in the Remote Desktop Users profile.
> > > > >
> > > > > What can I do to get past this problem?
 
Re: Initial Rights Setup for TS

ricdu <ricdu@discussions.microsoft.com> wrote:
> The users are already in the Remote Desktop Users group, but that
> hasn't had any effect.
>
> I have seen several references to having TS in the DC, some in favor
> some against. Your thoughts?


There is *never* a good enough reason to run TS on a DC, sorry. A DC has
remote desktop, which is all an admin would need - it's not for users. Would
you want your users walking up to a DC's console & logging in there? You
shouldn't, for reasons of security - and you shouldn't install "desktop"
apps on a DC. I think a TS should do nothing else, period.

>
> "Bart Van Vugt" wrote:
>
>> You can add the user to the remote desktop users group. Users of
>> this group have the right to log on to TS. It's absolutely not
>> recommended to enable terminal services on a domain controller.
>>
>> "ricdu" wrote:
>>
>>> I have a Terminal Services setup running on the domain controller.
>>> Everything is OK logging on as administrator, but when I try to use
>>> my AD user account, I get the message "To log on to the remote
>>> computer, you must be granted the Allow logon through Terminal
>>> Services right" I cannot logon, even though that right appears to
>>> be set correctly in the Remote Desktop Users profile.
>>>
>>> What can I do to get past this problem?
 
Re: Initial Rights Setup for TS

I have moved Terminal Services to another server that will run that
exclusively. However, I am still getting the message "To log on to the
remote computer, you must be granted the Allow logon through Terminal
Services right" I cannot logon, even though that right appears to be set
correctly in the Remote Desktop Users profile.



"Lanwench [MVP - Exchange]" wrote:

> ricdu <ricdu@discussions.microsoft.com> wrote:
> > The users are already in the Remote Desktop Users group, but that
> > hasn't had any effect.
> >
> > I have seen several references to having TS in the DC, some in favor
> > some against. Your thoughts?

>
> There is *never* a good enough reason to run TS on a DC, sorry. A DC has
> remote desktop, which is all an admin would need - it's not for users. Would
> you want your users walking up to a DC's console & logging in there? You
> shouldn't, for reasons of security - and you shouldn't install "desktop"
> apps on a DC. I think a TS should do nothing else, period.
>
> >
> > "Bart Van Vugt" wrote:
> >
> >> You can add the user to the remote desktop users group. Users of
> >> this group have the right to log on to TS. It's absolutely not
> >> recommended to enable terminal services on a domain controller.
> >>
> >> "ricdu" wrote:
> >>
> >>> I have a Terminal Services setup running on the domain controller.
> >>> Everything is OK logging on as administrator, but when I try to use
> >>> my AD user account, I get the message "To log on to the remote
> >>> computer, you must be granted the Allow logon through Terminal
> >>> Services right" I cannot logon, even though that right appears to
> >>> be set correctly in the Remote Desktop Users profile.
> >>>
> >>> What can I do to get past this problem?

>
>
>
>
 