Running TS on DC - RDP question

  • Thread starter Thread starter compsosinc@gmail.com
  • Start date Start date
C

compsosinc@gmail.com

Guest
I know,this is not accepted practice but I am trying something for
experimental purposes because it may be implemented on a real network
in the future.

I have a Windows 2003 Server St. Ed (no SP1) running as a DC and I
installed Terminal Server on it --currently without a Licensing Server
installed. I have an XP Pro client PC added to the domain and User
added called "TestUser1" in the AD. This user is currently a member of
the Domain Users & Remote Desktop Users groups. Are these the only
groups this user needs to be a member of to successfully connect to
the DC/TS using RDC?

Based on some research, there seems to be a question about making the
user a member of the "local" Remote Desktop Users group on the XP
Client vs just within the AD.

Thanks!
 
Re: Running TS on DC - RDP question

If TS is installed on a DC (Domain Controller), then one need to be member
of "Domain Admins" group on AD, in order to be able to connect to the DC
machine. Just being a member of "Remote Desktop User" group on DC will not
be sufficient.


<compsosinc@gmail.com> wrote in message
news:8214443c-0387-4bc7-932e-9c7c5f3886f1@h11g2000prf.googlegroups.com...
> I know,this is not accepted practice but I am trying something for
> experimental purposes because it may be implemented on a real network
> in the future.
>
> I have a Windows 2003 Server St. Ed (no SP1) running as a DC and I
> installed Terminal Server on it --currently without a Licensing Server
> installed. I have an XP Pro client PC added to the domain and User
> added called "TestUser1" in the AD. This user is currently a member of
> the Domain Users & Remote Desktop Users groups. Are these the only
> groups this user needs to be a member of to successfully connect to
> the DC/TS using RDC?
>
> Based on some research, there seems to be a question about making the
> user a member of the "local" Remote Desktop Users group on the XP
> Client vs just within the AD.
>
> Thanks!
 
RE: Running TS on DC - RDP question

hi,
on a DC there are no "local groups", all of them are domain groups. So to
connect to TS on a DC the users have to be domain users and member of domain
remote desktop users.
You have to check on that DC on Terminal Services Configuration, the rdp-tcp
permissions if are modified.
--
Dragos CAMARA
MCSA Windows 2003 server


"compsosinc@gmail.com" wrote:

> I know,this is not accepted practice but I am trying something for
> experimental purposes because it may be implemented on a real network
> in the future.
>
> I have a Windows 2003 Server St. Ed (no SP1) running as a DC and I
> installed Terminal Server on it --currently without a Licensing Server
> installed. I have an XP Pro client PC added to the domain and User
> added called "TestUser1" in the AD. This user is currently a member of
> the Domain Users & Remote Desktop Users groups. Are these the only
> groups this user needs to be a member of to successfully connect to
> the DC/TS using RDC?
>
> Based on some research, there seems to be a question about making the
> user a member of the "local" Remote Desktop Users group on the XP
> Client vs just within the AD.
>
> Thanks!
>
 
Re: Running TS on DC - RDP question

On Jan 3, 6:48 am, Dragos CAMARA <drago...@remove-this.hotmail.com>
wrote:
> hi,
> on a DC there are no "local groups", all of them are domain groups. So to
> connect to TS on a DC the users have to be domain users and member of domain
> remote desktop users.
> You have to check on that DC on Terminal Services Configuration, the rdp-tcp
> permissions if are modified.
> --
> Dragos CAMARA
> MCSA Windows 2003 server
>
>
>
> "compsos...@gmail.com" wrote:
> > I know,this is not accepted practice but I am trying something for
> > experimental purposes because it may be implemented on a real network
> > in the future.
>
> > I have a Windows 2003 Server St. Ed (no SP1) running as a DC and I
> > installed Terminal Server on it --currently without a Licensing Server
> > installed. I have an XP Pro client PC added to the domain and User
> > added called "TestUser1" in the AD. This user is currently a member of
> > the Domain Users & Remote Desktop Users groups. Are these the only
> > groups this user needs to be a member of to successfully connect to
> > the DC/TS using RDC?
>
> > Based on some research, there seems to be a question about making the
> > user a member of the "local" Remote Desktop Users group on the XP
> > Client vs just within the AD.
>
> > Thanks!- Hide quoted text -
>
> - Show quoted text -

Thank you both. When trying to login, as member of "Domain Users" and
"Remote Desktop Users", we get the error similar to "Local policy
does not allow logon interactively". We added the Remote Desktop Users
group to "Allow Logon to Terminal Services" in the Default Domain
Controller Security Policy and we could logon. We did not need to make
the user a member of the Domain Admins group -however if we had, maybe
we would not need to modify the Security Policy? I would rather not
have users as Domain Admins -I think?

Thanks again.
 
Re: Running TS on DC - RDP question

compsosinc@gmail.com wrote on 03 jan 2008:

> On Jan 3, 6:48 am, Dragos CAMARA
> <drago...@remove-this.hotmail.com> wrote:
>> hi,
>> on a DC there are no "local groups", all of them are domain
>> groups. So to connect to TS on a DC the users have to be domain
>> users and member of doma
> in
>> remote desktop users.
>> You have to check on that DC on Terminal Services
>> Configuration, the rdp-t
> cp
>> permissions if are modified.
>> --
>> Dragos CAMARA
>> MCSA Windows 2003 server
>>
>>
>>
>> "compsos...@gmail.com" wrote:
>> > I know,this is not accepted practice but I am trying
>> > something for experimental purposes because it may be
>> > implemented on a real network in the future.
>>
>> > I have a Windows 2003 Server St. Ed (no SP1) running as a DC
>> > and I installed Terminal Server on it --currently without a
>> > Licensing Server installed. I have an XP Pro client PC added
>> > to the domain and User added called "TestUser1" in the AD.
>> > This user is currently a member of the Domain Users & Remote
>> > Desktop Users groups. Are these the only groups this user
>> > needs to be a member of to successfully connect to the DC/TS
>> > using RDC?
>>
>> > Based on some research, there seems to be a question about
>> > making the user a member of the "local" Remote Desktop Users
>> > group on the XP Client vs just within the AD.
>>
>> > Thanks!- Hide quoted text -
>>
>> - Show quoted text -
>
> Thank you both. When trying to login, as member of "Domain
> Users" and "Remote Desktop Users", we get the error similar to
> "Local policy does not allow logon interactively". We added the
> Remote Desktop Users group to "Allow Logon to Terminal Services"
> in the Default Domain Controller Security Policy and we could
> logon. We did not need to make the user a member of the Domain
> Admins group -however if we had, maybe we would not need to
> modify the Security Policy? I would rather not have users as
> Domain Admins -I think?
>
> Thanks again.

That's correct, there is no need for users to be members of the
Domain Admins group.
It's better to only give them the "Allow Logon to Terminal
Services" right in the Default Domain Controller Security Policy
than to make them Domain Admins. That would really be a nightmare
scenario!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*
 
Re: Running TS on DC - RDP question

It is *not* needed to make users members of the Domain Admins
group! That would be a real nightmare situation.

Besides making them members of the domain-local Remote Desktop
Users group in AD, they also need the "Allow Logon to Terminal
Services" right in the Default Domain Controller Security Policy.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

"Ratnesh Yadav [MSFT]" <ratneshyadav@hotmail.com> wrote on 03 jan
2008:

> If TS is installed on a DC (Domain Controller), then one need to
> be member of "Domain Admins" group on AD, in order to be able to
> connect to the DC machine. Just being a member of "Remote
> Desktop User" group on DC will not be sufficient.
>
>
> <compsosinc@gmail.com> wrote in message
> news:8214443c-0387-4bc7-932e-9c7c5f3886f1@h11g2000prf.googlegroup
> s.com...
>> I know,this is not accepted practice but I am trying something
>> for experimental purposes because it may be implemented on a
>> real network in the future.
>>
>> I have a Windows 2003 Server St. Ed (no SP1) running as a DC
>> and I installed Terminal Server on it --currently without a
>> Licensing Server installed. I have an XP Pro client PC added to
>> the domain and User added called "TestUser1" in the AD. This
>> user is currently a member of the Domain Users & Remote Desktop
>> Users groups. Are these the only groups this user needs to be a
>> member of to successfully connect to the DC/TS using RDC?
>>
>> Based on some research, there seems to be a question about
>> making the user a member of the "local" Remote Desktop Users
>> group on the XP Client vs just within the AD.
>>
>> Thanks!
 
Back
Top