New Twist (and problem) with TS...

NewMan

Guest
We have recently installed a Win 2008 Server.

I added the Hyper-V role, and installed a virtual instance of a
Win2000 Server.

I have no problem accessing the Win2000 server via Remote Desktop /
Terminal Services.

Here is the twist....

Non-Admin users cannot log on locally. No problem, there is an option
for that Right???? WRONG!

You cannot access the "Allow logon through Terminal Services" element
of Group Policy when you are accessing the group policy via a Terminal
Services Session!

ACK! With a virtualized machine, the ONLY kind of connection is a
Terminal Services Session!

I tried accessing via the Hypervisor console, but all it does is
connect to a terminal services session!

So, other than making EVERYONE a member of the "administrators"
group, how do I edit the "Allow logon through Terminal Services" group
policy???

I'm stumped.
 
Re: New Twist (and problem) with TS...

NewMan wrote:
> We have recently installed a Win 2008 Server.
>
> I added the Hyper-V role, and installed a virtual instance of a
> Win2000 Server.
>
> I have no problem accessing the Win2000 server via Remote Desktop /
> Terminal Services.
>
> Here is the twist....
>
> Non-Admin users cannot log on locally. No problem, there is an option
> for that Right???? WRONG!
>
> You cannot access the "Allow logon through Terminal Services" element
> of Group Policy when you are accessing the group policy via a Terminal
> Services Session!
>
> ACK! With a virtualized machine, the ONLY kind of connection is a
> Terminal Services Session!
>
> I tried accessing via the Hypervisor console, but all it does is
> connect to a terminal services session!
>
> So, other than making EVERYONE a member of the "administrators"
> group, how do I edit the "Allow logon through Terminal Services" group
> policy???
>
> I'm stumped.


Not sure, but would it not make sense to make such group policy changes
on another server, e.g. your domain controller - which is, if I have
read right, your 2008 server? They will then propagate to any TS servers
in the domain.

--
Rod

Hypothyroidism is a seriously debilitating condition with an insidious
onset.
Although common it frequently goes undiagnosed.
<www.thyromind.info> <www.thyroiduk.org> <www.altsupportthyroid.org>
 
Re: New Twist (and problem) with TS...

I believe you should be able to pull up a console session from the Hyper-V
server itself.

Also, you can make these changes, as Rod said, through Group Policy. Also
did you install in remote admin mode or application mode for terminal
services?

--
Jeff Pitsch
Microsoft MVP - Terminal Services

"Rod" <polygonum@ntlworld.com> wrote in message
news:6hsdieFngvq3U1@mid.individual.net...
> NewMan wrote:
>> We have recently installed a Win 2008 Server.
>>
>> I added the Hyper-V role, and installed a virtual instance of a
>> Win2000 Server.
>>
>> I have no problem accessing the Win2000 server via Remote Desktop /
>> Terminal Services.
>>
>> Here is the twist....
>>
>> Non-Admin users cannot log on locally. No problem, there is an option
>> for that Right???? WRONG!
>>
>> You cannot access the "Allow logon through Terminal Services" element
>> of Group Policy when you are accessing the group policy via a Terminal
>> Services Session!
>>
>> ACK! With a virtualized machine, the ONLY kind of connection is a
>> Terminal Services Session!
>>
>> I tried accessing via the Hypervisor console, but all it does is
>> connect to a terminal services session!
>>
>> So, other than making EVERYONE a member of the "administrators"
>> group, how do I edit the "Allow logon through Terminal Services" group
>> policy???
>>
>> I'm stumped.

>
> Not sure, but would it not make sense to make such group policy changes on
> another server, e.g. your domain controller - which is, if I have read
> right, your 2008 server? They will then propagate to any TS servers in the
> domain.
>
> --
> Rod
>
> Hypothyroidism is a seriously debilitating condition with an insidious
> onset.
> Although common it frequently goes undiagnosed.
> <www.thyromind.info> <www.thyroiduk.org> <www.altsupportthyroid.org>
 
Re: New Twist (and problem) with TS...

On Sat, 30 Aug 2008 09:09:47 +0100, Rod <polygonum@ntlworld.com>
wrote:

>NewMan wrote:
>> We have recently installed a Win 2008 Server.
>>
>> I added the Hyper-V role, and installed a virtual instance of a
>> Win2000 Server.
>>
>> I have no problem accessing the Win2000 server via Remote Desktop /
>> Terminal Services.
>>
>> Here is the twist....
>>
>> Non-Admin users cannot log on locally. No problem, there is an option
>> for that Right???? WRONG!
>>
>> You cannot access the "Allow logon through Terminal Services" element
>> of Group Policy when you are accessing the group policy via a Terminal
>> Services Session!
>>
>> ACK! With a virtualized machine, the ONLY kind of connection is a
>> Terminal Services Session!
>>
>> I tried accessing via the Hypervisor console, but all it does is
>> connect to a terminal services session!
>>
>> So, other than making EVERYONE a member of the "administrators"
>> group, how do I edit the "Allow logon through Terminal Services" group
>> policy???
>>
>> I'm stumped.

>
>Not sure, but would it not make sense to make such group policy changes
>on another server, e.g. your domain controller - which is, if I have
>read right, your 2008 server? They will then propagate to any TS servers
>in the domain.


Actually, the 2008 server itself is NOT a part of the domain, it is in
its own workgroup. However, the virtualized Win 2000 Server *is* a
part of the domain.

Our domain has not had the schema updated yet, so joining 2008 server
to the domain won't work.
 
Re: New Twist (and problem) with TS...

Hi Jeff,

TS was installed in Remote Admin mode. And I was trying to make the
changes via Group Policy. The problem is that certain items do *not*
appear in the GP menus when you are connected remotely. Thinking about
it, it is easy to see why... If you were allowed to permit an account
to log on remotely, then an attacker might be able to trick-out the
system and gain what would appear to be legitimate access. Knowing
that does not help me.

However, you make an interesting point....

The virtualized server is indeed a domain controller. So... when I get
back to the office if I log on to one of the other Physical domain
controllers, then in theory the missing GP items will appear in the
menu. I can then set them accordingly, and they should replicate to
the other DCs in the domain! (*maybe* ;)

And here I sit at home on a long weekend.

I know it is available, but I have never used it... would a TELNET
session be able to accomplish what I am after? And, if so, how do you
set it up???

Thanks!

On Sat, 30 Aug 2008 08:44:48 -0400, "Jeff Pitsch"
<jeff@jeffpitschconsulting.com> wrote:

>I believe you should be able to pull up a console session from the Hyper-V
>server itself.
>
>Also, you can make these changes, as Rod said, through Group Policy. Also
>did you install in remote admin mode or application mode for terminal
>services?
 
Re: New Twist (and problem) with TS...

You cannot allow nonadmin users into remote admin mode on a Windows 2000
server.

It sounds like you are looking at local policy (gpedit.msc) vs Group Policy.

--
Jeff Pitsch
Microsoft MVP - Terminal Services

"NewMan" <cloakedrun2001@NOSPAM.yahoo.ca> wrote in message
news:36mib49t9psqcq3aj44kumpii8db0if5tk@4ax.com...
> Hi Jeff,
>
> TS was installed in Remote Admin mode. And I was trying to make the
> changes via Group Policy. The problem is that certain items do *not*
> appear in the GP menus when you are connected remotely. Thinking about
> it, it is easy to see why... If you were allowed to permit an account
> to log on remotely, then an attacker might be able to trick-out the
> system and gain what would appear to be legitimate access. Knowing
> that does not help me.
>
> However, you make an interesting point....
>
> The virtualized server is indeed a domain controller. So... when I get
> back to the office if I log on to one of the other Physical domain
> controllers, then in theory the missing GP items will appear in the
> menu. I can then set them accordingly, and they should replicate to
> the other DCs in the domain! (*maybe* ;)
>
> And here I sit at home on a long weekend.
>
> I know it is available, but I have never used it... would a TELNET
> session be able to accomplish what I am after? And, if so, how do you
> set it up???
>
> Thanks!
>
> On Sat, 30 Aug 2008 08:44:48 -0400, "Jeff Pitsch"
> <jeff@jeffpitschconsulting.com> wrote:
>
>>I believe you should be able to pull up a console session from the Hyper-V
>>server itself.
>>
>>Also, you can make these changes, as Rod said, through Group Policy. Also
>>did you install in remote admin mode or application mode for terminal
>>services?

>
 
Re: New Twist (and problem) with TS...

Hi,

"Allow logon through Terminal Services" right does not
exist in 2000 server. Use "Log on locally", or "Allow log on locally",
depending on your GP template version instead.

You will also need to make sure the limited users have
Permissions on the RDP-Tcp object in Terminal Services
Configuration (tscc.msc).

Thanks.

-TP

NewMan wrote:
> We have recently installed a Win 2008 Server.
>
> I added the Hyper-V role, and installed a virtual instance of a
> Win2000 Server.
>
> I have no problem accessing the Win2000 server via Remote Desktop /
> Terminal Services.
>
> Here is the twist....
>
> Non-Admin users cannot log on locally. No problem, there is an option
> for that Right???? WRONG!
>
> You cannot access the "Allow logon through Terminal Services" element
> of Group Policy when you are accessing the group policy via a Terminal
> Services Session!
>
> ACK! With a virtualized machine, the ONLY kind of connection is a
> Terminal Services Session!
>
> I tried accessing via the Hypervisor console, but all it does is
> connect to a terminal services session!
>
> So, other than making EVERYONE a member of the "administrators"
> group, how do I edit the "Allow logon through Terminal Services" group
> policy???
>
> I'm stumped.
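
An added example, not part of TP's post or anyone's code in this thread: a small audit of a user-rights export (as produced by `secedit /export /cfg rights.inf /areas USER_RIGHTS`) that reports which right gates Terminal Services logon and which principals besides Administrators hold it. The sample exports, the domain SID and the function names are constructed for illustration; the script does not cover the RDP-Tcp permissions set in tscc.msc.

```python
import re

ADMINS = "*S-1-5-32-544"                      # BUILTIN\Administrators (well-known SID)
TS_RIGHT = "SeRemoteInteractiveLogonRight"    # "Allow log on through Terminal Services"
LOCAL_RIGHT = "SeInteractiveLogonRight"       # "Log on locally"

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def ts_logon_report(inf_text):
    """Report which right gates TS logon and who holds it besides Administrators."""
    rights = parse_privilege_rights(inf_text)
    # Assumption: if the export has no TS-specific right, treat the box as
    # Windows 2000, where "Log on locally" is the right to check.
    governing = TS_RIGHT if TS_RIGHT in rights else LOCAL_RIGHT
    holders = rights.get(governing, [])
    return {"governing_right": governing,
            "holders": holders,
            "non_admin_holders": [p for p in holders if p != ADMINS]}

# Constructed sample exports (the domain SID is a made-up placeholder).
TS_USERS = "*S-1-5-21-1111111111-2222222222-3333333333-1105"
BEFORE = "[Unicode]\nUnicode=yes\n[Privilege Rights]\nSeInteractiveLogonRight = *S-1-5-32-544\n"
AFTER = BEFORE.rstrip("\n") + "," + TS_USERS + "\n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, ts_logon_report(text))
```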
 
Re: New Twist (and problem) with TS...

Well I had no problem doing it on the physical box before the
virtualization. It was just so long ago that I don't remember how I
set it up.

On Sat, 30 Aug 2008 14:51:54 -0400, "Jeff Pitsch"
<jeff@jeffpitschconsulting.com> wrote:

>You cannot allow nonadmin users into remote admin mode on a Windows 2000
>server.
>
>It sounds like you are looking at local policy (gpedit.msc) vs Group Policy.
 
Re: New Twist (and problem) with TS...

On Sat, 30 Aug 2008 16:42:23 -0400, "TP"
<tperson.knowspamn@mailandnews.com> wrote:

>Hi,
>
>"Allow logon through Terminal Services" right does not
>exist in 2000 server. Use "Log on locally", or "Allow log on locally",
>depending on your GP template version instead.
>
>You will also need to make sure the limited users have
>Permissions on the RDP-Tcp object in Terminal Services
>Configuration (tscc.msc).
>


THAT was it! Problem solved! Thank you so very much. :)


>Thanks.
>
>-TP
>
>NewMan wrote:
>> We have recently installed a Win 2008 Server.
>>
>> I added the Hyper-V role, and installed a virtual instance of a
>> Win2000 Server.
>>
>> I have no problem accessing the Win2000 server via Remote Desktop /
>> Terminal Services.
>>
>> Here is the twist....
>>
>> Non-Admin users cannot log on locally. No problem, there is an option
>> for that Right???? WRONG!
>>
>> You cannot access the "Allow logon through Terminal Services" element
>> of Group Policy when you are accessing the group policy via a Terminal
>> Services Session!
>>
>> ACK! With a virtualized machine, the ONLY kind of connection is a
>> Terminal Services Session!
>>
>> I tried accessing via the Hypervisor console, but all it does is
>> connect to a terminal services session!
>>
>> So, other than making EVERYONE a member of the "administrators"
>> group, how do I edit the "Allow logon through Terminal Services" group
>> policy???
>>
>> I'm stumped.
 
Re: New Twist (and problem) with TS...

You are welcome.

Thank you for posting back with your results.

-TP
 