Permissions to logon through terminal services

  • Permissions to logon through terminal services

    Why is this not working...

    Forest is domain.com, child domain is ABC.domain.com

    Domain admins group at Domain.com is part of the built in administrators group in ABC.domain.com.

    Servers local policy states Administrators and Remote Desktop Users are allowed logon through terminal services, but yet a user in the domain admins group at domain.com cannot log into a server in ABC.domain.com.


    Did I miss something?

  • #2
    Re: Permissions to logon through terminal services

    Are domain admins in abc.domain.com in the LOCAL admins group on the server?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Permissions to logon through terminal services

      No, they are part of the built in administrators group of the child domain. I can't imagine that if I need to give them permissions to 150 servers that I would have to add them to each server's local admin group??


      • #4
        Re: Permissions to logon through terminal services

        It is worth testing by adding a User and Group directly to the local administrator group.


        • #5
          Re: Permissions to logon through terminal services

          Servers local policy states Administrators and Remote Desktop Users are allowed logon through terminal services

          If the Administrators group you're referring to is the local Administrators group then that's the problem. The Domain Admins group is a member of the local Administrators group but the Builtin Administrators group, of which the domain.com Domain Admins group is a member, is not a member of the local Administrators group.

          The domain.com Domain Admins group is a member of the abc.domain.com Builtin Administrators group, but the abc.domain.com Builtin Administrators group is not a member of the local Administrators group.
          Last edited by joeqwerty; 16th May 2013, 14:48.


          • #6
            Re: Permissions to logon through terminal services

            So what is a painless way to solve this problem? If I have 150 servers, how can I give admins from domain.com access to log on to my servers in abc.domain.com??

            Can I add their accounts to the remote desktop users group (built in) and solve the issue that way?


            • #7
              Re: Permissions to logon through terminal services

              Group Policies and Restricted Groups should do it
              Tom Jones


              • #8
                Re: Permissions to logon through terminal services

                Tom, can you guide me here?


                • #9
                  Re: Permissions to logon through terminal services

                  One of the first few links should explain it:
                  https://www.google.co.uk/search?q=gr...D-SM7Aap14D4BQ
                  Tom Jones


                  • #10
                    Re: Permissions to logon through terminal services

                    Tom -

                    I am not understanding this completely. When you are defining a restricted group, and select to add "administrators" is this defining the Administrators Built-In group for the domain? Or the local administrators group of the Computer accounts that belong in the OU where the Policy resides?


                    • #11
                      Re: Permissions to logon through terminal services

                      If you create a restricted group GPO and add Administrators, then put domain accounts in, this will apply to the LOCAL administrators group on every machine that falls under the scope of the GPO - not the domain level Administrators group

                      Try it - but be warned other group members get removed
                      Tom Jones


                      • #12
                        Re: Permissions to logon through terminal services

                        Ok I have my domain admins group for domain1.domain.com added to the Built-in Administrators group of domain2.domain.com.

                        I go to the domain2.domain.com servers OU and add a GP for restricted groups.

                        So when I add it asks to add group, what group am I adding here? A group from domain1.domain.com or a group for domain2.domain.com?

                        I need a video on this. I have never used restricted groups because I thought it was for literally restricting groups to certain computers not making groups part of another group on a computer.


                        • #13
                          Re: Permissions to logon through terminal services

                          As pointed out, you are adding Administrators and will affect the membership of the local Administrators group on the servers you apply the GPO to, so therefore, in the OU. As this removes existing users, you will need to add all users (including from all Domains) to here that require to have local administrator access.

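The warning in posts #11 and #13, that a Restricted Groups entry for Administrators replaces the existing local membership, can be previewed per server before the GPO is linked. The script below is an added example and not part of the thread; the function names, server names and account names are constructed, and the live query assumes PowerShell remoting is enabled and PowerShell 5.1 or later is on the servers.

```powershell
# Added example (not from the thread). All names below are constructed.

function Compare-RestrictedGroupMembers {
    <# Shows what a Restricted Groups member list would do to one local group. #>
    param(
        [string[]]$CurrentMembers,   # members of the server's local group today
        [string[]]$PolicyMembers     # members listed in the Restricted Groups setting
    )
    # -in / -notin compare case-insensitively, matching Windows account names.
    [pscustomobject]@{
        Removed = @($CurrentMembers | Where-Object { $_ -notin $PolicyMembers })
        Added   = @($PolicyMembers  | Where-Object { $_ -notin $CurrentMembers })
        Kept    = @($CurrentMembers | Where-Object { $_ -in $PolicyMembers })
    }
}

function Get-LocalAdministrators {
    <# Reads each server's LOCAL Administrators group (well-known SID S-1-5-32-544). #>
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        [pscustomobject]@{
            Server  = $env:COMPUTERNAME
            Members = @((Get-LocalGroupMember -SID 'S-1-5-32-544').Name)
        }
    }
}

# Constructed sample standing in for one server's Get-LocalAdministrators result.
$current = 'ABC\Domain Admins', 'ABC\svc-backup', 'SRV01\localops'

# Intended Restricted Groups member list for Administrators (constructed).
$policy  = 'ABC\Domain Admins', 'DOMAIN\Domain Admins'

$preview = Compare-RestrictedGroupMembers -CurrentMembers $current -PolicyMembers $policy
$preview.Removed   # accounts that would lose local admin once the GPO applies
$preview.Added     # accounts that would gain local admin

# Live use against real servers (hypothetical names):
# Get-LocalAdministrators -ComputerName 'SRV01','SRV02' | ForEach-Object {
#     $diff = Compare-RestrictedGroupMembers -CurrentMembers $_.Members -PolicyMembers $policy
#     [pscustomobject]@{ Server = $_.Server; Removed = $diff.Removed -join '; ' }
# }
```

Any account listed under Removed that still needs local administrator access has to be added to the GPO's member list before the policy is applied.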