Guest NewMan
Posted August 30, 2008

We have recently installed a Win 2008 Server.

I added the Hyper-V role, and installed a virtual instance of a Win2000 Server.

I have no problem accessing the Win2000 server via Remote Desktop / Terminal Services.

Here is the twist....

Non-Admin users cannot log on locally. No problem, there is an option for that Right???? WRONG!

You cannot access the "Allow logon through Terminal Services" element of Group Policy when you are accessing the group policy via a Terminal Services Session!

ACK! With a virtualized machine, the ONLY kind of connection is a Terminal Services Session!

I tried accessing via the Hypervisor console, but all it does is connect to a terminal services session!

So, other than making EVERYONE a member of the "administrators" group, how do I edit the "Allow logon through Terminal Services" group policy???

I'm stumped.

Guest Rod
Posted August 30, 2008

Re: New Twist (and problem) with TS...

NewMan wrote:
> We have recently installed a Win 2008 Server.
>
> I added the Hyper-V role, and installed a virtual instance of a
> Win2000 Server.
>
> I have no problem accessing the Win2000 server via Remote Desktop /
> Terminal Services.
>
> Here is the twist....
>
> Non-Admin users cannot log on locally. No problem, there is an option
> for that Right???? WRONG!
>
> You cannot access the "Allow logon through Terminal Services" element
> of Group Policy when you are accessing the group policy via a Terminal
> Services Session!
>
> ACK! With a virtualized machine, the ONLY kind of connection is a
> Terminal Services Session!
>
> I tried accessing via the Hypervisor console, but all it does is
> connect to a terminal services session!
>
> So, other than making EVERYONE a member of the "administrators"
> group, how do I edit the "Allow logon through Terminal Services" group
> policy???
>
> I'm stumped.

Not sure, but would it not make sense to make such group policy changes on another server, e.g. your domain controller - which is, if I have read right, your 2008 server? They will then propagate to any TS servers in the domain.

--
Rod

Hypothyroidism is a seriously debilitating condition with an insidious onset.
Although common it frequently goes undiagnosed.
<www.thyromind.info> <www.thyroiduk.org> <www.altsupportthyroid.org>

Guest Jeff Pitsch
Posted August 30, 2008

Re: New Twist (and problem) with TS...

I believe you should be able to pull up a console session from the hyper-v server itself.

Also, you can make these changes, as Rod said, through Group Policy. Also did you install in remote admin mode or application mode for terminal services?

--
Jeff Pitsch
Microsoft MVP - Terminal Services

"Rod" <polygonum@ntlworld.com> wrote in message news:6hsdieFngvq3U1@mid.individual.net...
> NewMan wrote:
>> We have recently installed a Win 2008 Server.
>>
>> I added the Hyper-V role, and installed a virtual instance of a
>> Win2000 Server.
>>
>> I have no problem accessing the Win2000 server via Remote Desktop /
>> Terminal Services.
>>
>> Here is the twist....
>>
>> Non-Admin users cannot log on locally. No problem, there is an option
>> for that Right???? WRONG!
>>
>> You cannot access the "Allow logon through Terminal Services" element
>> of Group Policy when you are accessing the group policy via a Terminal
>> Services Session!
>>
>> ACK! With a virtualized machine, the ONLY kind of connection is a
>> Terminal Services Session!
>>
>> I tried accessing via the Hypervisor console, but all it does is
>> connect to a terminal services session!
>>
>> So, other than making EVERYONE a member of the "administrators"
>> group, how do I edit the "Allow logon through Terminal Services" group
>> policy???
>>
>> I'm stumped.
>
> Not sure, but would it not make sense to make such group policy changes on
> another server, e.g. your domain controller - which is, if I have read
> right, your 2008 server? They will then propagate to any TS servers in the
> domain.
>
> --
> Rod
>
> Hypothyroidism is a seriously debilitating condition with an insidious
> onset.
> Although common it frequently goes undiagnosed.
> <www.thyromind.info> <www.thyroiduk.org> <www.altsupportthyroid.org>

Guest NewMan
Posted August 30, 2008

Re: New Twist (and problem) with TS...

On Sat, 30 Aug 2008 09:09:47 +0100, Rod <polygonum@ntlworld.com> wrote:

>NewMan wrote:
>> We have recently installed a Win 2008 Server.
>>
>> I added the Hyper-V role, and installed a virtual instance of a
>> Win2000 Server.
>>
>> I have no problem accessing the Win2000 server via Remote Desktop /
>> Terminal Services.
>>
>> Here is the twist....
>>
>> Non-Admin users cannot log on locally. No problem, there is an option
>> for that Right???? WRONG!
>>
>> You cannot access the "Allow logon through Terminal Services" element
>> of Group Policy when you are accessing the group policy via a Terminal
>> Services Session!
>>
>> ACK! With a virtualized machine, the ONLY kind of connection is a
>> Terminal Services Session!
>>
>> I tried accessing via the Hypervisor console, but all it does is
>> connect to a terminal services session!
>>
>> So, other than making EVERYONE a member of the "administrators"
>> group, how do I edit the "Allow logon through Terminal Services" group
>> policy???
>>
>> I'm stumped.
>
>Not sure, but would it not make sense to make such group policy changes
>on another server, e.g. your domain controller - which is, if I have
>read right, your 2008 server? They will then propagate to any TS servers
>in the domain.

Actually, the 2008 server itself is NOT a part of the domain, it is in its own workgroup.

However, the virtualized Win 2000 Server *is* a part of the domain.

Our domain has not had the schema updated yet, so joining 2008 server to the domain won't work.

Guest NewMan
Posted August 30, 2008

Re: New Twist (and problem) with TS...

Hi Jeff,

TS was installed in Remote Admin mode. And I was trying to make the changes via Group Policy. The problem is that certain items do *not* appear in the GP menus when you are connected remotely. Thinking about it, it is easy to see why... If you were allowed to permit an account to log on remotely, then an attacker might be able to trick-out the system and gain what would appear to be legitimate access. Knowing that does not help me.

However, you make an interesting point....

The virtualized server is indeed a domain controller. So... when I get back to the office if I log on to one of the other Physical domain controllers, then in theory the missing GP items will appear in the menu. I can then set them accordingly, and they should replicate to the other DCs in the domain! (*maybe* ;)

And here I sit at home on a long weekend.

I know it is available, but I have never used it... would a TELNET session be able to accomplish what I am after? And, if so, how do you set it up???

Thanks!

On Sat, 30 Aug 2008 08:44:48 -0400, "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote:

>I believe you should be able to pull up a console session from the hyper-v
>server itself.
>
>Also, you can make these changes, as Rod said, through Group Policy. Also
>did you install in remote admin mode or application mode for terminal
>services?

Guest Jeff Pitsch
Posted August 30, 2008

Re: New Twist (and problem) with TS...

You cannot allow nonadmin users into remote admin mode on a Windows 2000 server.

It sounds like you are looking at local policy (gpedit.msc) vs group Policy.

--
Jeff Pitsch
Microsoft MVP - Terminal Services

"NewMan" <cloakedrun2001@NOSPAM.yahoo.ca> wrote in message news:36mib49t9psqcq3aj44kumpii8db0if5tk@4ax.com...
> Hi Jeff,
>
> TS was installed in Remote Admin mode. And I was trying to make the
> changes via Group Policy. The problem is that certain items do *not*
> appear in the GP menus when you are connected remotely. Thinking about
> it, it is easy to see why... If you were allowed to permit an account
> to log on remotely, then an attacker might be able to trick-out the
> system and gain what would appear to be legitimate access. Knowing
> that does not help me.
>
> However, you make an interesting point....
>
> The virtualized server is indeed a domain controller. So... when I get
> back to the office if I log on to one of the other Physical domain
> controllers, then in theory the missing GP items will appear in the
> menu. I can then set them accordingly, and they should replicate to
> the other DCs in the domain! (*maybe* ;)
>
> And here I sit at home on a long weekend.
>
> I know it is available, but I have never used it... would a TELNET
> session be able to accomplish what I am after? And, if so, how do you
> set it up???
>
> Thanks!
>
> On Sat, 30 Aug 2008 08:44:48 -0400, "Jeff Pitsch"
> <jeff@jeffpitschconsulting.com> wrote:
>
>>I believe you should be able to pull up a console session from the hyper-v
>>server itself.
>>
>>Also, you can make these changes, as Rod said, through Group Policy. Also
>>did you install in remote admin mode or application mode for terminal
>>services?

Guest TP
Posted August 30, 2008

Re: New Twist (and problem) with TS...

Hi,

"Allow logon through Terminal Services" right does not exist in 2000 server. Use "Log on locally", or "Allow log on locally", depending on your GP template version instead.

You will also need to make sure the limited users have Permissions on the RDP-Tcp object in Terminal Services Configuration (tscc.msc).

Thanks.

-TP

NewMan wrote:
> We have recently installed a Win 2008 Server.
>
> I added the Hyper-V role, and installed a virtual instance of a
> Win2000 Server.
>
> I have no problem accessing the Win2000 server via Remote Desktop /
> Terminal Services.
>
> Here is the twist....
>
> Non-Admin users cannot log on locally. No problem, there is an option
> for that Right???? WRONG!
>
> You cannot access the "Allow logon through Terminal Services" element
> of Group Policy when you are accessing the group policy via a Terminal
> Services Session!
>
> ACK! With a virtualized machine, the ONLY kind of connection is a
> Terminal Services Session!
>
> I tried accessing via the Hypervisor console, but all it does is
> connect to a terminal services session!
>
> So, other than making EVERYONE a member of the "administrators"
> group, how do I edit the "Allow logon through Terminal Services" group
> policy???
>
> I'm stumped.

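[Added example, not part of TP's post or of anyone's reply in this thread.] One way to confirm that the "Log on locally" grant TP describes went to the intended limited group, rather than to everyone, is to export the user-rights assignments with secedit and read the [Privilege Rights] section. The sample template, the EXAMPLE\TS-Limited group and the list of "too broad" groups are constructed assumptions; the RDP-Tcp connection permissions set in tscc.msc are not part of this export and are not checked here.

```python
# Added example: audit user-rights assignments in a security template
# exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS`.
# Real exports are files on disk; this sample is constructed and inline.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\TS-Limited
[Version]
signature="$CHICAGO$"
"""

LOCAL_LOGON = "SeInteractiveLogonRight"        # "Log on locally"
TS_LOGON = "SeRemoteInteractiveLogonRight"     # "Allow log on through Terminal Services"
WELL_KNOWN = {"S-1-1-0": "Everyone",
              "S-1-5-32-544": "BUILTIN\\Administrators",
              "S-1-5-32-545": "BUILTIN\\Users"}
BROAD = {"Everyone", "BUILTIN\\Users"}         # assumption: groups treated as too wide


def parse_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            sids = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
            rights[name.strip()] = [WELL_KNOWN.get(s, s) for s in sids]
    return rights


def audit_ts_logon(inf_text, is_win2000):
    """Report who holds the right that gates a Terminal Services logon."""
    rights = parse_rights(inf_text)
    # Windows 2000 has no separate Terminal Services right (per the thread),
    # so "Log on locally" is the one to inspect there.
    gate = LOCAL_LOGON if is_win2000 else TS_LOGON
    holders = rights.get(gate, [])
    return {"right": gate, "holders": holders,
            "too_broad": sorted(h for h in holders if h in BROAD)}


if __name__ == "__main__":
    print(audit_ts_logon(SAMPLE_INF, is_win2000=True))
```
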
Guest NewMan
Posted August 30, 2008

Re: New Twist (and problem) with TS...

Well I had no problem doing it on the physical box before the virtualization. It was just so long ago that I don't remember how I set it up.

On Sat, 30 Aug 2008 14:51:54 -0400, "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote:

>You cannot allow nonadmin users into remote admin mode on a Windows 2000
>server.
>
>It sounds like you are looking at local policy (gpedit.msc) vs group Policy.

Guest NewMan
Posted August 30, 2008

Re: New Twist (and problem) with TS...

On Sat, 30 Aug 2008 16:42:23 -0400, "TP" <tperson.knowspamn@mailandnews.com> wrote:

>Hi,
>
>"Allow logon through Terminal Services" right does not
>exist in 2000 server. Use "Log on locally", or "Allow log on locally",
>depending on your GP template version instead.
>
>You will also need to make sure the limited users have
>Permissions on the RDP-Tcp object in Terminal Services
>Configuration (tscc.msc).
>

THAT was it! Problem solved! Thank you so very much. :)

>Thanks.
>
>-TP
>
>NewMan wrote:
>> We have recently installed a Win 2008 Server.
>>
>> I added the Hyper-V role, and installed a virtual instance of a
>> Win2000 Server.
>>
>> I have no problem accessing the Win2000 server via Remote Desktop /
>> Terminal Services.
>>
>> Here is the twist....
>>
>> Non-Admin users cannot log on locally. No problem, there is an option
>> for that Right???? WRONG!
>>
>> You cannot access the "Allow logon through Terminal Services" element
>> of Group Policy when you are accessing the group policy via a Terminal
>> Services Session!
>>
>> ACK! With a virtualized machine, the ONLY kind of connection is a
>> Terminal Services Session!
>>
>> I tried accessing via the Hypervisor console, but all it does is
>> connect to a terminal services session!
>>
>> So, other than making EVERYONE a member of the "administrators"
>> group, how do I edit the "Allow logon through Terminal Services" group
>> policy???
>>
>> I'm stumped.

Guest TP
Posted September 2, 2008

Re: New Twist (and problem) with TS...

You are welcome. Thank you for posting back with your results.

-TP