
"Allow log on through Terminal Services" in GP: How does it work?



Posted

All I want to do is set a group policy which allows members of an existing

security group to log on via RDP without me having to make them members of

the local "remote desktop users" group.

 

The group policy "Allow log on through Terminal Services" looks like it

should do the job, but I have never managed to get it to work.

 

can someone give me some pointers?

 

regards

 

roga

Guest Vera Noest [MVP]
Posted

Re: "Allow log on through Terminal Services" in GP: How does it work?

 

Why do you not want to use the group which is especially created to

ensure that members receive all the rights and permissions they

need?

 

Members of the "Remote Desktop Users" group have not only the user

right to Logon to Terminal Services, they also have the necessary

permissions on the rdp-tcp connection.

So if you don't want to add users to this group, you either have to

duplicate the group with another group of your making, or add each

user manually to the permissions tab of the rdp-tcp connection.

Both methods seem a waste of time to me, but I could be missing

something here.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

"roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote

on 20 jul 2007 in microsoft.public.windows.terminal_services:

> All I want to do is set a group policy which allows members of

> an existing security group to log on via RDP without me having

> to make them members of the local "remote desktop users" group.

>

> The group policy "Allow log on through Terminal Services"

> looks like it should do the job, but I have never managed to get

> it to work.

>

> can someone give me some pointers?

>

> regards

>

> roga

Guest Bruce Sanderson
Posted

Re: "Allow log on through Terminal Services" in GP: How does it work?

 

To add to what Vera said, you can populate the Remote Desktop Users group

using Restricted Groups in a GPO. This avoids having to manually adjust the

group membership on each target computer (Server or workstation).

 

Restricted Groups are at

Computer Configuration

Windows Settings

Security Settings

 

See http://support.microsoft.com/?id=810076.

 

--

Bruce Sanderson MVP Printing

http://members.shaw.ca/bsanders

 

It is perfectly useless to know the right answer to the wrong question.

 

 

 

"roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote in message

news:uof0DlwyHHA.4712@TK2MSFTNGP04.phx.gbl...

> All I want to do is set a group policy which allows members of an

> existing security group to log on via RDP without me having to make them

> members of the local "remote desktop users" group.

>

> The group policy "Allow log on through Terminal Services" looks like it

> should do the job, but I have never managed to get it to work.

>

> can someone give me some pointers?

>

> regards

>

> roga

>

Guest Rob (Microsoft)
Posted

RE: "Allow log on through Terminal Services" in GP: How does it work?

 

Allow logon through terminal Services as well as allow logon locally should

let you logon with those users as long as you are running Terminal Server and

not remote desktop.

 

"roga" wrote:

> All I want to do is set a group policy which allows members of an existing

> security group to log on via RDP without me having to make them members of

> the local "remote desktop users" group.

>

> The group policy "Allow log on through Terminal Services" looks like it

> should do the job, but I have never managed to get it to work.

>

> can someone give me some pointers?

>

> regards

>

> roga

>

>

>

Posted

Re: "Allow log on through Terminal Services" in GP: How does it work?

 

Thanks Bruce, that looks helpful

 

regards

 

Roger

 

"Bruce Sanderson" <bsanders@newsgroups.nospam> wrote in message

news:C66730E2-287F-4B44-A7C6-9756A66CE8B1@microsoft.com...

> To add to what Vera said, you can populate the Remote Desktop Users group

> using Restricted Groups in a GPO. This avoids having to manually adjust

> the group membership on each target computer (Server or workstation).

>

> Restricted Groups are at

> Computer Configuration

> Windows Settings

> Security Settings

>

> See http://support.microsoft.com/?id=810076.

>

> --

> Bruce Sanderson MVP Printing

> http://members.shaw.ca/bsanders

>

> It is perfectly useless to know the right answer to the wrong question.

>

>

>

> "roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote in

> message news:uof0DlwyHHA.4712@TK2MSFTNGP04.phx.gbl...

>> All I want to do is set a group policy which allows members of an

>> existing security group to log on via RDP without me having to make them

>> members of the local "remote desktop users" group.

>>

>> The group policy "Allow log on through Terminal Services" looks like

>> it should do the job, but I have never managed to get it to work.

>>

>> can someone give me some pointers?

>>

>> regards

>>

>> roga

>>

>

Posted

Re: "Allow log on through Terminal Services" in GP: How does it work?

 

 

"Vera Noest [MVP]" wrote

> Why do you not want to use the group which is especially created to

> ensure that members receive all the rights and permissions they

> need?

 

Because if I do it in GP I only have to do it once for the domain

 

If I have to add to local groups on each TS it means I have to touch each

machine ...

 

regards

 

Roga

>

> Members of the "Remote Desktop Users" group have not only the user

> right to Logon to Terminal Services, they also have the necessary

> permissions on the rdp-tcp connection.

> So if you don't want to add users to this group, you either have to

> duplicate the group with another group of your making, or add each

> user manually to the permissions tab of the rdp-tcp connection.

> Both methods seem a waste of time to me, but I could be missing

> something here.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> "roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote

> on 20 jul 2007 in microsoft.public.windows.terminal_services:

>

>> All I want to do is set a group policy which allows members of

>> an existing security group to log on via RDP without me having

>> to make them members of the local "remote desktop users" group.

>>

>> The group policy "Allow log on through Terminal Services"

>> looks like it should do the job, but I have never managed to get

>> it to work.

>>

>> can someone give me some pointers?

>>

>> regards

>>

>> roga

Guest Florian Frommherz [MVP]
Posted

Re: "Allow log on through Terminal Services" in GP: How does it work?

 

Howdie!

 

roga wrote:

> "Vera Noest [MVP]" wrote

>> Why do you not want to use the group which is especially created to

>> ensure that members receive all the rights and permissions they

>> need?

>

> Because if I do it in GP I only have to do it once for the domain

 

Look at the "Restricted Groups" feature of Group Policy. That allows you

to put Active Directory users automatically into local workstations'

security groups. This way you could add an Active Directory security

group as a member to a bunch of clients' "Remote Desktop Users" group.

 

cheers,

 

Florian

--

Microsoft MVP - Windows Server - Group Policy.

eMail: prename [at] frickelsoft [dot] net.

blog: http://www.frickelsoft.net/blog.
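Bruce's and Florian's posts both point at Restricted Groups, but the feature has two modes with very different effects, and KB 810076 describes them: "Members of this group" replaces the local group's member list with exactly what is listed, while "This group is a member of" only adds the named group and leaves other members alone. The script below is an added example (the editor's, not code from the thread, from Microsoft, or from either poster) that reads the [Group Membership] section of a GPO's GptTmpl.inf security template and reports which mode each entry uses. The SYSVOL path in the comment is a placeholder, the domain SIDs in the sample are constructed, and the sample template is embedded so the script runs offline; S-1-5-32-555 is the well-known SID of Remote Desktop Users.

```powershell
# Added example (editor's, not from the thread or Microsoft): read the Restricted Groups
# section of a GPO security template and show, per entry, whether it adds a group to other
# groups ("This group is a member of", written as <group>__Memberof) or replaces a group's
# member list ("Members of this group", written as <group>__Members).

# Well-known SID of the built-in Remote Desktop Users group.
$RemoteDesktopUsersSid = 'S-1-5-32-555'

# Real location of the template for a GPO (placeholder domain and GUID):
#   \\contoso.example\SYSVOL\contoso.example\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# Constructed sample of the relevant section so the script runs offline. The first two
# lines are what the editor writes for "CONTOSO\TS-Users is a member of Remote Desktop
# Users"; the last line is a "Members of this group" definition on Administrators.
$SampleTemplate = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-555
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1106
'@ -split "`r?`n"

function Get-RestrictedGroupSettings {
    # Parse [Group Membership] lines into objects describing group, mode, list and effect.
    param([string[]]$TemplateLines)
    $inSection = $false
    $settings  = @()
    foreach ($line in $TemplateLines) {
        if ($line -match '^\s*\[(?<name>[^\]]+)\]\s*$') {
            $inSection = ($Matches['name'] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^\s*\*?(?<group>.+?)__(?<mode>Members|Memberof)\s*=\s*(?<value>.*)$') {
            $group = $Matches['group']; $mode = $Matches['mode']; $value = $Matches['value']
            # Entries are SIDs prefixed with "*" or plain DOMAIN\Name strings; normalise both.
            $list = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            if ($mode -eq 'Memberof') {
                $effect = if ($list) { 'ADDS this group to the listed groups; existing members of those groups stay' }
                          else       { 'no-op (empty "member of" list)' }
            } else {
                $effect = if ($list) { 'REPLACES the member list of this group with exactly the listed entries' }
                          else       { 'EMPTY member list: confirm in the GPO editor whether this group is meant to be emptied' }
            }
            $settings += [pscustomobject]@{ Group = $group; Mode = $mode; List = $list; Effect = $effect }
        }
    }
    return $settings
}

# To inspect a real GPO, replace $SampleTemplate with (Get-Content '<path to GptTmpl.inf>').
$entries = Get-RestrictedGroupSettings -TemplateLines $SampleTemplate
foreach ($e in $entries) {
    '{0} [{1}] -> {2}' -f $e.Group, $e.Mode, ($e.List -join ', ')
    '    ' + $e.Effect
}

# The thread's case: which entries touch Remote Desktop Users, and in which mode?
$touchingRdu = @($entries | Where-Object { $_.Group -eq $RemoteDesktopUsersSid -or $_.List -contains $RemoteDesktopUsersSid })
if ($touchingRdu | Where-Object { $_.Group -eq $RemoteDesktopUsersSid -and $_.Mode -eq 'Members' }) {
    'WARNING: a "Members of this group" definition on Remote Desktop Users will remove any members added by hand.'
} elseif ($touchingRdu) {
    'OK: Remote Desktop Users is only extended (additive "member of" entries).'
} else {
    'This template does not touch Remote Desktop Users.'
}
```

For the additive approach Florian describes, the entry to look for is the domain group with `__Memberof = *S-1-5-32-555`; a `*S-1-5-32-555__Members = ...` line is the replacing form and is the one to review before linking the GPO to more than one OU.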

Guest Vera Noest [MVP]
Posted

Re: "Allow log on through Terminal Services" in GP: How does it work?

 

"roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote

on 23 jul 2007:

> "Vera Noest [MVP]" wrote

>> Why do you not want to use the group which is especially

>> created to ensure that members receive all the rights and

>> permissions they need?

>

> Because if I do it in GP I only have to do it once for the

> domain

>

> If I have to add to local groups on each TS it means I have to

> touch each machine ...

 

Agreed. But if you bypass the recommended method of:

Users in Global groups, Global groups in Local groups, Local group

gets permissions, then you will also lose a level of flexibility.

It will be impossible to differentiate between the Terminal

Servers, i.e. you can not allow only a subset of your users to a

subset of your Terminal Servers.

And sooner or later, you'll get the need for a dedicated TS with

some special program, only for some special users.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

*----------- Please reply in newsgroup -------------*

Guest Vera Noest [MVP]
Posted

RE: "Allow log on through Terminal Services" in GP: How does it work?

 

That's not correct, Rob.

For the mentioning of the "Remote Desktop Users" group we can

deduce that the TS is running 2003. Then you do *not* need the user

right to Logon Locally. That was true on W2K, but not on 2003.

 

And without the proper permissions on the rdp-tcp connection, you

won't be able to connect, no matter what Logon user rights you

have.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

*----------- Please reply in newsgroup -------------*

 

Rob (Microsoft)

<RobMicrosoft@discussions.microsoft.com> wrote on 22 jul 2007:

> Allow logon through terminal Services as well as allow logon

> locally should let you logon with those users as long as you are

> running Terminal Server and not remote desktop.

>

> "roga" wrote:

>

>> All I want to do is set a group policy which allows members of

>> an existing security group to log on via RDP without me having

>> to make them members of the local "remote desktop users" group.

>>

>> The group policy "Allow log on through Terminal Services"

>> looks like it should do the job, but I have never managed to

>> get it to work.

>>

>> can someone give me some pointers?

>>

>> regards

>>

>> roga

Guest Roger Abell [MVP]
Posted

Re: "Allow log on through Terminal Services" in GP: How does it work?

 

"Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message

news:Xns99768D84F7BDCveranoesthemutforsse@207.46.248.16...

> "roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote

> on 23 jul 2007:

>

>> "Vera Noest [MVP]" wrote

>>> Why do you not want to use the group which is especially

>>> created to ensure that members receive all the rights and

>>> permissions they need?

>>

>> Because if I do it in GP I only have to do it once for the

>> domain

>>

>> If I have to add to local groups on each TS it means I have to

>> touch each machine ...

>

> Agreed. But if you bypass the recommended method of:

> Users in Global groups, Global groups in Local groups, Local group

> gets permissions, then you will also lose a level of flexibility.

> It will be impossible to differentiate between the Terminal

> Servers, i.e. you can not allow only a subset of your users to a

> subset of your Terminal Servers.

> And sooner or later, you'll get the need for a dedicated TS with

> some special program, only for some special users.

 

I do not follow any of that posting.

The poster may use Restricted Group definitions on a per GPO

basis to effect membership adjustments to local groups on any

selected collection of TS servers. Doing so can add either a

domain global or a domain local to the machine local group,

and the effect is the same in either case.

I do however agree that there seems no good reason to reinvent

the machine local Remote Desktop Users group, and that one in

fact would be doing just that, defining a new machine local that

is identical in grants as the existing Remote Desktop Users group

 

Roger

Guest Roger Abell [MVP]
Posted

Re: "Allow log on through Terminal Services" in GP: How does it work?

 

Right on both counts, provided . . .

There are basically two things carried by the Remote Desktop Users

group, as you have indicated a couple times: the user right to log on

through TS, and the permissions on the rdp-tcp connectoid. However,

I often recommend that people take control over the Users group on

their domain joined machines, in which case they may have removed

Authenticated Users, Domain Users, and/or Interactive from Users

and/or from the user rights normally granted to Users. The precise

impact would depend on how they have hardened their server. In

most all cases, sufficient grants over Windows binaries and temp

areas does result if, in this case, the group made a member of the

Remote Desktop Users group is also made a member of Users, both

of course doable via GPO targeting.

 

Roger

 

"Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message

news:Xns99768E5EFCDECveranoesthemutforsse@207.46.248.16...

> That's not correct, Rob.

> For the mentioning of the "Remote Desktop Users" group we can

> deduce that the TS is running 2003. Then you do *not* need the user

> right to Logon Locally. That was true on W2K, but not on 2003.

>

> And without the proper permissions on the rdp-tcp connection, you

> won't be able to connect, no matter what Logon user rights you

> have.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> *----------- Please reply in newsgroup -------------*

>

> Rob (Microsoft)

> <RobMicrosoft@discussions.microsoft.com> wrote on 22 jul 2007:

>

>> Allow logon through terminal Services as well as allow logon

>> locally should let you logon with those users as long as you are

>> running Terminal Server and not remote desktop.

>>

>> "roga" wrote:

>>

>>> All I want to do is set a group policy which allows members of

>>> an existing security group to log on via RDP without me having

>>> to make them members of the local "remote desktop users" group.

>>>

>>> The group policy "Allow log on through Terminal Services"

>>> looks like it should do the job, but I have never managed to

>>> get it to work.

>>>

>>> can someone give me some pointers?

>>>

>>> regards

>>>

>>> roga
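Vera's correction and Roger's follow-up between them list what a Server 2003 terminal server actually checks: the "Allow log on through Terminal Services" user right (which on 2003 is granted to Remote Desktop Users, with "Allow log on locally" no longer required), an allow entry on the RDP-Tcp listener, and, on hardened servers, whether the group also ends up in Users. The script below is an added example (the editor's, not code from the thread or from any of the posters) that reads those three things on the server it runs on and flags the common mismatches. It assumes an elevated session (secedit needs it), a constructed group name CONTOSO\TS-Users, and the TerminalServices WMI namespace with its Win32_TSAccount class for the listener entries, which is present on Windows Server 2003 and later.

```powershell
# Added example (editor's, not from the thread or Microsoft): read-only check on a
# terminal server of the things the posts above say an RDP user needs: the user right
# SeRemoteInteractiveLogonRight ("Allow log on through Terminal Services"), membership
# in Remote Desktop Users (and, per Roger's note, reachable membership in Users), and an
# entry on the RDP-Tcp listener. Run from an elevated PowerShell session.

$GroupToCheck = 'CONTOSO\TS-Users'   # assumption: the domain group the GPO grants RDP access to

function Resolve-Principal {
    # secedit writes SIDs as "*S-1-5-32-555"; turn them into DOMAIN\Name where the SID resolves.
    param([string]$Entry)
    $e = $Entry.Trim().TrimStart('*')
    if ($e -like 'S-1-*') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e)
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $e }
    }
    return $e
}

function Get-UserRightAssignments {
    # Export the effective local security policy and parse its [Privilege Rights] lines.
    $cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]; $holders = $Matches[2]
            $rights[$name] = @($holders -split ',' | Where-Object { $_.Trim() } | ForEach-Object { Resolve-Principal $_ })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Get-LocalGroupMembership {
    # Members of a machine-local group as DOMAIN\Name via ADSI (works on 2003 through current builds).
    param([string]$GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    return @($group.psbase.Invoke('Members') | ForEach-Object {
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { $parts[-2..-1] -join '\' } else { $parts[-1] }
    })
}

function Get-RdpListenerAccounts {
    # Accounts holding permission entries on the RDP-Tcp listener (Vera's "rdp-tcp connection").
    return @(Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSAccount `
                 -Filter "TerminalName='RDP-Tcp'" |
             ForEach-Object { '{0} (allow={1} deny={2})' -f $_.AccountName, $_.PermissionsAllowed, $_.PermissionsDenied })
}

$rights       = Get-UserRightAssignments
$allowTs      = @($rights['SeRemoteInteractiveLogonRight'])
$denyTs       = @($rights['SeDenyRemoteInteractiveLogonRight'])
$rduMembers   = Get-LocalGroupMembership 'Remote Desktop Users'
$usersMembers = Get-LocalGroupMembership 'Users'

'Allow log on through Terminal Services : ' + ($allowTs -join ', ')
'Deny log on through Terminal Services  : ' + ($denyTs -join ', ')
'Remote Desktop Users members           : ' + ($rduMembers -join ', ')
'Users members                          : ' + ($usersMembers -join ', ')
'RDP-Tcp listener entries               : ' + ((Get-RdpListenerAccounts) -join '; ')

# Findings for the group in question. A GPO that defines the user right replaces the
# local list, so also confirm that Remote Desktop Users itself still holds it.
$domain   = $GroupToCheck.Split('\')[0]
$findings = @()
if ($allowTs -notcontains 'BUILTIN\Remote Desktop Users') {
    $findings += 'Remote Desktop Users no longer holds the Terminal Services logon right (overwritten by a GPO?)'
}
if ($rduMembers -notcontains $GroupToCheck) { $findings += "$GroupToCheck is not in Remote Desktop Users on this server" }
if ($denyTs -contains $GroupToCheck)        { $findings += "$GroupToCheck is explicitly denied Terminal Services logon" }
$reachesUsers = $usersMembers | Where-Object {
    $_ -eq $GroupToCheck -or $_ -eq "$domain\Domain Users" -or $_ -like '*\Authenticated Users'
}
if (-not $reachesUsers) { $findings += "$GroupToCheck does not reach the Users group; check access to Windows binaries and temp areas (Roger's point)" }
if ($findings) { $findings | ForEach-Object { 'FINDING: ' + $_ } } else { 'OK: no issues found for ' + $GroupToCheck }
```

The listener entries are printed as the raw PermissionsAllowed/PermissionsDenied bit masks WMI reports; the useful signal for this thread is simply whether Remote Desktop Users still appears there, since, as Vera says, no user right compensates for a missing listener permission.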

Guest Vera Noest [MVP]
Posted

Re: "Allow log on through Terminal Services" in GP: How does it work?

 

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote on 24 jul 2007 in

microsoft.public.windows.terminal_services:

> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote

> in message

> news:Xns99768D84F7BDCveranoesthemutforsse@207.46.248.16...

>> "roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk>

>> wrote on 23 jul 2007:

>>

>>> "Vera Noest [MVP]" wrote

>>>> Why do you not want to use the group which is especially

>>>> created to ensure that members receive all the rights and

>>>> permissions they need?

>>>

>>> Because if I do it in GP I only have to do it once for the

>>> domain

>>>

>>> If I have to add to local groups on each TS it means I have to

>>> touch each machine ...

>>

>> Agreed. But if you bypass the recommended method of:

>> Users in Global groups, Global groups in Local groups, Local

>> group gets permissions, then you will also lose a level of

>> flexibility. It will be impossible to differentiate between the

>> Terminal Servers, i.e. you can not allow only a subset of your

>> users to a subset of your Terminal Servers.

>> And sooner or later, you'll get the need for a dedicated TS

>> with some special program, only for some special users.

>

> I do not follow any of that posting.

> The poster may use Restricted Group definitions on a per GPO

> basis to effect membership adjustments to local groups on any

> selected collection of TS servers. Doing so can add either a

> domain global or a domain local to the machine local group,

> and the effect is the same in either case.

> I do however agree that there seems no good reason to reinvent

> the machine local Remote Desktop Users group, and that one in

> fact would be doing just that, defining a new machine local that

> is identical in grants as the existing Remote Desktop Users

> group

>

> Roger

 

But the OP wanted to assign all necessary user rights and

permissions in one big sweep (a single domain-wide GPO).

I agree that populating the Remote Desktop Users group through GPOs

is a very efficient way of doing it, but if/when you need to

differentiate between Terminal Servers, the OP would still need to

use multiple GPOs.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

Posted

Re: "Allow log on through Terminal Services" in GP: How does it work?

 

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message

news:Xns9977E840D4062veranoesthemutforsse@207.46.248.16...

>

> But the OP wanted to assign all necessary user rights and

> permissions in one big sweep (a single domain-wide GPO).

 

No I didn't Vera, I said nothing about which OU's I was going to assign the

GPO to. (Although I can see why you took it that way)

> I agree that populating the Remote Desktop Users group through GPOs

> is a very efficient way of doing it, but if/when you need to

> differentiate between Terminal Servers, the OP would still need to

> use multiple GPOs.

 

I would need one GPO and enable it for whatever OU's and security groups

necessary, wouldn't I?

 

regards

 

roga

Guest Vera Noest [MVP]
Posted

Re: "Allow log on through Terminal Services" in GP: How does it work?

 

"roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote

on 24 jul 2007 in microsoft.public.windows.terminal_services:

> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote

> in message

> news:Xns9977E840D4062veranoesthemutforsse@207.46.248.16...

>>

>> But the OP wanted to assign all necessary user rights and

>> permissions in one big sweep (a single domain-wide GPO).

>

> No I didn't Vera, I said nothing about which OU's I was going to

> assign the GPO to. (Although I can see why you took it that way)

>

>> I agree that populating the Remote Desktop Users group through

>> GPOs is a very efficient way of doing it, but if/when you need

>> to differentiate between Terminal Servers, the OP would still

>> need to use multiple GPOs.

>

> I would need one GPO and enable it for whatever OU's and

> security groups necessary, wouldn't I?

 

Not if you need to differentiate between Terminal Servers, which

was the only thing I wanted to point out from the beginning: you

try to use a shortcut now, but be aware that it could bite you

later.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___
