Guest roga
Posted July 20, 2007
"Allow log on through Terminal Services" in GP: How does it work?

All I want to do is set a group policy which allows members of an existing security group to log on via RDP without me having to make them members of the local "Remote Desktop Users" group.

The group policy "Allow log on through Terminal Services" looks like it should do the job, but I have never managed to get it to work.

Can someone give me some pointers?

regards
roga
Guest Vera Noest [MVP]
Posted July 20, 2007
Re: "Allow log on through Terminal Services" in GP: How does it work?

Why do you not want to use the group which is especially created to ensure that members receive all the rights and permissions they need?

Members of the "Remote Desktop Users" group have not only the user right to log on to Terminal Services, they also have the necessary permissions on the rdp-tcp connection. So if you don't want to add users to this group, you either have to duplicate the group with another group of your making, or add each user manually to the permissions tab of the rdp-tcp connection. Both methods seem a waste of time to me, but I could be missing something here.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote on 20 jul 2007 in microsoft.public.windows.terminal_services:

> All I want to do is set a group policy which allows members of an existing security group to log on via RDP without me having to make them members of the local "remote desktop users" group.
>
> The group policy "Allow log on through Terminal Services" looks like it should do the job, but I have never managed to get it to work.
>
> can someone give me some pointers?
>
> regards
>
> roga
Guest Bruce Sanderson
Posted July 21, 2007
Re: "Allow log on through Terminal Services" in GP: How does it work?

To add to what Vera said, you can populate the Remote Desktop Users group using Restricted Groups in a GPO. This avoids having to manually adjust the group membership on each target computer (server or workstation).

Restricted Groups are at
Computer Configuration
Windows Settings
Security Settings

See http://support.microsoft.com/?id=810076.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.

"roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote in message news:uof0DlwyHHA.4712@TK2MSFTNGP04.phx.gbl...

> All I want to do is set a group policy which allows members of an existing security group to log on via RDP without me having to make them members of the local "remote desktop users" group.
>
> The group policy "Allow log on through Terminal Services" looks like it should do the job, but I have never managed to get it to work.
>
> can someone give me some pointers?
>
> regards
>
> roga
Guest Rob (Microsoft)
Posted July 22, 2007
RE: "Allow log on through Terminal Services" in GP: How does it work?

Allow logon through Terminal Services as well as allow logon locally should let you logon with those users as long as you are running Terminal Server and not Remote Desktop.

"roga" wrote:

> All I want to do is set a group policy which allows members of an existing security group to log on via RDP without me having to make them members of the local "remote desktop users" group.
>
> The group policy "Allow log on through Terminal Services" looks like it should do the job, but I have never managed to get it to work.
>
> can someone give me some pointers?
>
> regards
>
> roga
Guest roga
Posted July 23, 2007
Re: "Allow log on through Terminal Services" in GP: How does it work?

Thanks Bruce, that looks helpful.

regards
Roger

"Bruce Sanderson" <bsanders@newsgroups.nospam> wrote in message news:C66730E2-287F-4B44-A7C6-9756A66CE8B1@microsoft.com...

> To add to what Vera said, you can populate the Remote Desktop Users group using Restricted Groups in a GPO. This avoids having to manually adjust the group membership on each target computer (Server or workstation).
>
> Restricted Groups are at
> Computer Configuration
> Windows Settings
> Security Settings
>
> See http://support.microsoft.com/?id=810076.
>
> --
> Bruce Sanderson MVP Printing
> http://members.shaw.ca/bsanders
>
> It is perfectly useless to know the right answer to the wrong question.
>
> "roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote in message news:uof0DlwyHHA.4712@TK2MSFTNGP04.phx.gbl...
>> All I want to do is set a group policy which allows members of an existing security group to log on via RDP without me having to make them members of the local "remote desktop users" group.
>>
>> The group policy "Allow log on through Terminal Services" looks like it should do the job, but I have never managed to get it to work.
>>
>> can someone give me some pointers?
>>
>> regards
>>
>> roga
Guest roga
Posted July 23, 2007
Re: "Allow log on through Terminal Services" in GP: How does it work?

"Vera Noest [MVP]" wrote

> Why do you not want to use the group which is especially created to ensure that members receive all the rights and permissions they need?

Because if I do it in GP I only have to do it once for the domain.

If I have to add to local groups on each TS it means I have to touch each machine ...

regards
Roga

> Members of the "Remote Desktop Users" group have not only the user right to Logon to Terminal Services, they also have the necessary permissions on the rdp-tcp connection.
> So if you don't want to add users to this group, you either have to duplicate the group with another group of your making, or add each user manually to the permissions tab of the rdp-tcp connection.
> Both methods seem a waste of time to me, but I could be missing something here.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote on 20 jul 2007 in microsoft.public.windows.terminal_services:
>
>> All I want to do is set a group policy which allows members of an existing security group to log on via RDP without me having to make them members of the local "remote desktop users" group.
>>
>> The group policy "Allow log on through Terminal Services" looks like it should do the job, but I have never managed to get it to work.
>>
>> can someone give me some pointers?
>>
>> regards
>>
>> roga
Guest Florian Frommherz [MVP]
Posted July 23, 2007
Re: "Allow log on through Terminal Services" in GP: How does it work?

Howdie!

roga wrote:

> "Vera Noest [MVP]" wrote
>> Why do you not want to use the group which is especially created to ensure that members receive all the rights and permissions they need?
>
> Because if I do it in GP I only have to do it once for the domain

Look at the "Restricted Groups" feature of Group Policy. That allows you to put Active Directory users automatically into local workstations' security groups. Like this you could add an Active Directory security group as a member to a bunch of clients' "Remote Desktop Users" group.

cheers,
Florian

--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
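Bruce and Florian both point at Restricted Groups. Before rolling that out it is worth knowing that the feature writes two different kinds of entry into the GPO's security template, and only one of them is additive: a "Members of this group" entry rewrites the local group to exactly the listed accounts on every policy refresh (any member added by hand on a server is removed), while a "This group is a member of" entry only adds the named account and leaves the group's other members alone. The PowerShell function below is an added example, not code from anyone in this thread; it parses the [Group Membership] section of a GptTmpl.inf and classifies each entry. The sample template, the domain CONTOSO, the group names TS-Users and TS-Admins, and the SYSVOL path in the comments are constructed placeholders.

```powershell
# Added example, not code from any poster in this thread.
# Restricted Groups stores its settings in the GPO's security template under
# SYSVOL, e.g. \\<domain>\SYSVOL\<domain>\Policies\{<GPO-GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# (placeholder path). Two entry forms appear in [Group Membership]:
#   <group>__Members   = a,b   "Members of this group": authoritative; the local group
#                              is rewritten to exactly that list on every refresh
#   <account>__Memberof = g    "This group is a member of": additive; g keeps its members
# Principals that start with '*' are SIDs; S-1-5-32-555 is BUILTIN\Remote Desktop Users.

function Resolve-InfPrincipal {
    param([string]$Value)
    if (-not $Value.StartsWith('*')) { return $Value }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Value.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Value   # SID that cannot be resolved on this machine: keep raw form
    }
}

function Get-RestrictedGroupEntries {
    param([Parameter(Mandatory)][string[]]$InfLines)

    $inSection = $false
    foreach ($raw in $InfLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if (-not ($line -match '^(.+?)__(Members|Memberof)\s*=\s*(.*)$')) { continue }

        $rawPrincipal = $Matches[1]
        $kind         = $Matches[2]
        $rawTargets   = $Matches[3]

        $principal = Resolve-InfPrincipal $rawPrincipal
        $targets   = @($rawTargets -split ',' | ForEach-Object { $_.Trim() } |
                       Where-Object { $_ -ne '' } | ForEach-Object { Resolve-InfPrincipal $_ })

        if ($kind -eq 'Members') {
            $mode = 'Authoritative'
            $note = if ($targets.Count -eq 0) {
                "local group '$principal' is emptied on every refresh"
            } else {
                "local group '$principal' is rewritten to exactly: $($targets -join ', ')"
            }
        } else {
            $mode = 'Additive'
            $note = if ($targets.Count -eq 0) {
                "no-op (empty Memberof line written by the GPO editor)"
            } else {
                "'$principal' is added to: $($targets -join ', '); other members are kept"
            }
        }

        [pscustomobject]@{ Principal = $principal; Mode = $mode; Targets = $targets; Note = $note }
    }
}

# Constructed sample template (placeholder domain CONTOSO, placeholder group names).
$SampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = CONTOSO\TS-Users
CONTOSO\TS-Admins__Memberof = *S-1-5-32-544
'@ -split '\r?\n'

Get-RestrictedGroupEntries -InfLines $SampleInf | Format-Table Mode, Principal, Note -AutoSize

# Against a real GPO, feed the template from SYSVOL instead of the sample (placeholder path):
# Get-RestrictedGroupEntries -InfLines (Get-Content '\\contoso.com\SYSVOL\contoso.com\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf')
```

On the sample the `*S-1-5-32-555__Members` line is reported as authoritative for BUILTIN\Remote Desktop Users, which is the form that causes surprise when a server also had members added locally; the `CONTOSO\TS-Admins__Memberof` line is reported as additive. This also bears on Vera's later point about differentiating servers: each distinct membership list needs its own template, so its own GPO.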
Guest Vera Noest [MVP]
Posted July 23, 2007
Re: "Allow log on through Terminal Services" in GP: How does it work?

"roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote on 23 jul 2007:

> "Vera Noest [MVP]" wrote
>> Why do you not want to use the group which is especially created to ensure that members receive all the rights and permissions they need?
>
> Because if I do it in GP I only have to do it once for the domain
>
> If I have to add to local groups on each TS it means I have to touch each machine ...

Agreed. But if you bypass the recommended method of: Users in Global groups, Global groups in Local groups, Local group gets permissions, then you will also lose a level of flexibility. It will be impossible to differentiate between the Terminal Servers, i.e. you can not allow only a subset of your users to a subset of your Terminal Servers. And sooner or later, you'll get the need for a dedicated TS with some special program, only for some special users.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*
Guest Vera Noest [MVP]
Posted July 23, 2007
RE: "Allow log on through Terminal Services" in GP: How does it work?

That's not correct, Rob. From the mentioning of the "Remote Desktop Users" group we can deduce that the TS is running 2003. Then you do *not* need the user right to Logon Locally. That was true on W2K, but not on 2003.

And without the proper permissions on the rdp-tcp connection, you won't be able to connect, no matter what Logon user rights you have.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

Rob (Microsoft) <RobMicrosoft@discussions.microsoft.com> wrote on 22 jul 2007:

> Allow logon through terminal Services as well as allow logon locally should let you logon with those users as long as you are running Terminal Server and not remote desktop.
>
> "roga" wrote:
>
>> All I want to do is set a group policy which allows members of an existing security group to log on via RDP without me having to make them members of the local "remote desktop users" group.
>>
>> The group policy "Allow log on through Terminal Services" looks like it should do the job, but I have never managed to get it to work.
>>
>> can someone give me some pointers?
>>
>> regards
>>
>> roga
Guest Roger Abell [MVP]
Posted July 24, 2007
Re: "Allow log on through Terminal Services" in GP: How does it work?

"Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message news:Xns99768D84F7BDCveranoesthemutforsse@207.46.248.16...

> "roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote on 23 jul 2007:
>
>> "Vera Noest [MVP]" wrote
>>> Why do you not want to use the group which is especially created to ensure that members receive all the rights and permissions they need?
>>
>> Because if I do it in GP I only have to do it once for the domain
>>
>> If I have to add to local groups on each TS it means I have to touch each machine ...
>
> Agreed. But if you bypass the recommended method of: Users in Global groups, Global groups in Local groups, Local group gets permissions, then you will also lose a level of flexibility. It will be impossible to differentiate between the Terminal Servers, i.e. you can not allow only a subset of your users to a subset of your Terminal Servers. And sooner or later, you'll get the need for a dedicated TS with some special program, only for some special users.

I do not follow any of that posting. The poster may use Restricted Group definitions on a per-GPO basis to effect membership adjustments to local groups on any selected collection of TS servers. Doing so can add either a domain global or a domain local to the machine local group, and the effect is the same in either case.

I do however agree that there seems no good reason to reinvent the machine local Remote Desktop Users group, and that one in fact would be doing just that, defining a new machine local that is identical in grants to the existing Remote Desktop Users group.

Roger
Guest Roger Abell [MVP]
Posted July 24, 2007
Re: "Allow log on through Terminal Services" in GP: How does it work?

Right on both counts, provided . . .

There are basically two things carried by the Remote Desktop Users group, as you have indicated a couple of times: the user right to log on through TS, and the permissions on the rdp-tcp connectoid.

However, I often recommend that people take control over the Users group on their domain-joined machines, in which case they may have removed Authenticated Users, Domain Users, and/or Interactive from Users and/or from the user rights normally granted to Users. The precise impact would depend on how they have hardened their server. In most all cases, sufficient grants over Windows binaries and temp areas do result if, in this case, the group made a member of the Remote Desktop Users group is also made a member of Users, both of course doable via GPO targeting.

Roger

"Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message news:Xns99768E5EFCDECveranoesthemutforsse@207.46.248.16...

> That's not correct, Rob.
> For the mentioning of the "Remote Desktop Users" group we can deduce that the TS is running 2003. Then you do *not* need the user right to Logon Locally. That was true on W2K, but not on 2003.
>
> And without the proper permissions on the rdp-tcp connection, you won't be able to connect, no matter what Logon user rights you have.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> *----------- Please reply in newsgroup -------------*
>
> Rob (Microsoft) <RobMicrosoft@discussions.microsoft.com> wrote on 22 jul 2007:
>
>> Allow logon through terminal Services as well as allow logon locally should let you logon with those users as long as you are running Terminal Server and not remote desktop.
>>
>> "roga" wrote:
>>
>>> All I want to do is set a group policy which allows members of an existing security group to log on via RDP without me having to make them members of the local "remote desktop users" group.
>>>
>>> The group policy "Allow log on through Terminal Services" looks like it should do the job, but I have never managed to get it to work.
>>>
>>> can someone give me some pointers?
>>>
>>> regards
>>>
>>> roga
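Vera and Roger between them list three things that decide whether a member of a given domain group can actually open an RDP session on a 2003-era Terminal Server: the user right "Allow log on through Terminal Services" (SeRemoteInteractiveLogonRight), the permissions on the RDP-Tcp connection, and, on a hardened build, membership of the local Users group. The PowerShell audit below is an added example, not code from any poster in this thread; it collects all three from each server so a misconfigured member of the farm shows up before a user reports "access denied". It assumes PowerShell remoting to the servers, local administrator rights (secedit needs them), Windows PowerShell 5.1 or later for Get-LocalGroupMember, and the Terminal Services WMI provider (Win32_TSAccount in root\cimv2\TerminalServices) for the listener permissions. The host names ts01/ts02 and the group CONTOSO\TS-Users are constructed placeholders.

```powershell
# Added example, not code from any poster in this thread.
# For each Terminal Server, report what decides an RDP logon for $ExpectedGroup:
#   1. membership of local "Remote Desktop Users" (and, per Roger's hardening
#      caveat, membership of local "Users"),
#   2. the user right SeRemoteInteractiveLogonRight ("Allow log on through
#      Terminal Services"), read from a secedit export,
#   3. the accounts holding permissions on the RDP-Tcp listener (Win32_TSAccount).
# Assumptions: PowerShell remoting, local admin rights, Windows PowerShell 5.1+.
# Host names and the group name are placeholders.

$Servers       = @('ts01', 'ts02')          # placeholder Terminal Server names
$ExpectedGroup = 'CONTOSO\TS-Users'         # placeholder domain group

$audit = {
    param([string]$ExpectedGroup)

    $rdu   = @(Get-LocalGroupMember -Group 'Remote Desktop Users' | ForEach-Object Name)
    $users = @(Get-LocalGroupMember -Group 'Users' | ForEach-Object Name)

    # secedit writes a UTF-16 INF with a BOM, which Get-Content honours.
    $inf = Join-Path $env:TEMP "rights-$PID.inf"
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rightLine = Get-Content $inf |
        Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue

    # Entries look like "*S-1-5-32-544,*S-1-5-32-555"; translate SIDs to names.
    $holders = @()
    if ($rightLine -and ($rightLine -match '=\s*(.*)$')) {
        $holders = @($Matches[1] -split ',' | ForEach-Object {
            $v = $_.Trim()
            if ($v.StartsWith('*')) {
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))).
                        Translate([System.Security.Principal.NTAccount]).Value
                } catch { $v }
            } else { $v }
        })
    }

    # Accounts with an entry on the RDP-Tcp connection (the "permissions tab" Vera mentions).
    $rdpTcp = @(Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSAccount `
                -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue |
                ForEach-Object AccountName)

    # The right is held directly, or through BUILTIN\Remote Desktop Users when the
    # group is a member of it and that built-in group still holds the right.
    $viaRdu = ($holders -contains 'BUILTIN\Remote Desktop Users') -and ($rdu -contains $ExpectedGroup)

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        InRemoteDesktopUsers = $rdu -contains $ExpectedGroup
        InUsers              = $users -contains $ExpectedGroup
        HasTsLogonRight      = ($holders -contains $ExpectedGroup) -or $viaRdu
        RdpTcpAccounts       = $rdpTcp -join '; '
    }
}

$results = Invoke-Command -ComputerName $Servers -ScriptBlock $audit -ArgumentList $ExpectedGroup
$results | Format-Table Computer, InRemoteDesktopUsers, InUsers, HasTsLogonRight, RdpTcpAccounts -AutoSize

# Servers on which the group would still be refused an RDP logon:
$results | Where-Object { -not ($_.InRemoteDesktopUsers -and $_.HasTsLogonRight) } | ForEach-Object Computer
```

The RdpTcpAccounts column only lists who has an entry on the listener; a server where the group is in Remote Desktop Users but that built-in group has been removed from the RDP-Tcp permissions will show up there as a missing "BUILTIN\Remote Desktop Users" entry, which is exactly the case Vera describes in which the user right alone does not let anyone connect.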
Guest Vera Noest [MVP]
Posted July 24, 2007
Re: "Allow log on through Terminal Services" in GP: How does it work?

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote on 24 jul 2007 in microsoft.public.windows.terminal_services:

> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message news:Xns99768D84F7BDCveranoesthemutforsse@207.46.248.16...
>> "roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote on 23 jul 2007:
>>
>>> "Vera Noest [MVP]" wrote
>>>> Why do you not want to use the group which is especially created to ensure that members receive all the rights and permissions they need?
>>>
>>> Because if I do it in GP I only have to do it once for the domain
>>>
>>> If I have to add to local groups on each TS it means I have to touch each machine ...
>>
>> Agreed. But if you bypass the recommended method of: Users in Global groups, Global groups in Local groups, Local group gets permissions, then you will also lose a level of flexibility. It will be impossible to differentiate between the Terminal Servers, i.e. you can not allow only a subset of your users to a subset of your Terminal Servers. And sooner or later, you'll get the need for a dedicated TS with some special program, only for some special users.
>
> I do not follow any of that posting. The poster may use Restricted Group definitions on a per GPO basis to effect membership adjustments to local groups on any selected collection of TS servers. Doing so can add either a domain global or a domain local to the machine local group, and the effect is the same in either case.
>
> I do however agree that there seems no good reason to reinvent the machine local Remote Desktop Users group, and that one in fact would be doing just that, defining a new machine local that is identical in grants as the existing Remote Desktop Users group
>
> Roger

But the OP wanted to assign all necessary user rights and permissions in one big sweep (a single domain-wide GPO). I agree that populating the Remote Desktop Users group through GPOs is a very efficient way of doing it, but if/when you need to differentiate between Terminal Servers, the OP would still need to use multiple GPOs.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
Guest roga
Posted July 24, 2007
Re: "Allow log on through Terminal Services" in GP: How does it work?

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message news:Xns9977E840D4062veranoesthemutforsse@207.46.248.16...

> But the OP wanted to assign all necessary user rights and permissions in one big sweep (a single domain-wide GPO).

No I didn't, Vera. I said nothing about which OUs I was going to assign the GPO to. (Although I can see why you took it that way.)

> I agree that populating the Remote Desktop Users group through GPOs is a very efficient way of doing it, but if/when you need to differentiate between Terminal Servers, the OP would still need to use multiple GPOs.

I would need one GPO and enable it for whatever OUs and security groups necessary, wouldn't I?

regards
roga
Guest Vera Noest [MVP]
Posted July 25, 2007
Re: "Allow log on through Terminal Services" in GP: How does it work?

"roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote on 24 jul 2007 in microsoft.public.windows.terminal_services:

> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message news:Xns9977E840D4062veranoesthemutforsse@207.46.248.16...
>>
>> But the OP wanted to assign all necessary user rights and permissions in one big sweep (a single domain-wide GPO).
>
> No I didn't Vera, I said nothing about which OU's I was going to assign the GPO to. (Although I can see why you took it that way)
>
>> I agree that populating the Remote Desktop Users group through GPOs is a very efficient way of doing it, but if/when you need to differentiate between Terminal Servers, the OP would still need to use multiple GPOs.
>
> I would need one GPO and enable it for whatever OU's and security groups necessary, wouldnt I?

Not if you need to differentiate between Terminal Servers, which was the only thing I wanted to point out from the beginning: you try to use a shortcut now, but be aware that it could bite you later.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___