Initial Rights Setup for TS

[Guest ricdu]

I have a Terminal Services setup running on the domain controller. Everthing

is OK logging on as administrator, but when I try to use my AD user account,

I get the message "To log on to the remote computer, you must be granted the

Allow logon through Terminal Services right" I cannot logon, even though that

right appears to be set correctly in the Remote Desktop Users profile.

 

What can I do to get past this problem?

[Guest Bart Van Vugt]

RE: Initial Rights Setup for TS

 

You can add the user to the remote desktop users group. Users of this group

have the right to log on to TS. It's absolutely not recommended to enable

terminal services on a domain controller.

 

"ricdu" wrote:

> I have a Terminal Services setup running on the domain controller. Everthing

> is OK logging on as administrator, but when I try to use my AD user account,

> I get the message "To log on to the remote computer, you must be granted the

> Allow logon through Terminal Services right" I cannot logon, even though that

> right appears to be set correctly in the Remote Desktop Users profile.

>

> What can I do to get past this problem?

[Guest ricdu]

RE: Initial Rights Setup for TS

 

The users are already in the Remote Desktop Users group, but that hasn't had

any effect.

 

I have seen several references to having TS in the DC, some in favor some

against. Your thoughts?

 

"Bart Van Vugt" wrote:

> You can add the user to the remote desktop users group. Users of this group

> have the right to log on to TS. It's absolutely not recommended to enable

> terminal services on a domain controller.

>

> "ricdu" wrote:

>

> > I have a Terminal Services setup running on the domain controller. Everthing

> > is OK logging on as administrator, but when I try to use my AD user account,

> > I get the message "To log on to the remote computer, you must be granted the

> > Allow logon through Terminal Services right" I cannot logon, even though that

> > right appears to be set correctly in the Remote Desktop Users profile.

> >

> > What can I do to get past this problem?

[Guest Bart Van Vugt]

RE: Initial Rights Setup for TS

 

I prefer to have a dedicated TS.

 

"ricdu" wrote:

> The users are already in the Remote Desktop Users group, but that hasn't had

> any effect.

>

> I have seen several references to having TS in the DC, some in favor some

> against. Your thoughts?

>

> "Bart Van Vugt" wrote:

>

> > You can add the user to the remote desktop users group. Users of this group

> > have the right to log on to TS. It's absolutely not recommended to enable

> > terminal services on a domain controller.

> >

> > "ricdu" wrote:

> >

> > > I have a Terminal Services setup running on the domain controller. Everthing

> > > is OK logging on as administrator, but when I try to use my AD user account,

> > > I get the message "To log on to the remote computer, you must be granted the

> > > Allow logon through Terminal Services right" I cannot logon, even though that

> > > right appears to be set correctly in the Remote Desktop Users profile.

> > >

> > > What can I do to get past this problem?

[Guest Patrick Rouse]

RE: Initial Rights Setup for TS

 

You MUST addign these users the logon locally right via the Default Domain

Controllers Security Policy in GPMC if the TS is a Domain Controller. This

allows these users to be able to logon interactively to any DC in the domain,

which is absolutely a security risk in most environments.

 

 

--

Patrick C. Rouse

Microsoft MVP - Terminal Server

Provision Networks VIP

Citrix Technology Professional

President - Session Computing Solutions, LLC

http://www.sessioncomputing.com

 

 

 

"Bart Van Vugt" wrote:

> I prefer to have a dedicated TS.

>

> "ricdu" wrote:

>

> > The users are already in the Remote Desktop Users group, but that hasn't had

> > any effect.

> >

> > I have seen several references to having TS in the DC, some in favor some

> > against. Your thoughts?

> >

> > "Bart Van Vugt" wrote:

> >

> > > You can add the user to the remote desktop users group. Users of this group

> > > have the right to log on to TS. It's absolutely not recommended to enable

> > > terminal services on a domain controller.

> > >

> > > "ricdu" wrote:

> > >

> > > > I have a Terminal Services setup running on the domain controller. Everthing

> > > > is OK logging on as administrator, but when I try to use my AD user account,

> > > > I get the message "To log on to the remote computer, you must be granted the

> > > > Allow logon through Terminal Services right" I cannot logon, even though that

> > > > right appears to be set correctly in the Remote Desktop Users profile.

> > > >

> > > > What can I do to get past this problem?

[Guest Vera Noest [MVP]]

RE: Initial Rights Setup for TS

 

It is absolutely *not* recommended to run TS on your DC, for both

security and performance reasons.

You will have users logged on to you DC and using it as their

personal workstation. That's normally not how you like to treat the

most important server in your domain!

 

For this reason, normal users can't logon to a TS on a DC, even

when they are members of the Remote Desktop Users group. You will

also have to modify the Default Domain Controllers Policy, and

configure this setting:

 

Computer Configuration - Windows Settings - Security Settings -

Local Policies

- User rights Assignment

"Allow log on through Terminal Services"

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?QmFydCBWYW4gVnVndA==?=

<BartVanVugt@discussions.microsoft.com> wrote on 10 dec 2007 in

microsoft.public.windows.terminal_services:

> I prefer to have a dedicated TS.

>

> "ricdu" wrote:

>

>> The users are already in the Remote Desktop Users group, but

>> that hasn't had any effect.

>>

>> I have seen several references to having TS in the DC, some in

>> favor some against. Your thoughts?

>>

>> "Bart Van Vugt" wrote:

>>

>> > You can add the user to the remote desktop users group. Users

>> > of this group have the right to log on to TS. It's absolutely

>> > not recommended to enable terminal services on a domain

>> > controller.

>> >

>> > "ricdu" wrote:

>> >

>> > > I have a Terminal Services setup running on the domain

>> > > controller. Everthing is OK logging on as administrator,

>> > > but when I try to use my AD user account, I get the message

>> > > "To log on to the remote computer, you must be granted the

>> > > Allow logon through Terminal Services right" I cannot

>> > > logon, even though that right appears to be set correctly

>> > > in the Remote Desktop Users profile.

>> > >

>> > > What can I do to get past this problem?

[Guest ricdu]

RE: Initial Rights Setup for TS

 

The rights are established both on the Default Domain controller Security

Policy and the Terminal Services Policy. That's what is confounding.

 

Users are being directed to servers other than the DC for application support.

 

"Patrick Rouse" wrote:

> You MUST addign these users the logon locally right via the Default Domain

> Controllers Security Policy in GPMC if the TS is a Domain Controller. This

> allows these users to be able to logon interactively to any DC in the domain,

> which is absolutely a security risk in most environments.

>

>

> --

> Patrick C. Rouse

> Microsoft MVP - Terminal Server

> Provision Networks VIP

> Citrix Technology Professional

> President - Session Computing Solutions, LLC

> http://www.sessioncomputing.com

>

>

>

> "Bart Van Vugt" wrote:

>

> > I prefer to have a dedicated TS.

> >

> > "ricdu" wrote:

> >

> > > The users are already in the Remote Desktop Users group, but that hasn't had

> > > any effect.

> > >

> > > I have seen several references to having TS in the DC, some in favor some

> > > against. Your thoughts?

> > >

> > > "Bart Van Vugt" wrote:

> > >

> > > > You can add the user to the remote desktop users group. Users of this group

> > > > have the right to log on to TS. It's absolutely not recommended to enable

> > > > terminal services on a domain controller.

> > > >

> > > > "ricdu" wrote:

> > > >

> > > > > I have a Terminal Services setup running on the domain controller. Everthing

> > > > > is OK logging on as administrator, but when I try to use my AD user account,

> > > > > I get the message "To log on to the remote computer, you must be granted the

> > > > > Allow logon through Terminal Services right" I cannot logon, even though that

> > > > > right appears to be set correctly in the Remote Desktop Users profile.

> > > > >

> > > > > What can I do to get past this problem?

[Guest Lanwench [MVP - Exchange]]

Re: Initial Rights Setup for TS

 

ricdu <ricdu@discussions.microsoft.com> wrote:

> The users are already in the Remote Desktop Users group, but that

> hasn't had any effect.

>

> I have seen several references to having TS in the DC, some in favor

> some against. Your thoughts?

 

There is *never* a good enough reason to run TS on a DC, sorry. A DC has

remote desktop, which is all an admin would need - it's not for users. Would

you want your users walking up to a DC's console & logging in there? You

shouldn't, for reasons of security - and you shouldn't install "desktop"

apps on a DC. I think a TS should do nothing else, period.

>

> "Bart Van Vugt" wrote:

>

>> You can add the user to the remote desktop users group. Users of

>> this group have the right to log on to TS. It's absolutely not

>> recommended to enable terminal services on a domain controller.

>>

>> "ricdu" wrote:

>>

>>> I have a Terminal Services setup running on the domain controller.

>>> Everthing is OK logging on as administrator, but when I try to use

>>> my AD user account, I get the message "To log on to the remote

>>> computer, you must be granted the Allow logon through Terminal

>>> Services right" I cannot logon, even though that right appears to

>>> be set correctly in the Remote Desktop Users profile.

>>>

>>> What can I do to get past this problem?

[Guest ricdu]

Re: Initial Rights Setup for TS

 

I have moved Terminal Services to another server that will run that

exclusively. Howeever, I am still getting the message "To log on to the

remote computer, you must be granted the Allow logon through Terminal

Services right" I cannot logon, even though that right appears to be set

correctly in the Remote Desktop Users profile.

 

 

 

"Lanwench [MVP - Exchange]" wrote:

> ricdu <ricdu@discussions.microsoft.com> wrote:

> > The users are already in the Remote Desktop Users group, but that

> > hasn't had any effect.

> >

> > I have seen several references to having TS in the DC, some in favor

> > some against. Your thoughts?

>

> There is *never* a good enough reason to run TS on a DC, sorry. A DC has

> remote desktop, which is all an admin would need - it's not for users. Would

> you want your users walking up to a DC's console & logging in there? You

> shouldn't, for reasons of security - and you shouldn't install "desktop"

> apps on a DC. I think a TS should do nothing else, period.

>

> >

> > "Bart Van Vugt" wrote:

> >

> >> You can add the user to the remote desktop users group. Users of

> >> this group have the right to log on to TS. It's absolutely not

> >> recommended to enable terminal services on a domain controller.

> >>

> >> "ricdu" wrote:

> >>

> >>> I have a Terminal Services setup running on the domain controller.

> >>> Everthing is OK logging on as administrator, but when I try to use

> >>> my AD user account, I get the message "To log on to the remote

> >>> computer, you must be granted the Allow logon through Terminal

> >>> Services right" I cannot logon, even though that right appears to

> >>> be set correctly in the Remote Desktop Users profile.

> >>>

> >>> What can I do to get past this problem?

>

>

>

>