Running TS on DC - RDP question

[Guest compsosinc@gmail.com]

I know,this is not accepted practice but I am trying something for

experimental purposes because it may be implemented on a real network

in the future.

 

I have a Windows 2003 Server St. Ed (no SP1) running as a DC and I

installed Terminal Server on it --currently without a Licensing Server

installed. I have an XP Pro client PC added to the domain and User

added called "TestUser1" in the AD. This user is currently a member of

the Domain Users & Remote Desktop Users groups. Are these the only

groups this user needs to be a member of to successfully connect to

the DC/TS using RDC?

 

Based on some research, there seems to be a question about making the

user a member of the "local" Remote Desktop Users group on the XP

Client vs just within the AD.

 

Thanks!

[Guest Ratnesh Yadav [MSFT]]

Re: Running TS on DC - RDP question

 

If TS is installed on a DC (Domain Controller), then one need to be member

of "Domain Admins" group on AD, in order to be able to connect to the DC

machine. Just being a member of "Remote Desktop User" group on DC will not

be sufficient.

 

 

<compsosinc@gmail.com> wrote in message

news:8214443c-0387-4bc7-932e-9c7c5f3886f1@h11g2000prf.googlegroups.com...

> I know,this is not accepted practice but I am trying something for

> experimental purposes because it may be implemented on a real network

> in the future.

>

> I have a Windows 2003 Server St. Ed (no SP1) running as a DC and I

> installed Terminal Server on it --currently without a Licensing Server

> installed. I have an XP Pro client PC added to the domain and User

> added called "TestUser1" in the AD. This user is currently a member of

> the Domain Users & Remote Desktop Users groups. Are these the only

> groups this user needs to be a member of to successfully connect to

> the DC/TS using RDC?

>

> Based on some research, there seems to be a question about making the

> user a member of the "local" Remote Desktop Users group on the XP

> Client vs just within the AD.

>

> Thanks!

[Guest Dragos CAMARA]

RE: Running TS on DC - RDP question

 

hi,

on a DC there are no "local groups", all of them are domain groups. So to

connect to TS on a DC the users have to be domain users and member of domain

remote desktop users.

You have to check on that DC on Terminal Services Configuration, the rdp-tcp

permissions if are modified.

--

Dragos CAMARA

MCSA Windows 2003 server

 

 

"compsosinc@gmail.com" wrote:

> I know,this is not accepted practice but I am trying something for

> experimental purposes because it may be implemented on a real network

> in the future.

>

> I have a Windows 2003 Server St. Ed (no SP1) running as a DC and I

> installed Terminal Server on it --currently without a Licensing Server

> installed. I have an XP Pro client PC added to the domain and User

> added called "TestUser1" in the AD. This user is currently a member of

> the Domain Users & Remote Desktop Users groups. Are these the only

> groups this user needs to be a member of to successfully connect to

> the DC/TS using RDC?

>

> Based on some research, there seems to be a question about making the

> user a member of the "local" Remote Desktop Users group on the XP

> Client vs just within the AD.

>

> Thanks!

>

[Guest compsosinc@gmail.com]

Re: Running TS on DC - RDP question

 

On Jan 3, 6:48 am, Dragos CAMARA <drago...@remove-this.hotmail.com>

wrote:

> hi,

> on a DC there are no "local groups", all of them are domain groups. So to

> connect to TS on a DC the users have to be domain users and member of domain

> remote desktop users.

> You have to check on that DC on Terminal Services Configuration, the rdp-tcp

> permissions if are modified.

> --

> Dragos CAMARA

> MCSA Windows 2003 server

>

>

>

> "compsos...@gmail.com" wrote:

> > I know,this is not accepted practice but I am trying something for

> > experimental purposes because it may be implemented on a real network

> > in the future.

>

> > I have a Windows 2003 Server St. Ed (no SP1) running as a DC and I

> > installed Terminal Server on it --currently without a Licensing Server

> > installed. I have an XP Pro client PC added to the domain and User

> > added called "TestUser1" in the AD. This user is currently a member of

> > the Domain Users & Remote Desktop Users groups. Are these the only

> > groups this user needs to be a member of to successfully connect to

> > the DC/TS using RDC?

>

> > Based on some research, there seems to be a question about making the

> > user a member of the "local" Remote Desktop Users group on the XP

> > Client vs just within the AD.

>

> > Thanks!- Hide quoted text -

>

> - Show quoted text -

 

Thank you both. When trying to login, as member of "Domain Users" and

"Remote Desktop Users", we get the error similar to "Local policy

does not allow logon interactively". We added the Remote Desktop Users

group to "Allow Logon to Terminal Services" in the Default Domain

Controller Security Policy and we could logon. We did not need to make

the user a member of the Domain Admins group -however if we had, maybe

we would not need to modify the Security Policy? I would rather not

have users as Domain Admins -I think?

 

Thanks again.

[Guest Vera Noest [MVP]]

Re: Running TS on DC - RDP question

 

compsosinc@gmail.com wrote on 03 jan 2008:

> On Jan 3, 6:48 am, Dragos CAMARA

> <drago...@remove-this.hotmail.com> wrote:

>> hi,

>> on a DC there are no "local groups", all of them are domain

>> groups. So to connect to TS on a DC the users have to be domain

>> users and member of doma

> in

>> remote desktop users.

>> You have to check on that DC on Terminal Services

>> Configuration, the rdp-t

> cp

>> permissions if are modified.

>> --

>> Dragos CAMARA

>> MCSA Windows 2003 server

>>

>>

>>

>> "compsos...@gmail.com" wrote:

>> > I know,this is not accepted practice but I am trying

>> > something for experimental purposes because it may be

>> > implemented on a real network in the future.

>>

>> > I have a Windows 2003 Server St. Ed (no SP1) running as a DC

>> > and I installed Terminal Server on it --currently without a

>> > Licensing Server installed. I have an XP Pro client PC added

>> > to the domain and User added called "TestUser1" in the AD.

>> > This user is currently a member of the Domain Users & Remote

>> > Desktop Users groups. Are these the only groups this user

>> > needs to be a member of to successfully connect to the DC/TS

>> > using RDC?

>>

>> > Based on some research, there seems to be a question about

>> > making the user a member of the "local" Remote Desktop Users

>> > group on the XP Client vs just within the AD.

>>

>> > Thanks!- Hide quoted text -

>>

>> - Show quoted text -

>

> Thank you both. When trying to login, as member of "Domain

> Users" and "Remote Desktop Users", we get the error similar to

> "Local policy does not allow logon interactively". We added the

> Remote Desktop Users group to "Allow Logon to Terminal Services"

> in the Default Domain Controller Security Policy and we could

> logon. We did not need to make the user a member of the Domain

> Admins group -however if we had, maybe we would not need to

> modify the Security Policy? I would rather not have users as

> Domain Admins -I think?

>

> Thanks again.

 

That's correct, there is no need for users to be members of the

Domain Admins group.

It's better to only give them the "Allow Logon to Terminal

Services" right in the Default Domain Controller Security Policy

than to make them Domain Admins. That would really be a nightmare

scenario!

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

*----------- Please reply in newsgroup -------------*

[Guest Vera Noest [MVP]]

Re: Running TS on DC - RDP question

 

It is *not* needed to make users members of the Domain Admins

group! That would be a real nightmare situation.

 

Besides making them members of the domain-local Remote Desktop

Users group in AD, they also need the "Allow Logon to Terminal

Services" right in the Default Domain Controller Security Policy.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

*----------- Please reply in newsgroup -------------*

 

"Ratnesh Yadav [MSFT]" <ratneshyadav@hotmail.com> wrote on 03 jan

2008:

> If TS is installed on a DC (Domain Controller), then one need to

> be member of "Domain Admins" group on AD, in order to be able to

> connect to the DC machine. Just being a member of "Remote

> Desktop User" group on DC will not be sufficient.

>

>

> <compsosinc@gmail.com> wrote in message

> news:8214443c-0387-4bc7-932e-9c7c5f3886f1@h11g2000prf.googlegroup

> s.com...

>> I know,this is not accepted practice but I am trying something

>> for experimental purposes because it may be implemented on a

>> real network in the future.

>>

>> I have a Windows 2003 Server St. Ed (no SP1) running as a DC

>> and I installed Terminal Server on it --currently without a

>> Licensing Server installed. I have an XP Pro client PC added to

>> the domain and User added called "TestUser1" in the AD. This

>> user is currently a member of the Domain Users & Remote Desktop

>> Users groups. Are these the only groups this user needs to be a

>> member of to successfully connect to the DC/TS using RDC?

>>

>> Based on some research, there seems to be a question about

>> making the user a member of the "local" Remote Desktop Users

>> group on the XP Client vs just within the AD.

>>

>> Thanks!