Discussion: RDP onto DCs with non-admin accounts
GrahamC
2005-07-12 07:28:03 UTC
I'm having some fun and games getting non-admin accounts to be able to RDP
onto my DCs. Scenario as follows:

Windows Server 2003 forest, raised to 2003 functional level.

User is using a secondary logon account, which is a member of
"Builtin\Remote Desktop Users" and has the User Right "Log on locally"
assigned via the "Default Domain Controllers Policy"

Ordinarily this works fine (well it does in both my test forests) but in the
Production Forest there are 4 DCs which won't accept the logon.

I've checked and all policies are in synch (checked using GPOTOOL across
Sysvol and the AD) and DCDIAG reports no problems. Nothing useful is
appearing in the event log.

When the user is denied logon to my errant DCs he gets "The local policy of
the system won't allow you to logon interactively"; however this user account
can connect via the iLO board and logon to the console so they clearly can!

The RDP permissions are set to normal, ie "Builtin\RemoteDesktopUsers" have
User and Guest access.

I'm clearly missing something but I don't know what! Any guidance would be
gratefully received.
GrahamC
2005-07-12 07:37:02 UTC
Meant to add that this doesn't appear to be policy related - if I explicitly
add the user into the RDP permissions then they can logon fine. If I rely on
membership of "Built-in\Remote Desktop Users" (which also has appropriate
permissions for RDP) then the logon fails.
Paul Williams [MVP]
2005-07-12 09:51:11 UTC
Are these DCs in a different OU to the default?

Logon to a machine, install the support tools and type: WHOAMI /GROUPS

Sounds like authentication problems somewhere. Otherwise, errant GPO
settings.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
GrahamC
2005-07-12 10:52:02 UTC
Hi,
Thanks for the reply.

All the DCs are in the default OU.

I can't see anything obvious coming from WHOAMI; it dumps the access token
ok and shows that you're a member of "Remote Interactive Logon".

What's really throwing me is the idea that if I give the users permissions
for the RDP protocol via a custom group through "Terminal Services
Configuration" they can logon. If I rely on the built-in group "Remote
Desktop Users" then they fail. Both groups have identical RDP permissions, so
this points to a deny/enumeration hiccup elsewhere.

I've run DSREVOKE against "Remote Desktop Users" and it shows no other ACEs
in the AD for that group; only the "Default Domain Policy" and the "Default
Domain Controllers Policy" are applying and there are no settings referring
to "Remote Desktop Users".

Any suggestion as to how I might track this fella down?

Cheers

Graham
GrahamC
2005-07-12 10:55:03 UTC
I've also now run DCGPOFIX to reset the default policies to out of the box -
still no joy!
Paul Williams [MVP]
2005-07-12 11:02:06 UTC
Grant the RDP Users group logon locally right via the DDC GPO.

Then see what happens.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
GrahamC
2005-07-13 08:02:09 UTC
Hi,
Thanks for your help. Like a number of things in life, it's easy when you
know how! To configure non-admin RDP access onto your DCs these are the steps
to follow:

- Create a group to handle the remote connection people, eg "Logon remotely
to DC"
- Create a group to handle the logon interactive people, eg "Logon locally
to DC"
- Add "Logon remotely to DC" to "Built-in\Remote Desktop Users"
- Within the "Default Domain Controller" policy assign the logon locally
user right to the "Logon locally to DC" group
- Within the "Default Domain Controller" policy assign the "Allow Log On
Through Terminal Services" right to "Administrators" and "Remote Desktop
Users"

Now, non-admin users should be able to connect to DCs both via RDP and
locally - of course they still can't do anything once they get there unless
you give them the privilege!!

Oh, and remember that to do the same for Member Servers things are a great
deal easier because there is no need to grant the user rights to the chosen
groups.

Cheers

Graham
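An added example, not code from the thread: it parses the [Privilege Rights] section of a security template (the format of a GPO's GptTmpl.inf or of a `secedit /export /cfg` dump) and checks whether a token holding given group SIDs passes the "Allow log on through Terminal Services" (SeRemoteInteractiveLogonRight) check that the last step of the procedure above fixes. The template text, the token groups and the `fix_template` helper are constructed for illustration; the well-known SIDs of Administrators and Remote Desktop Users are real.

```python
"""Audit the [Privilege Rights] section of a security template (the format of a
GPO's GptTmpl.inf or a `secedit /export /cfg` dump) for the RDP logon right."""
import re

# Well-known SIDs of the built-in groups discussed in the thread.
ADMINISTRATORS = "S-1-5-32-544"
REMOTE_DESKTOP_USERS = "S-1-5-32-555"

# Constructed sample of the "before" state: "Allow log on locally" is granted to
# Remote Desktop Users, but "Allow log on through Terminal Services" is not.
BROKEN_TEMPLATE = """
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight =
"""

def parse_privilege_rights(template):
    """Return {right_name: set of SIDs or names} from [Privilege Rights]."""
    rights, in_section = {}, False
    for line in template.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # Comma-separated principals; a leading '*' marks a SID, names appear bare.
            rights[name.strip()] = {t.strip().lstrip("*") for t in value.split(",") if t.strip()}
    return rights

def rdp_logon_allowed(rights, token_groups):
    """Decide the Terminal Services logon-right check for a token holding these SIDs.
    A Deny entry always wins; with no Allow entry the user sees "The local policy
    of this system does not permit you to logon interactively" (the thread's symptom)."""
    groups = set(token_groups)
    if groups & rights.get("SeDenyRemoteInteractiveLogonRight", set()):
        return False
    return bool(groups & rights.get("SeRemoteInteractiveLogonRight", set()))

def fix_template(template):
    """Apply the thread's last step: grant SeRemoteInteractiveLogonRight to
    Administrators and Remote Desktop Users, replacing the existing line."""
    line = "SeRemoteInteractiveLogonRight = *%s,*%s" % (ADMINISTRATORS, REMOTE_DESKTOP_USERS)
    return re.sub(r"^SeRemoteInteractiveLogonRight\s*=.*$", line, template, flags=re.M)
```

Run `secedit /export /cfg out.inf` on a DC (or open the DDC policy's GptTmpl.inf in SYSVOL) and feed that text to `parse_privilege_rights` to audit the real policy; the domain groups from the procedure above then show up by their domain SIDs in the same sets.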
Paul Williams [MVP]
2005-07-13 10:05:02 UTC
No problem. Glad you got it sorted out.

Good follow up!
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net