
Can domain users RDP to domain controllers?


Domon

Jan 11, 2010, 4:29:59 AM

Hi guys

Can I check with you guys whether by default a domain user can RDP to a
domain controller? I tried putting the account into the Remote Desktop
Users group, which has the "allow logon via terminal services" right. I also
granted it the "allow logon locally" right. But while I am able to log on
to the DC locally with that account, I am not able to RDP into it.

Are only domain admins able to RDP to a DC?

Regards


--
Domon
------------------------------------------------------------------------
Domon's Profile: http://forums.techarena.in/members/48096.htm
View this thread: http://forums.techarena.in/active-directory/1292003.htm

http://forums.techarena.in

Meinolf Weber [MVP-DS]

Jan 11, 2010, 6:24:25 AM

Hello Domon,

By default domain users are not allowed to logon to a DC. And this shouldn't
be changed, a DC is the heart of the domain. Why should they be able to logon
to it?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi guys
>
> Can I check with you guys whether by default a domain user can RDP to a
> domain controller? I tried putting the account into the Remote Desktop
> Users group, which has the "allow logon via terminal services" right. I also
> granted it the "allow logon locally" right. But while I am able to log
> on to the DC locally with that account, I am not able to RDP into it.
>
> Are only domain admins able to RDP to a DC?
>
> Regards
>

> http://forums.techarena.in
>


Paul Bergson [MVP-DS]

Jan 11, 2010, 8:34:43 AM
By default, domain users shouldn't be able to remote logon (RDP) to DCs or
servers.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This


posting is provided "AS IS" with no warranties, and confers no rights.

"Domon" <Domon....@DoNotSpam.com> wrote in message
news:Domon....@DoNotSpam.com...

Domon

Jan 11, 2010, 9:29:17 AM

Hi Guys

Really thanks for the prompt reply.

Actually, there is an application installed on this DC and the
application team wants a normal user account with permission just enough
to administer the application. So, I am thinking of giving them a domain
user account and granting them enough permission to perform their
administration, probably granting the account full control on the
application-related folders (located separately from the system drive).
I wonder, is there a better solution?

Does promoting a server to a DC result in domain users not being able to
remote logon (RDP) to the node?

Paul Bergson [MVP-DS]

Jan 11, 2010, 11:05:01 AM
Let's stay with the first error and move on once that is resolved, or open up
a separate thread on the SBS NewsGroup.

So could you provide previous info requested?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Domon" <Domon....@DoNotSpam.com> wrote in message
news:Domon....@DoNotSpam.com...
>

Ace Fekay [MVP-DS, MCT]

Jan 11, 2010, 12:39:17 PM

"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
news:OkUIXftk...@TK2MSFTNGP02.phx.gbl...

> Let's stay with the first error and move on once that is resolved, or open
> up a separate thread on the SBS NewsGroup.
>
> So could you provide previous info requested?
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>


Paul, is this machine an SBS box? Looking back in this thread, I couldn't
find that info.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.


Ace Fekay [MVP-DS, MCT]

Jan 11, 2010, 12:44:37 PM
"Domon" <Domon....@DoNotSpam.com> wrote in message
news:Domon....@DoNotSpam.com...
>
> Hi guys
>
> Can I check with you guys whether by default a domain user can RDP to a
> domain controller? I tried putting the account into the Remote Desktop
> Users group, which has the "allow logon via terminal services" right. I also
> granted it the "allow logon locally" right. But while I am able to log on
> to the DC locally with that account, I am not able to RDP into it.
>
> Are only domain admins able to RDP to a DC?
>
> Regards


As Paul and Meinolf mentioned, by default Domain Users are not permitted to
logon on to a DC.

If you really need them to logon, they also need Interactive rights. That is
done manually by running the following command:

ntrights -u Users +r SeInteractiveLogonRight
or
ntrights -u TheUser'sAccountName +r SeInteractiveLogonRight

You will need the ntrights.exe from the resource kit installed to run it.

HOWEVER, I recommend putting the app on a non-DC. And yes, to answer your
other question, when you promote a machine to a DC, this security does go
into effect.
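The posts above name the two rights by their constant names; a practitioner wants to see who actually holds them on the DC in question. The script below is an added example, not code from this thread or from any of the posters. It exports the machine's effective user rights assignments with secedit.exe (which ships with Windows) and reports the holders of the rights that decide console logon, RDP logon and traverse checking: SeInteractiveLogonRight is "Allow log on locally", SeRemoteInteractiveLogonRight is "Allow log on through Terminal Services" (renamed "...through Remote Desktop Services" on later releases) and SeChangeNotifyPrivilege is "Bypass traverse checking". On a domain controller these are set by the Default Domain Controllers Policy rather than by local membership, so adding an account to Remote Desktop Users only helps if that group is actually listed for the remote interactive right; the export shows what is in effect. Run it from an elevated PowerShell on the DC. The account name in the usage comment is a placeholder.

```powershell
# Added example (not from the thread): who holds the logon-related user rights
# on this machine, read from a secedit.exe export of the effective policy.
# Run elevated on the domain controller you are troubleshooting.

function ConvertTo-AccountName {
    # secedit prefixes SIDs with '*'; translate those to DOMAIN\name and leave
    # plain names (or SIDs that no longer resolve) as they are.
    param([Parameter(Mandatory)][string]$Token)
    if (-not $Token.StartsWith('*')) { return $Token }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Token.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Token
    }
}

function Get-LogonRightHolders {
    [CmdletBinding()]
    param(
        # Allow and Deny rights for console and RDP logon, plus traverse checking.
        [string[]]$Right = @(
            'SeInteractiveLogonRight',
            'SeDenyInteractiveLogonRight',
            'SeRemoteInteractiveLogonRight',
            'SeDenyRemoteInteractiveLogonRight',
            'SeChangeNotifyPrivilege'
        )
    )

    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # The export's [Privilege Rights] section has lines such as
        #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,CONTOSO\someuser
        # A right that nobody holds is omitted from the file entirely.
        $null = & secedit.exe /export /cfg $cfg /areas USER_RIGHTS
        if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit code $LASTEXITCODE)" }
        $lines = Get-Content -LiteralPath $cfg

        foreach ($name in $Right) {
            $line = $lines | Where-Object { $_ -match "^\s*$name\s*=" } | Select-Object -First 1
            $holders = @()
            if ($line) {
                $holders = ($line -split '=', 2)[1] -split ',' |
                    ForEach-Object { $_.Trim() } |
                    Where-Object { $_ } |
                    ForEach-Object { ConvertTo-AccountName $_ }
            }
            [pscustomobject]@{ Right = $name; Holders = @($holders) }
        }
    }
    finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

# Usage: an account such as 'CONTOSO\appadmin' (placeholder) can RDP in only if
# it, or a group it belongs to, appears under SeRemoteInteractiveLogonRight and
# does not appear under SeDenyRemoteInteractiveLogonRight. Group membership is
# not expanded here; compare the listed groups against the account's own.
Get-LogonRightHolders |
    Format-Table Right, @{ n = 'Holders'; e = { $_.Holders -join ', ' } } -AutoSize
```

The same export is the quickest way to confirm whether a hardening template has emptied a right: an empty Holders column for SeChangeNotifyPrivilege means nobody on the box bypasses traverse checking, which is the situation described later in this thread.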

Paul Bergson [MVP-DS]

Jan 11, 2010, 2:15:46 PM
Wrong thread on part of the answer. Sorry they are blurring together.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Ace Fekay [MVP-DS, MCT]" <ace...@mvps.RemoveThisPart.org> wrote in message
news:Ob3RBUuk...@TK2MSFTNGP02.phx.gbl...

Lanwench [MVP - Exchange]

Jan 11, 2010, 3:14:29 PM

On Mon, 11 Jan 2010 19:59:17 +0530, Domon <Domon....@DoNotSpam.com>
wrote:

>
>Hi Guys
>
>Really thanks for the prompt reply.
>
>Actually, there is an application installed on this DC and the
>application team wants a normal user account with permission just enough
>to administer the application. So, I am thinking of giving them a domain
>user account and granting them enough permission to perform their
>administration, probably granting the account full control on the
>application-related folders (located separately from the system drive).
>I wonder, is there a better solution?
>
>Does promoting a server to a DC result in domain users not being able to
>remote logon (RDP) to the node?
>
>Regards


I would be hesitant about this. If possible, move the application OFF
a domain controller onto a member server, even if it's virtual - then
the application support folks can do what they like. You have to open
up too many security holes to allow anyone but a domain admin to log
into a DC.

Ace Fekay [MVP-DS, MCT]

Jan 11, 2010, 3:24:23 PM

"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
news:OBdr8Jvk...@TK2MSFTNGP04.phx.gbl...

> Wrong thread on part of the answer. Sorry they are blurring together.
>

Sometimes they do blur into one big thread! :-)

Cheers!

kj [SBS MVP]

Jan 11, 2010, 3:36:49 PM

Applications don't belong on domain controllers, and standard users
shouldn't be allowed anything but authentication to a DC. (OK, perhaps an
LDAP query, but that's about all.)

--
/kj


Jorge Silva

Jan 11, 2010, 5:47:03 PM
Hi
Assuming that the APP can be remotely accessed, why not administer that App
from another server or workstation?

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Domon" <Domon....@DoNotSpam.com> wrote in message
news:Domon....@DoNotSpam.com...
>

Domon

Jan 12, 2010, 9:46:12 PM

Hi Guys

I know the normal practice is that we should have a dedicated server
for the DC. Probably the apps team did it because they have some
constraints. Anyway, I probably need to ensure I can allow domain users
to RDP to the DC as a last resort in case they don't want to move the
apps.

Is ntrights -u Users +r SeInteractiveLogonRight the same as granting
the right "allow logon locally" in the GPO settings? If yes, then I
think it still has not solved the issue. I think it's likely due to
the hardening template created by our security team.

I tried on a non-hardened DC and it works.

Ace Fekay [MVP-DS, MCT]

Jan 12, 2010, 10:39:32 PM

"Domon" <Domon....@DoNotSpam.com> wrote in message
news:Domon....@DoNotSpam.com...
>
> Hi Guys
>
> I know the normal practice is that we should have a dedicated server
> for the DC. Probably the apps team did it because they have some
> constraints. Anyway, I probably need to ensure I can allow domain users
> to RDP to the DC as a last resort in case they don't want to move the
> apps.
>
> Is ntrights -u Users +r SeInteractiveLogonRight the same as granting
> the right "allow logon locally" in the GPO settings? If yes, then I
> think it still has not solved the issue. I think it's likely due to
> the hardening template created by our security team.
>
> I tried on a non-hardened DC and it works.
>
> Regards


No, they are two separate rights. They would need both assigned to them.
There is nothing in the GUI to assign the interactive rights. If you ask me,
it was a security precaution to not make it easy to assign it.

If there's a hardening template, then we need to know which template
is being used: whether it's one of the secure DC templates available with the OS,
or a custom-made one. If it was a custom template, we'll need to know what's
in the template to ascertain if it is preventing users from connecting.

Ace


Domon

Jan 18, 2010, 3:56:58 AM

Hi Guys

Sorry for the late reply.

I looked through the template and noticed that the "Bypass traverse
checking" right has been removed for all groups and users. I tried
granting the authorized users this right and it works. Once it is
removed, I got a userinit.exe error (The application failed to
initialize properly (0xc0000142)).

The problem is that my security team is not willing to grant the right.
They want us to grant it in folder/file permission instead.

Has anyone done this kind of configuration before?

Regards

Lip Ann

Ace Fekay [MVP-DS, MCT]

Jan 18, 2010, 7:37:33 AM
"Domon" <Domon....@DoNotSpam.com> wrote in message
news:Domon....@DoNotSpam.com...
>
> Hi Guys
>
> Sorry for the late reply.
>
> I looked through the template and noticed that the "Bypass traverse
> checking" right has been removed for all groups and users. I tried
> granting the authorized users this right and it works. Once it is
> removed, I got a userinit.exe error (The application failed to
> initialize properly (0xc0000142)).
>
> The problem is that my security team is not willing to grant the right.
> They want us to grant it in folder/file permission instead.
>
> Has anyone done this kind of configuration before?
>
> Regards
>
> Lip Ann


Not that I know of, other than manually assigning it using ntrights. And it
wouldn't be a file/folder permission. It's one of the *rights* required to
access a domain controller.

Ace

