Chris Leiter

First, make sure that you have remote desktop enabled on your DC.
Secondly, you also need to grant the "Allow Login locally" right to the user group.

But if I may ask, why would you want to allow non-domain admins to log into a domain controller?

Chris

"Jason" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Hi,
>
> I am just wondering how do I allow a user_group without Domain
> Administrators right to logon to a Domain Controller under Remote
> Administration Mode (No Terminal Service installed). I have added the group
> to the "Remote Desktop Users group" but with no luck. Any idea?
>
> Thanks in advance.
>
> Jason
Manny Borges

I log on to several domain controllers remotely that I do not have domain admin rights to. I am doing other tasks, (recently I updated a few dlls to enforce password requirements) as well as light AD administration with a few delegated rights. I have local admin rights to most of them but not all.

In my company we have thousands of servers and use extremely tight controls. The whole least privilege concept.

--
Manny Borges
MCSE NT4-2003 (+ Security)
MCT, Certified Cheese Master

The pen is mightier than the sword, and considerably easier to write with.
-- Marty Feldman
Ken Zhao [MSFT]

Hello Jason,

Thank you for using newsgroup and appreciate Chris and Manny's input!

From your post, you want to grant a user group without Domain Administrators right to logon to a DC for remote administration.

Based on your requirement, I agree with Chris's suggestions. By default, only the local administrators group is assigned the right to log on locally to a server. You can use the Microsoft Management Console Group Policy Editor snap-in to assign "Log on locally" user rights to other users and groups:

Note: If the server is a domain controller (DC), you must give the right on the DC object.

1. Click Start, click Run, and then type gpedit.msc to start the Group Policy Editor snap-in.
2. Double-click the Computer Configuration node, and then double-click the Windows Settings node.
3. Double-click the Security Settings node, and then double-click the Local Policies node.
4. Double-click User Rights Assignment, right-click Log on Locally, and then click Add.
5. Select the user(s) or group(s) that you want to add, and then click OK.
6. Quit the Group Policy Editor snap-in.

References:
===================
220609: How to Assign "Log On Locally" User Rights in Windows 2000
http://support.microsoft.com/default...b;en-us;220609

Granting Log on Locally Rights
<http://www.microsoft.com/resources/d.../server/reskit/en-us/iisbook/c08_granting_log_on_locally_rights.asp>

Permit users to log on locally to a domain controller: Security Configuration Editor
http://www.microsoft.com/technet/pro.../library/ServerHelp/F8045387-AB2E-4E19-AAFA-55880C1C286B.mspx

276580: Non-Domain Users Cannot Log On Locally or Interactively to Domain Members
http://support.microsoft.com/default...b;en-us;276580

If you have any further questions, we also recommend Microsoft Advisory Services, a remotely-delivered.
CSS Advisory Services is a remotely delivered, hourly fee-based, consultative support option that provides proactive support beyond your break-fix product maintenance needs like product migration, code review, or new program development. For more info in the US and Canada:
http://support.microsoft.com/default...dvisoryService

Outside of the US/Canada:
http://support.microsoft.com/common/international.aspx

Hope the information helps!

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Newsgroup Web Interface Upgrade
Please complete a one-time registration process on your first visit to the Partner Portal beginning July 11, 2005 at 9 A.M. PST by entering the secure code mspp2005 when prompted. This secure code will be valid for 6 months after which you will need to update your registration by entering the new secure code. We will post announcements in the newsgroups prior to expiration. Once you have entered the secure code mspp2005, you will be able to update your profile and access the partner newsgroups. Please update your Favorites link to the newsgroups web page, your current link will redirect until November 1, 2005.
Please post any comment, questions or concerns to the microsoft.private.directaccess.partnerfeedback newsgroup.
For more information, please go to: https://partner.microsoft.com/global...edsupport/40014662
Jason

Thanks for all the input.

First, let me explain: the reason I want to allow this tech group to remote login to the DC is that I want them to do some light AD work without giving them the "Domain Administrator" right - same as Chris.

And second, problem solved. Just realized that the "Remote Desktop Users" group didn't belong to the "Allow logon through Terminal Service". Originally I thought that's a default setting. Apparently, it's not the case. Anyone know why?

So, I added my Tech group to the "Allow logon through Terminal Service" - problem solved.

Jason.
Ken Zhao [MSFT]

Hi Jason,

Thank you for your reply and the detailed additional feedback on how you were successful in resolving this issue. Your solution will benefit many other users.

As far as I know, you are right. By default, the "Remote Desktop Users" belongs to "Allow log on through Terminal Services".

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
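The thread turns on two separate user rights, "Log on locally" and "Allow log on through Terminal Services", so a quick way to see which one a group is missing is to read them out of a security policy export. The script below is an added example, not code from any poster in this thread; the sample export, the placeholder SID for the "Tech group" and the function names `Get-UserRight` and `Test-LogonRight` are assumptions made for illustration.

```powershell
# Constructed sample of a user-rights export. On a real DC, create the file with
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
# and load it with: $inf = Get-Content C:\Temp\rights.inf
$inf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

# Placeholder SID standing in for the thread's "Tech group" (constructed value).
$techGroup = 'S-1-5-21-1111111111-2222222222-3333333333-1105'

# Well-known built-in SIDs, so the report is readable without a domain lookup.
$wellKnown = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
    'S-1-5-32-555' = 'BUILTIN\Remote Desktop Users'
}

# The two rights named in the thread, keyed by their constant names in the export.
$threadRights = [ordered]@{
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Terminal Services'
}

# Parse the [Privilege Rights] section into a hashtable: right name -> holders.
function Get-UserRight {
    param([string[]]$InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            # Holders are comma-separated; SIDs carry a leading '*'.
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return $rights
}

# For each right from the thread, list its holders and whether $Principal is one.
function Test-LogonRight {
    param([hashtable]$Rights, [string]$Principal)
    foreach ($name in $threadRights.Keys) {
        $holders = @()
        if ($Rights.ContainsKey($name)) { $holders = $Rights[$name] }
        $names = foreach ($h in $holders) {
            if ($wellKnown.ContainsKey($h)) { $wellKnown[$h] } else { $h }
        }
        [pscustomobject]@{
            Right   = $threadRights[$name]
            Granted = $holders -contains $Principal
            Holders = $names -join ', '
        }
    }
}

$rights = Get-UserRight -InfLines $inf
foreach ($sid in 'S-1-5-32-555', $techGroup) {
    "Principal: $sid"
    Test-LogonRight -Rights $rights -Principal $sid | Format-Table -AutoSize
}
```

The check covers direct assignment only: a group that receives a right through membership in another listed group will show as not granted.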