"Allow log on through Terminal Services" in GP: How does it work?

[roga]

All I want to do is set a group policy which allows members of an existing
security group to log on via RDP without me having to make them members of
the local "remote desktop users" group.

The group policy "Allow log on through Terminal Services" " looks like it
should do the job, but I have never managed to get it to work.

can someone give me some pointers?

regards

roga

 

[Vera Noest [MVP]]

Why do you not want to use the group which is especially created to
ensure that members receive all the rights and permissions they
need?

Members of the "Remote Desktop Users" group have not only the user
right to Logon to Terminal Services, they also have the necessary
permissions on the rdp-tcp connection.
So if you don't want to add users to this group, you either have to
duplicate the group with another group of your making, or add each
user manually to the permissions tab of the rdp-tcp connection.
Both methods seem a waist of time to me, but I could be missing
something here.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote
on 20 jul 2007 in microsoft.public.windows.terminal_services:

> All I want to do is set a group policy which allows members of
> an existing security group to log on via RDP without me having
> to make them members of the local "remote desktop users" group.
>
> The group policy "Allow log on through Terminal Services" "
> looks like it should do the job, but I have never managed to get
> it to work.
>
> can someone give me some pointers?
>
> regards
>
> roga

 

[Bruce Sanderson]

To add to what Vera said, you can populate the Remote Desktop Users group
using Restricted Groups in a GPO. This avoids having to manually adjust the
group membership on each target computer (Server or workstation).

Restricted Groups are at
Computer Configuration
Windows Settings
Security Settings

See http://support.microsoft.com/?id=810076.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote in message
news:uof0DlwyHHA.4712@TK2MSFTNGP04.phx.gbl...
> All I want to do is set a group policy which allows members of an
> existing security group to log on via RDP without me having to make them
> members of the local "remote desktop users" group.
>
> The group policy "Allow log on through Terminal Services" " looks like it
> should do the job, but I have never managed to get it to work.
>
> can someone give me some pointers?
>
> regards
>
> roga
>

 

[Rob (Microsoft)]

Allow logon through terminal Services as well as allow logon locally should
let you logon with those users as long as you are running Terminal Server and
not remote desktop.

"roga" wrote:

> All I want to do is set a group policy which allows members of an existing
> security group to log on via RDP without me having to make them members of
> the local "remote desktop users" group.
>
> The group policy "Allow log on through Terminal Services" " looks like it
> should do the job, but I have never managed to get it to work.
>
> can someone give me some pointers?
>
> regards
>
> roga
>
>
>

 

[roga]

Thanks Bruce, that looks helpful

regards

Roger

"Bruce Sanderson" <bsanders@newsgroups.nospam> wrote in message
news:C66730E2-287F-4B44-A7C6-9756A66CE8B1@microsoft.com...
> To add to what Vera said, you can populate the Remote Desktop Users group
> using Restricted Groups in a GPO. This avoids having to manually adjust
> the group membership on each target computer (Server or workstation).
>
> Restricted Groups are at
> Computer Configuration
> Windows Settings
> Security Settings
>
> See http://support.microsoft.com/?id=810076.
>
> --
> Bruce Sanderson MVP Printing
> http://members.shaw.ca/bsanders
>
> It is perfectly useless to know the right answer to the wrong question.
>
>
>
> "roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote in
> message news:uof0DlwyHHA.4712@TK2MSFTNGP04.phx.gbl...
>> All I want to do is set a group policy which allows members of an
>> existing security group to log on via RDP without me having to make them
>> members of the local "remote desktop users" group.
>>
>> The group policy "Allow log on through Terminal Services" " looks like
>> it should do the job, but I have never managed to get it to work.
>>
>> can someone give me some pointers?
>>
>> regards
>>
>> roga
>>
>

 

[roga]

"Vera Noest [MVP]" wrote
> Why do you not want to use the group which is especially created to
> ensure that members receive all the rights and permissions they
> need?

Because if I do it in GP I only have to do it once for the domain

If I have to add to local groups on each TS it means I have to touch each
machine ...

regards

Roga

>
> Members of the "Remote Desktop Users" group have not only the user
> right to Logon to Terminal Services, they also have the necessary
> permissions on the rdp-tcp connection.
> So if you don't want to add users to this group, you either have to
> duplicate the group with another group of your making, or add each
> user manually to the permissions tab of the rdp-tcp connection.
> Both methods seem a waist of time to me, but I could be missing
> something here.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote
> on 20 jul 2007 in microsoft.public.windows.terminal_services:
>
>> All I want to do is set a group policy which allows members of
>> an existing security group to log on via RDP without me having
>> to make them members of the local "remote desktop users" group.
>>
>> The group policy "Allow log on through Terminal Services" "
>> looks like it should do the job, but I have never managed to get
>> it to work.
>>
>> can someone give me some pointers?
>>
>> regards
>>
>> roga

 

[Florian Frommherz [MVP]]

Howdie!

roga schrieb:
> "Vera Noest [MVP]" wrote
>> Why do you not want to use the group which is especially created to
>> ensure that members receive all the rights and permissions they
>> need?
>
> Because if I do it in GP I only have to do it once for the domain

Look at the "Restricted Groups" feature of Group Policy. That allows you
to put Active Directory users automatically to local workstation's
security groups. You could like this add a Active Directory security
group as a member to a bunch of clients' "Remote Desktop Users" group.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.

 

[Vera Noest [MVP]]

"roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote
on 23 jul 2007:

> "Vera Noest [MVP]" wrote
>> Why do you not want to use the group which is especially
>> created to ensure that members receive all the rights and
>> permissions they need?
>
> Because if I do it in GP I only have to do it once for the
> domain
>
> If I have to add to local groups on each TS it means I have to
> touch each machine ...

Agreed. But if you bypass the recommended method of:
Users in Global groups, Global groups in Local groups, Local group
gets permissions, then you will also loose a level of flexibility.
It will be impossible to differentiate between the Terminal
Servers, i.e. you can not allow only a subset of your users to a
subset of your Terminal Servers.
And sooner or later, you'll get the need for a dedicated TS with
some special program, only for some special users.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

 

[Vera Noest [MVP]]

That's not correct, Rob.
For the mentioning of the "Remote Desktop Users" group we can
deduce that the TS is running 2003. Then you do *not* need the user
right to Logon Locally. That was true on W2K, but not on 2003.

And without the proper permissions on the rdp-tcp connection, you
won't be able to connect, no matter what Logon user rights you
have.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

=?Utf-8?B?Um9iIChNaWNyb3NvZnQp?=
<RobMicrosoft@discussions.microsoft.com> wrote on 22 jul 2007:

> Allow logon through terminal Services as well as allow logon
> locally should let you logon with those users as long as you are
> running Terminal Server and not remote desktop.
>
> "roga" wrote:
>
>> All I want to do is set a group policy which allows members of
>> an existing security group to log on via RDP without me having
>> to make them members of the local "remote desktop users" group.
>>
>> The group policy "Allow log on through Terminal Services" "
>> looks like it should do the job, but I have never managed to
>> get it to work.
>>
>> can someone give me some pointers?
>>
>> regards
>>
>> roga

 

[Roger Abell [MVP]]

"Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message
news:Xns99768D84F7BDCveranoesthemutforsse@207.46.248.16...
> "roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote
> on 23 jul 2007:
>
>> "Vera Noest [MVP]" wrote
>>> Why do you not want to use the group which is especially
>>> created to ensure that members receive all the rights and
>>> permissions they need?
>>
>> Because if I do it in GP I only have to do it once for the
>> domain
>>
>> If I have to add to local groups on each TS it means I have to
>> touch each machine ...
>
> Agreed. But if you bypass the recommended method of:
> Users in Global groups, Global groups in Local groups, Local group
> gets permissions, then you will also loose a level of flexibility.
> It will be impossible to differentiate between the Terminal
> Servers, i.e. you can not allow only a subset of your users to a
> subset of your Terminal Servers.
> And sooner or later, you'll get the need for a dedicated TS with
> some special program, only for some special users.

I do not follow any of that posting.
The poster may use Restricted Group definitions on a per GPO
basis to effect membership adjustments to local groups on any
selected collection of TS servers. Doing so can add either a
domain global or a domain local to the machine local group,
and the effect is the same in either case.
I do however agree that there seems no good reason to reinvent
the machine local Remote Desktop Users group, and that one in
fact would be doing just that, defining a new machine local that
is identical in grants as the existing Remote Desktop Users group

Roger

 

[Roger Abell [MVP]]

Right on both counts, provided . . .
There are basically two things carried by the Remote Desktop Users
group, as you have indicated a couple times: the user right to log on
through TS, and the permissions on the rdp-tcp connectoid. However,
I often recommend that people take control over the Users group on
their domain joined machines, in which case they may have removed
Authenticated Users, Domain Users, and/or Interactive from Users
and/or from the user rights normally granted to Users . The precise
impact would depend on how they have hardened their server. In
most all cases, sufficient grants over Windows binaries and temp
areas does result if, in this case, the group made a member of the
Remote Desktop Users group is also made a member of Users, both
of course doable via GPO targetting.

Roger

"Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message
news:Xns99768E5EFCDECveranoesthemutforsse@207.46.248.16...
> That's not correct, Rob.
> For the mentioning of the "Remote Desktop Users" group we can
> deduce that the TS is running 2003. Then you do *not* need the user
> right to Logon Locally. That was true on W2K, but not on 2003.
>
> And without the proper permissions on the rdp-tcp connection, you
> won't be able to connect, no matter what Logon user rights you
> have.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> *----------- Please reply in newsgroup -------------*
>
> =?Utf-8?B?Um9iIChNaWNyb3NvZnQp?=
> <RobMicrosoft@discussions.microsoft.com> wrote on 22 jul 2007:
>
>> Allow logon through terminal Services as well as allow logon
>> locally should let you logon with those users as long as you are
>> running Terminal Server and not remote desktop.
>>
>> "roga" wrote:
>>
>>> All I want to do is set a group policy which allows members of
>>> an existing security group to log on via RDP without me having
>>> to make them members of the local "remote desktop users" group.
>>>
>>> The group policy "Allow log on through Terminal Services" "
>>> looks like it should do the job, but I have never managed to
>>> get it to work.
>>>
>>> can someone give me some pointers?
>>>
>>> regards
>>>
>>> roga

 

[Vera Noest [MVP]]

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote on 24 jul 2007 in
microsoft.public.windows.terminal_services:

> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote
> in message
> news:Xns99768D84F7BDCveranoesthemutforsse@207.46.248.16...
>> "roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk>
>> wrote on 23 jul 2007:
>>
>>> "Vera Noest [MVP]" wrote
>>>> Why do you not want to use the group which is especially
>>>> created to ensure that members receive all the rights and
>>>> permissions they need?
>>>
>>> Because if I do it in GP I only have to do it once for the
>>> domain
>>>
>>> If I have to add to local groups on each TS it means I have to
>>> touch each machine ...
>>
>> Agreed. But if you bypass the recommended method of:
>> Users in Global groups, Global groups in Local groups, Local
>> group gets permissions, then you will also loose a level of
>> flexibility. It will be impossible to differentiate between the
>> Terminal Servers, i.e. you can not allow only a subset of your
>> users to a subset of your Terminal Servers.
>> And sooner or later, you'll get the need for a dedicated TS
>> with some special program, only for some special users.
>
> I do not follow any of that posting.
> The poster may use Restricted Group definitions on a per GPO
> basis to effect membership adjustments to local groups on any
> selected collection of TS servers. Doing so can add either a
> domain global or a domain local to the machine local group,
> and the effect is the same in either case.
> I do however agree that there seems no good reason to reinvent
> the machine local Remote Desktop Users group, and that one in
> fact would be doing just that, defining a new machine local that
> is identical in grants as the existing Remote Desktop Users
> group
>
> Roger

But the OP wanted to assign all necessary user rights and
permissions in one big sweep (a single domain-wide GPO).
I agree that populating the Remote Desktop Users group through GPOs
is a very efficient way of doing it, but if/when you need to
differentiate between Terminal Servers, the OP would still need to
use multiple GPOs.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

 

[roga]

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns9977E840D4062veranoesthemutforsse@207.46.248.16...
>
> But the OP wanted to assign all necessary user rights and
> permissions in one big sweep (a single domain-wide GPO).

No I didn't Vera, I said nothing about which OU's I was going to assign the
GPO to. (Although I can see why you took it that way)

> I agree that populating the Remote Desktop Users group through GPOs
> is a very efficient way of doing it, but if/when you need to
> differentiate between Terminal Servers, the OP would still need to
> use multiple GPOs.

I would need one GPO and enable it for whatever OU's and security groups
necessary, wouldnt I?

regards

roga

 

[Vera Noest [MVP]]

"roga" <{news2005}REMOVE_THIS_UPPERCASE_2_REPLY@roga.co.uk> wrote
on 24 jul 2007 in microsoft.public.windows.terminal_services:

> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote
> in message
> news:Xns9977E840D4062veranoesthemutforsse@207.46.248.16...
>>
>> But the OP wanted to assign all necessary user rights and
>> permissions in one big sweep (a single domain-wide GPO).
>
> No I didn't Vera, I said nothing about which OU's I was going to
> assign the GPO to. (Although I can see why you took it that way)
>
>> I agree that populating the Remote Desktop Users group through
>> GPOs is a very efficient way of doing it, but if/when you need
>> to differentiate between Terminal Servers, the OP would still
>> need to use multiple GPOs.
>
> I would need one GPO and enable it for whatever OU's and
> security groups necessary, wouldnt I?

Not if you need to differentiate between Terminal Servers, which
was the only thing I wanted to point out from the beginning: you
try to use a shortcut now, but be aware that it could bite you
later.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___