+ Post New Thread
Results 1 to 9 of 9
Windows Server 2000/2003 Thread, Prevent user group from logging onto Terminal Server in Technical; ...
  1. #1

    Join Date
    Sep 2009
    Posts
    224
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    13

    Prevent user group from logging onto Terminal Server

    Hi all

    As title, Iím trying to figure out how to prevent a certain group (or groups) from logging onto a certain terminal server. To cut a long story short, I have a terminal server which I use to log into from home, and I want to make sure that my user account is the only one which can log on to it.

    We have another terminal server (which is specifically for staff), and the person who did my job before me setup the local security to allow both him and me to literally select which users are granted the ability to logon (its a case of adding the user accounts to the Remote Desktop Users local group), but this procedure doesnít work for "my" terminal server.

    Any ideas?

    Itís probably a simple procedure, but I can't figure it out.

  2. #2

    3s-gtech's Avatar
    Join Date
    Mar 2009
    Location
    Wales
    Posts
    3,029
    Thank Post
    158
    Thanked 631 Times in 564 Posts
    Rep Power
    165
    Not sure with a TS - but with a domain workstation it's done on the local machine (so the server itself in this case) with secpol.msc. Security Settings/Local Policies/USer Rights Assignment - Deny Log on Locally, and add the groups. Couldn't say for sure if this will work with your setup though.

  3. #3

    Join Date
    Sep 2009
    Posts
    224
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    13
    Yeah thats how i prevent students logging onto staff work stations, but that feature doesnt appear to be present in Server 2003. When i go to the local security settings and select that policy, i get a message saying something like the policy isnt compatible with OS's after 2000 SP1...which is a tad strange.

  4. #4

    3s-gtech's Avatar
    Join Date
    Mar 2009
    Location
    Wales
    Posts
    3,029
    Thank Post
    158
    Thanked 631 Times in 564 Posts
    Rep Power
    165
    It's not ideal for servers to be honest. Bit dirtier, but how about setting a logon script for all users, that reads the samaccountname attribute %'SAMAccountName'%, if it's not you, it just logs back off again. Should be fairly simple.

  5. #5

    Join Date
    Jan 2007
    Location
    Nottinghamshire
    Posts
    530
    Thank Post
    1
    Thanked 84 Times in 58 Posts
    Rep Power
    38
    For remote desktop on win2k3 it's just people in the local Remote Desktop Users group, I tend to add an AD group to that and edit the AD group, unless there's some other GPO overriding something, RSOP might help

  6. #6

    Join Date
    Sep 2009
    Posts
    224
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    13
    Yeah i've looked into that too. It appears that something must be overriding it on "my" server...because i've added only my username to the Remote Desktop Users group, but other members of staff are still able to log on. However, on the staff terminal server, only users who are added to this group are able to logon...which means it works for that server but not mine

  7. #7
    p858snake's Avatar
    Join Date
    Dec 2008
    Location
    Queensland
    Posts
    1,490
    Thank Post
    37
    Thanked 175 Times in 151 Posts
    Blog Entries
    2
    Rep Power
    52
    Quote Originally Posted by aaronjwilkinson View Post
    Yeah i've looked into that too. It appears that something must be overriding it on "my" server...because i've added only my username to the Remote Desktop Users group, but other members of staff are still able to log on. However, on the staff terminal server, only users who are added to this group are able to logon...which means it works for that server but not mine
    Log in with a account that shouldn't be getting access then run RSOP and see what is being applied.

  8. #8


    Join Date
    Mar 2009
    Location
    Leeds
    Posts
    6,955
    Thank Post
    232
    Thanked 909 Times in 780 Posts
    Rep Power
    305
    could you just set a deny for staff as that shold take precidence over an allow?

  9. #9

    Join Date
    Sep 2009
    Posts
    224
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    13
    Done that but, to be honest...i arent quite sure what i'm looking for in all the policy's



SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 0
    Last Post: 17th May 2010, 10:25 AM
  2. Terminal Server Licenses (Devics vs User)
    By mb2k01 in forum Windows Server 2000/2003
    Replies: 5
    Last Post: 23rd March 2009, 08:37 PM
  3. ABTutor Terminal Services logging
    By kesomir in forum Network and Classroom Management
    Replies: 4
    Last Post: 26th May 2008, 07:34 PM
  4. Terminal Login - Not logging in with Admin Rights?
    By burgemaster in forum Windows
    Replies: 4
    Last Post: 15th May 2008, 06:45 PM
  5. Replies: 60
    Last Post: 13th March 2008, 06:39 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •