Can domain users RDP to domain controllers? [message #364805] Mon, 11 January 2010 02:29
Domon, Junior Member, United States (Messages: 19, Registered: July 2009)
Hi guys

Can I check with you guys if, by default, domain users can RDP to a
domain controller? I tried putting the account into the Remote Desktop
Users group, which has the "allow logon via terminal services" right. I also
granted it the "allow logon locally" right. But while I am able to log on
to the DC locally with that account, I am not able to RDP into it.

Are only domain admins able to RDP to a DC?

Regards


--
Domon
------------------------------------------------------------ ------------
Domon's Profile: http://forums.techarena.in/members/48096.htm
View this thread: http://forums.techarena.in/active-directory/1292003.htm

http://forums.techarena.in
Re: Can domain users RDP to domain controllers? [message #364835 is a reply to message #364805] Mon, 11 January 2010 04:24
meiweb, Senior Member, Germany (Messages: 2225, Registered: September 2009)
Hello Domon,

By default domain users are not allowed to log on to a DC. And this shouldn't
be changed; a DC is the heart of the domain. Why should they be able to log on
to it?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi guys
>
> Can I check with you guys if, by default, domain users can RDP to a
> domain controller? I tried putting the account into the Remote Desktop
> Users group, which has the "allow logon via terminal services" right. I also
> granted it the "allow logon locally" right. But while I am able to log
> on to the DC locally with that account, I am not able to RDP into it.
>
> Are only domain admins able to RDP to a DC?
>
> Regards
>
> http://forums.techarena.in
>
Re: Can domain users RDP to domain controllers? [message #364897 is a reply to message #364805] Mon, 11 January 2010 06:34
pbbergs, Senior Member, United States (Messages: 1024, Registered: July 2009)
By default, domain users shouldn't be able to remotely log on (RDP) to DCs or
servers.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Domon" <Domon.44mdrh@DoNotSpam.com> wrote in message
news:Domon.44mdrh@DoNotSpam.com...
>
> Hi guys
>
> Can I check with you guys if, by default, domain users can RDP to a
> domain controller? I tried putting the account into the Remote Desktop
> Users group, which has the "allow logon via terminal services" right. I also
> granted it the "allow logon locally" right. But while I am able to log on
> to the DC locally with that account, I am not able to RDP into it.
>
> Are only domain admins able to RDP to a DC?
>
> Regards
>
>
> --
> Domon
> ------------------------------------------------------------ ------------
> Domon's Profile: http://forums.techarena.in/members/48096.htm
> View this thread: http://forums.techarena.in/active-directory/1292003.htm
>
> http://forums.techarena.in
>
Re: Can domain users RDP to domain controllers? [message #364988 is a reply to message #364805] Mon, 11 January 2010 07:29
Domon, Junior Member, United States (Messages: 19, Registered: July 2009)
Hi Guys

Really thanks for the prompt reply.

Actually, there is an application installed on this DC and the
application team wants a normal user account with just enough permission
to administer the application. So, I am thinking of giving them a domain
user account and granting them enough permission to perform their
administration, probably granting the account full control on the
application-related folders (located separately from the system drive).
I wonder if there is a better solution?

Does promoting a server to a DC result in domain users not being able to
remotely log on (RDP) to the node?

Regards


--
Domon
------------------------------------------------------------ ------------
Domon's Profile: http://forums.techarena.in/members/48096.htm
View this thread: http://forums.techarena.in/active-directory/1292003.htm

http://forums.techarena.in
Re: Can domain users RDP to domain controllers? [message #365030 is a reply to message #364988] Mon, 11 January 2010 09:05
pbbergs, Senior Member, United States (Messages: 1024, Registered: July 2009)
Let's stay with the first error and move on once that is resolved, or open up
a separate thread on the SBS NewsGroup.

So could you provide the previous info requested?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Domon" <Domon.44mrnc@DoNotSpam.com> wrote in message
news:Domon.44mrnc@DoNotSpam.com...
>
> Hi Guys
>
> Really thanks for the prompt reply.
>
> Actually, there is an application installed on this DC and the
> application team wants a normal user account with just enough permission
> to administer the application. So, I am thinking of giving them a domain
> user account and granting them enough permission to perform their
> administration, probably granting the account full control on the
> application-related folders (located separately from the system drive).
> I wonder if there is a better solution?
>
> Does promoting a server to a DC result in domain users not being able to
> remotely log on (RDP) to the node?
>
> Regards
>
>
> --
> Domon
> ------------------------------------------------------------ ------------
> Domon's Profile: http://forums.techarena.in/members/48096.htm
> View this thread: http://forums.techarena.in/active-directory/1292003.htm
>
> http://forums.techarena.in
>
Re: Can domain users RDP to domain controllers? [message #365138 is a reply to message #365030] Mon, 11 January 2010 10:39
aceman, Senior Member, United States (Messages: 5816, Registered: July 2009)
"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
news:OkUIXftkKHA.2160@TK2MSFTNGP02.phx.gbl...
> Let's stay with the first error and move on once that is resolved, or open
> up a separate thread on the SBS NewsGroup.
>
> So could you provide previous info requested?
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>


Paul, is this machine an SBS box? Looking back in this thread, I couldn't
find that info.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
Re: Can domain users RDP to domain controllers? [message #365139 is a reply to message #364805] Mon, 11 January 2010 10:44
aceman, Senior Member, United States (Messages: 5816, Registered: July 2009)
"Domon" <Domon.44mdrh@DoNotSpam.com> wrote in message
news:Domon.44mdrh@DoNotSpam.com...
>
> Hi guys
>
> Can I check with you guys if, by default, domain users can RDP to a
> domain controller? I tried putting the account into the Remote Desktop
> Users group, which has the "allow logon via terminal services" right. I also
> granted it the "allow logon locally" right. But while I am able to log on
> to the DC locally with that account, I am not able to RDP into it.
>
> Are only domain admins able to RDP to a DC?
>
> Regards


As Paul and Meinolf mentioned, by default Domain Users are not permitted to
log on to a DC.

If you really need them to log on, they also need Interactive Rights. That is
done manually by running the following command:

ntrights -u Users +r SeInteractiveLogonRight
or
ntrights -u TheUser'sAccountName +r SeInteractiveLogonRight

You will need ntrights.exe from the Resource Kit installed to run it.

HOWEVER, I recommend putting the app on a non-DC. And yes, to answer your
other question, when you promote a machine to a DC, this security does go
into effect.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
Re: Can domain users RDP to domain controllers? [message #365230 is a reply to message #365138] Mon, 11 January 2010 12:15
pbbergs, Senior Member, United States (Messages: 1024, Registered: July 2009)
Wrong thread on part of the answer. Sorry, they are blurring together.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:Ob3RBUukKHA.2160@TK2MSFTNGP02.phx.gbl...
> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
> news:OkUIXftkKHA.2160@TK2MSFTNGP02.phx.gbl...
>> Let's stay with the first error and move on once that is resolved, or open
>> up a separate thread on the SBS NewsGroup.
>>
>> So could you provide previous info requested?
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> Microsoft's Thrive IT Pro of the Month - June 2009
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup This
>> posting is provided "AS IS" with no warranties, and confers no rights.
>>
>
>
> Paul, is this machine an SBS box? Looking back in this thread, I couldn't
> find that info.
>
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
> MCSA 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
> Microsoft MVP - Directory Services
>
> If you feel this is an urgent issue and require immediate assistance,
> please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>
>
>
>
Re: Can domain users RDP to domain controllers? [message #365295 is a reply to message #364988] Mon, 11 January 2010 13:14
lanwench, Senior Member, United States (Messages: 1684, Registered: July 2009)
On Mon, 11 Jan 2010 19:59:17 +0530, Domon <Domon.44mrnc@DoNotSpam.com>
wrote:

>
>Hi Guys
>
>Really thanks for the prompt reply.
>
>Actually, there is an application installed on this DC and the
>application team wants a normal user account with just enough permission
>to administer the application. So, I am thinking of giving them a domain
>user account and granting them enough permission to perform their
>administration, probably granting the account full control on the
>application-related folders (located separately from the system drive).
>I wonder if there is a better solution?
>
>Does promoting a server to a DC result in domain users not being able to
>remotely log on (RDP) to the node?
>
>Regards


I would be hesitant about this. If possible, move the application OFF
a domain controller onto a member server, even if it's virtual - then
the application support folks can do what they like. You have to open
up too many security holes to allow anyone but a domain admin to log
into a DC.
Re: Can domain users RDP to domain controllers? [message #365308 is a reply to message #365230] Mon, 11 January 2010 13:24
aceman, Senior Member, United States (Messages: 5816, Registered: July 2009)
"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
news:OBdr8JvkKHA.1824@TK2MSFTNGP04.phx.gbl...
> Wrong thread on part of the answer. Sorry, they are blurring together.
>

Sometimes they do blur into one big thread! :-)

Cheers!
Re: Can domain users RDP to domain controllers? [message #365322 is a reply to message #365295] Mon, 11 January 2010 13:36
KevinJ.SBS, Senior Member, United States (Messages: 653, Registered: July 2009)
Lanwench [MVP - Exchange] wrote:
> On Mon, 11 Jan 2010 19:59:17 +0530, Domon <Domon.44mrnc@DoNotSpam.com>
> wrote:
>
>>
>> Hi Guys
>>
>> Really thanks for the prompt reply.
>>
>> Actually, there is an application installed on this DC and the
>> application team wants a normal user account with just enough
>> permission to administer the application. So, I am thinking of giving
>> them a domain user account and granting them enough permission to
>> perform their administration, probably granting the account full
>> control on the application-related folders (located separately from
>> the system drive). I wonder if there is a better solution?
>>
>> Does promoting a server to a DC result in domain users not being able to
>> remotely log on (RDP) to the node?
>>
>> Regards
>
>
> I would be hesitant about this. If possible, move the application OFF
> a domain controller onto a member server, even if it's virtual - then
> the application support folks can do what they like. You have to open
> up too many security holes to allow anyone but a domain admin to log
> into a DC.

Applications don't belong on Domain Controllers, and standard users
shouldn't be allowed anything but authentication to a DC. (OK, perhaps an
LDAP query, but that's about all.)



--
/kj
Re: Can domain users RDP to domain controllers? [message #365459 is a reply to message #364988] Mon, 11 January 2010 15:47
Jorge Silva, Senior Member (Messages: 398, Registered: July 2009)
Hi
Assuming that the app can be remotely accessed, why not administer that app
from another server or workstation?

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.




"Domon" <Domon.44mrnc@DoNotSpam.com> wrote in message
news:Domon.44mrnc@DoNotSpam.com...
>
> Hi Guys
>
> Really thanks for the prompt reply.
>
> Actually, there is an application installed on this DC and the
> application team wants a normal user account with just enough permission
> to administer the application. So, I am thinking of giving them a domain
> user account and granting them enough permission to perform their
> administration, probably granting the account full control on the
> application-related folders (located separately from the system drive).
> I wonder if there is a better solution?
>
> Does promoting a server to a DC result in domain users not being able to
> remotely log on (RDP) to the node?
>
> Regards
>
>
> --
> Domon
> ------------------------------------------------------------ ------------
> Domon's Profile: http://forums.techarena.in/members/48096.htm
> View this thread: http://forums.techarena.in/active-directory/1292003.htm
>
> http://forums.techarena.in
>
Re: Can domain users RDP to domain controllers? [message #366692 is a reply to message #364805] Tue, 12 January 2010 19:46
Domon, Junior Member, United States (Messages: 19, Registered: July 2009)
Hi Guys

I know the normal practice is that we should have a dedicated server
for the DC. Probably the apps team did it because they have some
constraints. Anyway, I probably need to ensure I can allow domain users
to RDP to the DC as a last resort in case they don't want to move the
apps.

Is ntrights -u Users +r SeInteractiveLogonRight the same as granting
the "allow logon locally" right in the GPO settings? If yes, then I
think it still has not solved the issue. I think it's likely due to
the hardening template created by our security team.

I tried on a non-hardened DC and it works.

Regards


--
Domon
------------------------------------------------------------ ------------
Domon's Profile: http://forums.techarena.in/members/48096.htm
View this thread: http://forums.techarena.in/active-directory/1292003.htm

http://forums.techarena.in
Re: Can domain users RDP to domain controllers? [message #366702 is a reply to message #366692] Tue, 12 January 2010 20:39
aceman, Senior Member, United States (Messages: 5816, Registered: July 2009)
"Domon" <Domon.44pjnb@DoNotSpam.com> wrote in message
news:Domon.44pjnb@DoNotSpam.com...
>
> Hi Guys
>
> I know the normal practice is that we should have a dedicated server
> for the DC. Probably the apps team did it because they have some
> constraints. Anyway, I probably need to ensure I can allow domain users
> to RDP to the DC as a last resort in case they don't want to move the
> apps.
>
> Is ntrights -u Users +r SeInteractiveLogonRight the same as granting
> the "allow logon locally" right in the GPO settings? If yes, then I
> think it still has not solved the issue. I think it's likely due to
> the hardening template created by our security team.
>
> I tried on a non-hardened DC and it works.
>
> Regards


No, they are two separate rights. They would need both assigned to them.
There is nothing in the GUI to assign the interactive right. If you ask me,
it was a security precaution to not make it easy to assign it.

If there's a hardening template, then we need to know which template
is being used: either one of the secure DC templates available with the OS,
or a custom-made one. If it is a custom template, we'll need to know what's
in the template to ascertain if it is preventing users from connecting.

Ace
Re: Can domain users RDP to domain controllers? [message #370673 is a reply to message #366702] Mon, 18 January 2010 01:56
Domon, Junior Member, United States (Messages: 19, Registered: July 2009)
Hi Guys

Sorry for the late reply.

I looked through the template and noticed that the "Bypass traverse
checking" right has been removed for all groups and users. I tried
granting the authorized users this right and it works. Once it is
removed, I get a userinit.exe error (The application failed to
initialize properly (0xc0000142)).

The problem is that my security team is not willing to grant the right.
They want us to grant it in folder/file permission instead.

Has anyone done this kind of configuration before?

Regards

Lip Ann


--
Domon
------------------------------------------------------------ ------------
Domon's Profile: http://forums.techarena.in/members/48096.htm
View this thread: http://forums.techarena.in/active-directory/1292003.htm

http://forums.techarena.in
Re: Can domain users RDP to domain controllers? [message #370734 is a reply to message #370673] Mon, 18 January 2010 05:37
aceman, Senior Member, United States (Messages: 5816, Registered: July 2009)
"Domon" <Domon.44z9nb@DoNotSpam.com> wrote in message
news:Domon.44z9nb@DoNotSpam.com...
>
> Hi Guys
>
> Sorry for the late reply.
>
> I looked through the template and noticed that the "Bypass traverse
> checking" right has been removed for all groups and users. I tried
> granting the authorized users this right and it works. Once it is
> removed, I get a userinit.exe error (The application failed to
> initialize properly (0xc0000142)).
>
> The problem is that my security team is not willing to grant the right.
> They want us to grant it in folder/file permission instead.
>
> Has anyone done this kind of configuration before?
>
> Regards
>
> Lip Ann


Not that I know of, other than manually assigning it using ntrights. And it
wouldn't be a file/folder permission. It's one of the *rights* required to
access a domain controller.

Ace
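An added example (not posted by anyone in this thread) that audits the three user rights the thread turns on, so a hardening template like Domon's can be checked before anyone starts handing out rights: it exports the effective local policy with secedit and reports who holds "Allow log on locally" (SeInteractiveLogonRight), the Remote Desktop logon right (SeRemoteInteractiveLogonRight) and "Bypass traverse checking" (SeChangeNotifyPrivilege, the right the template had stripped). It assumes an elevated prompt on the DC; the temp-file path is an assumption.

```powershell
# Added example, not from the thread: report the holders of the logon rights discussed above.
# Assumes an elevated prompt on the DC; secedit.exe ships with Windows. The export path is an assumption.
$Inf = Join-Path $env:TEMP 'rights-audit.inf'

# Export only the User Rights Assignment area of the effective local policy.
& secedit.exe /export /cfg $Inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

# Rights the thread turns on, keyed by their policy constant (values are the GUI names).
$RightsOfInterest = @{
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Terminal Services / Remote Desktop Services'
    'SeChangeNotifyPrivilege'       = 'Bypass traverse checking'
}

function Convert-SidToAccount {
    param([string]$Token)
    # secedit writes SIDs with a leading '*'; a token without it is already an account name.
    if ($Token.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Token.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $Token }   # unresolvable (e.g. orphaned) SID: keep the raw value
    }
    return $Token
}

# Parse the [Privilege Rights] section, whose lines look like:
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
$Assigned = @{}
$inSection = $false
foreach ($line in Get-Content -Path $Inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
    $Assigned[$Matches[1]] = @($Matches[2] -split ',' |
        Where-Object { $_.Trim() } |
        ForEach-Object { Convert-SidToAccount $_.Trim() })
}

# A right that is absent from the export has no holders at all, which is exactly the
# state Domon found for "Bypass traverse checking" in the hardened template.
foreach ($right in $RightsOfInterest.Keys) {
    $holders = $Assigned[$right]
    if (-not $holders) { $holders = @('<nobody>') }
    [pscustomobject]@{
        Right      = $right
        PolicyName = $RightsOfInterest[$right]
        AssignedTo = ($holders -join '; ')
    }
}

Remove-Item -Path $Inf -ErrorAction SilentlyContinue
```

Run it on the hardened DC and on the non-hardened DC and diff the two tables; the rows that differ are the template's doing.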