Allow Log On Through TS GP - SBS2k3 RWW Group - Deny RDP to server

Discussion in 'Windows Small Business Server' started by Wopster, Jun 3, 2008.

  1. Wopster

    Wopster Guest

    Hello All,

    Is it normal for my SBS box to allow a normal user (not in the
    administrators group) the ability to RDP into my server? My users are a
    member of these groups: Domain Power Users, Domain Users, Mobile Users, and
    Users and they can still logon via RDP to my server.

    For some reason I thought by default they would be denied logon through TS
    to the server itself by a GP? Is this assumption wrong? (SBS2k3 R2)

    My default domain controller policy states 'Not Defined' for Allow Log On
    Through Terminal Services.

    I had previously removed the RWW group from most of my users thinking this
    would not only deny them access to RWW but also to logging onto my SBS box?

    If I define 'Allow Log On Through Terminal Services' and add the
    Administrators group, would this be the correct way to only allow members of
    the Administrators group to access the SBS box via RDP AND still allow normal
    users access to their workstations via RWW (if they are a member of the RWW
    group)?

    As always thank you for your assistance,
    Tony
     
    Wopster, Jun 3, 2008
    #1
    1. Advertisements

  2. "Domain Power Users" is a pretty heavy security group. If you go into the
    Server Mgmt Console -> Security Groups and look at the properties, it's a
    member of just about every admin group I can think of. One of those is
    "Remote Operators," which is where they get their RDP access.

    The comment for Domain Power Users says that members can not log onto the
    server locally. However, Domain Power Users is a member of Print Operators,
    a group which can log on locally. Unless there's a non-obvious way that
    Domain Power Users can belong to Print Operators but still not log on
    locally, they can do that too.

    Personally, I don't have any Domain Power Users. Do you have a need for
    users to have this level of access? If not, I recommend that you remove
    them from that security group, and put them into a more restrictive group
    that only allows the rights they need.

    The RWW group does just what it says - allows access to RWW - without
    allowing any other increased rights. Once they get into RWW, the RDP
    settings on the client PCs or the server will apply.
     
    Dave Nickason [SBS MVP], Jun 3, 2008
    #2
    1. Advertisements

  3. Wopster

    Wopster Guest

    You answered my question perfectly. Thank you very much.

    Tony
     
    Wopster, Jun 3, 2008
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.