
How to permit users to logon remotely to a Domain Controller


The Active Directory Domain Controller (AD-DS) is an important Windows infrastructure role. In some circumstances you will have to provide remote access (RDP) to your helpdesk and/or support personnel so that they can connect to those machines. In my case, I needed to develop a plan to allow non-“Domain Admin” personnel to remotely connect to our branch office DCs.
Allowing non-admin users to remotely connect to a domain controller requires a couple of steps. Creating a security group and changing the “Default Domain Controller” group policy is how I achieved that in my configuration.
If you don’t do anything, people will most probably contact you saying that their remote desktop connection has been denied, e.g.:
Remote Desktop Connection: The connection was denied because the user account is not authorized for remote login.

Start by creating a new Windows security group.

Add all required user accounts to the new security group. After you have added the user accounts, make the new security group a member of the “Remote Desktop Users” builtin group. Without this step, these users won’t be allowed to use the Remote Desktop Protocol on the Windows Server.

Start the Group Policy Management Editor and edit the “Default Domain Controller” policy. Locate the “Allow log on through Remote Desktop Services” user rights setting (Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\). Add the new security group and close the management console.

If you are too quick trying to log on with a supporter account, the Domain Controller will show you the following message.
To log on this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Administrators group have this right. If you are not a member of Administrators group or another group that has this right, or if the Administrators group does not have this right, you must be granted this right manually.

Make sure to wait until the “Default Domain Controller” policy has been processed, or run gpupdate /force. I ran the gpupdate command and tried to log on with a supporter account. The remote desktop connection worked successfully and I was not a domain admin with this supporter account!
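
The group steps above can also be scripted, and the result checked, from an elevated PowerShell session on the domain controller. This is an added example, not part of the original post: the group name, OU path and account names are hypothetical, and it assumes the ActiveDirectory module is installed. The GPO edit itself is still done in the Group Policy Management Editor as described.

```powershell
# Added example. $groupName, $ouPath and $members are hypothetical placeholders.
Import-Module ActiveDirectory

$groupName = 'DC-RDP-Support'
$ouPath    = 'OU=Groups,DC=example,DC=com'
$members   = 'support1', 'support2'

# Create the security group if it does not exist yet. Global scope lets it
# be nested into the builtin "Remote Desktop Users" group.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security -Path $ouPath
}

# Add only the accounts that are not members yet, so the script can be re-run.
$current = @(Get-ADGroupMember -Identity $groupName | ForEach-Object SamAccountName)
$toAdd   = @($members | Where-Object { $_ -notin $current })
if ($toAdd) { Add-ADGroupMember -Identity $groupName -Members $toAdd }

# Nest the new group into "Remote Desktop Users".
$rdu = @(Get-ADGroupMember -Identity 'Remote Desktop Users' | ForEach-Object SamAccountName)
if ($groupName -notin $rdu) {
    Add-ADGroupMember -Identity 'Remote Desktop Users' -Members $groupName
}

# After the GPO has been edited: refresh policy, then export the effective
# user rights and read who holds "Allow log on through Remote Desktop Services".
gpupdate /force | Out-Null
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight' |
    Select-Object -First 1
$granted = @()
if ($line) {
    # secedit writes entries as a comma-separated list, SIDs prefixed with '*'.
    $granted = ($line.Line -split '=', 2)[1].Split(',').Trim().TrimStart('*')
}

# Report: is the new group in the right, did Administrators keep it, and
# which accounts can now reach the DC over RDP through this group.
$sid = (Get-ADGroup -Identity $groupName).SID.Value
[pscustomobject]@{
    Group                   = $groupName
    GroupHasRdpRight        = $sid -in $granted
    AdministratorsHaveRight = 'S-1-5-32-544' -in $granted   # BUILTIN\Administrators
    EffectiveMembers        = @(Get-ADGroupMember -Identity $groupName -Recursive |
                                  ForEach-Object SamAccountName)
}
```

If `GroupHasRdpRight` is false, the policy has not been applied to this DC yet; `EffectiveMembers` includes accounts that arrive through nested groups, which is the list to review periodically.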

