
How to permit users to log on remotely to a Domain Controller


An Active Directory Domain Controller (AD DS) is an important Windows infrastructure role. In some circumstances you will have to provide remote access (RDP) to those machines for your helpdesk and/or support personnel. In my case, I needed to develop a plan to allow non-“Domain Admin” personnel to remotely connect to our branch office DCs.
Allowing non-admin users to remotely connect to a domain controller requires a couple of steps. Creating a security group and changing the “Default Domain Controller” group policy is how I achieved that in my configuration.
If you don’t do anything, people will most probably contact you saying their remote desktop connection has been denied, e.g.:
Remote Desktop Connection: The connection was denied because the user account is not authorized for remote login.

Start by creating a new Windows security group.

Add all required user accounts to the new security group. After you have added the user accounts, make the new security group a member of the “Remote Desktop Users” builtin group. Without this step these users won’t be allowed to use the Remote Desktop Protocol on the Windows Server.

Start Group Policy Management Editor and edit the “Default Domain Controller” policy. Locate the “Allow log on through Remote Desktop Services” user rights setting (Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\). Add the new security group and close the management console.

If you are too quick trying to log on with a supporter account, the Domain Controller will show you the following message.
To log on this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Administrators group have this right. If you are not a member of Administrators group or another group that has this right, or if the Administrators group does not have this right, you must be granted this right manually.

Make sure to wait until the “Default Domain Controller” policy has been processed, or run gpupdate /force. I ran the gpupdate command and tried to log on with a supporter account. The remote desktop connection worked successfully and I was not a domain admin with this supporter account!
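
The group steps above in PowerShell, followed by a check that the user right actually landed on the domain controller. This is an added example, not code from the original post; the group name `DC-RDP-Support` and the accounts `helpdesk1` and `helpdesk2` are assumed placeholders, and the user right itself is still set in the Group Policy Management Editor as described.

```powershell
# Added example, not from the original post. Group and account names are assumed placeholders.
# Run elevated on a domain controller; requires the ActiveDirectory module.
Import-Module ActiveDirectory

$GroupName = 'DC-RDP-Support'          # hypothetical security group
$Members   = 'helpdesk1', 'helpdesk2'  # hypothetical support accounts

# Create the security group if it does not exist yet, then add the missing accounts.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
}
$current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
$missing = @($Members | Where-Object { $_ -notin $current })
if ($missing) { Add-ADGroupMember -Identity $group -Members $missing }

# Nest the new group in the builtin "Remote Desktop Users" group.
$rdu = Get-ADGroupMember -Identity 'Remote Desktop Users'
if ($rdu.SID.Value -notcontains $group.SID.Value) {
    Add-ADGroupMember -Identity 'Remote Desktop Users' -Members $group
}

# After adding the group to "Allow log on through Remote Desktop Services" in the GPO:
gpupdate /target:computer /force | Out-Null

# Export the effective user rights and read who holds the RDP logon right.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$match = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight\s*=\s*(.*)$' |
    Select-Object -First 1
$holders = @()
if ($match) {
    $holders = $match.Matches[0].Groups[1].Value.Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# A defined GPO value replaces the whole list, so check Administrators (S-1-5-32-544) too.
[pscustomobject]@{
    SupportGroupHasRight   = $holders -contains $group.SID.Value
    AdministratorsHasRight = $holders -contains 'S-1-5-32-544'
    Holders                = $holders -join ', '
}

# Review everyone who gains RDP access to the DCs through the group (nested members included).
Get-ADGroupMember -Identity $group -Recursive | Select-Object SamAccountName, objectClass
```

If `SupportGroupHasRight` is false after `gpupdate`, the policy has not been processed yet or the group was added to a different GPO than the one applied to the domain controller.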

