Active Directory
Domain Controller (AD-DS) is an important Windows infrastructure role. In some
circumstances you will have to provide remote access (RDP) to your helpdesk
and/or support personnel so they can connect to those machines. In my case I
needed to develop a plan that allows non "Domain Admin" personnel to connect
remotely to our branch office DCs.
Allowing non-admin users to connect remotely to a domain controller requires a
couple of steps. Creating a security group and changing the "Default Domain
Controller" group policy is how I achieved that in my configuration.
If you do nothing, people will most probably contact you saying their remote
desktop connection has been denied, e.g.
Remote Desktop Connection:
The connection was denied because the user account is not authorized for remote
login.
Start by creating a new Windows security group.
Add all required user accounts to the new security group. After you have added
the user accounts, make the new security group a member of the "Remote Desktop
Users" builtin group. Without this step these users won't be allowed to use the
Remote Desktop Protocol on the Windows Server.
Start the Group Policy Management Editor and edit the "Default Domain
Controller" policy. Locate the "Allow log on through Remote Desktop Services"
user rights setting (Computer Configuration\Windows Settings\Security
Settings\Local Policies\User Rights Assignment\). Add the new security group
and close the management console.
If you are too quick trying to log on with a supporter account, the Domain
Controller will show you the following message:
To log on this remote computer, you must be granted the
Allow log on through Terminal Services right. By default, members of the
Administrators group have this right. If you are not a member of Administrators
group or another group that has this right, or if the Administrators group does
not have this right, you must be granted this right manually.
Make sure to wait until the "Default Domain Controller" policy has been
processed, or run gpupdate /force. I ran the gpupdate command and tried to log
on with a supporter account. The remote desktop connection worked successfully
and I was not a domain admin with this supporter account!
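The group part of the procedure above as an added PowerShell example (not from the original post), plus a check that the user right really landed on the DC. It assumes the RSAT ActiveDirectory module on a domain-joined admin host; the group name, OU and account names are constructed placeholders, and the user-right change itself is still made in the Group Policy Management Editor as described.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module
# and Domain Admin rights for the group changes. Group name, OU and accounts are constructed.
Import-Module ActiveDirectory

$GroupName = 'DC-RDP-Support'                 # constructed group name
$GroupPath = 'OU=Groups,DC=example,DC=local'  # constructed OU distinguished name
$Members   = @('helpdesk1', 'helpdesk2')      # constructed sAMAccountNames

# Step 1: create the security group if it does not exist yet
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupPath -Description 'Support staff allowed to RDP to domain controllers'
}

# Step 2: add the support accounts to the new group
Add-ADGroupMember -Identity $GroupName -Members $Members

# Step 3: nest the new group in the builtin "Remote Desktop Users" group
Add-ADGroupMember -Identity 'Remote Desktop Users' -Members $GroupName

# Step 4 ("Allow log on through Remote Desktop Services") is still set in the
# "Default Domain Controller" policy via the Group Policy Management Editor.
# After gpupdate /force, verify on the DC itself (elevated prompt) which
# principals actually hold the right by exporting the effective user rights:
$Cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
$Line = (Select-String -Path $Cfg -Pattern '^SeRemoteInteractiveLogonRight').Line
Remove-Item $Cfg

# secedit lists SIDs prefixed with '*'; translate each one to a readable account name
($Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $Sid = New-Object System.Security.Principal.SecurityIdentifier($_.Trim().TrimStart('*'))
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}
# Expect BUILTIN\Administrators plus the new group in the resulting list; if the
# group is missing, the policy has not been applied to this DC yet.
```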