I've got a tech that needs to be added as an administrator and have RDP rights on a read-only domain controller in a remote site. Here are the constraints and what I've tried so far:
They can't be a Domain Admin.
They can't have admin and RDP privs on any of our other 4 DC's - that took user delegation for the DC OU out of the picture from what I understand.
I tried dsmgmt.exe and added the user to the local admin and rdp role, but they still can't remote the server.
(Followed this KB for dsmgmt - http://technet.microsoft.com/en-us/library/cc732301(WS.10).aspx)
The group that the user is in is already added via GPO in the Remote Desktop Users in the System control panel snap-in.
Added Domain Admins and the user to a security group and set that group in the 'Managed By' tab under the RODC's AD object.
Any other thoughts? I thought we were on to something when we found the dsmgmt utility, but am I missing something other than just adding the user to each role?
Thanks and a big cookie goes out to anyone who can help.
Administrative/RDP Roles on a RODC
December 3rd, 2009 7:17pm
What's the message displayed when that delegated administrator attempts to log on to RODC via Remote Desktop?
hth
Marcin
December 3rd, 2009 7:37pm
To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop User group does not have this right, you must be granted this right manually.
You used the term "delegate". Just to be clear, I haven't delegated him any rights on the AD OU because I don't want him to have rights on the other DC's. Am I correct in thinking that?
December 3rd, 2009 7:40pm
Hi,
Open gpedit.msc on RODC, or create a GPO for this RODC, add the user to the following policies:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through TS.
You can also assign other rights to users here.
Thanks.
December 10th, 2009 10:27am
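The reply above points at the "Allow log on through Terminal Services" user right, which is also the right named in the error message. The following PowerShell, added here as an example and not posted by anyone in the thread, uses `secedit` to export the user rights of the machine it runs on and lists who holds that right (`SeRemoteInteractiveLogonRight`) and its deny counterpart; the helper function names are made up for the example.

```powershell
# Added example: list the holders of the Remote Desktop logon rights on this machine.
# Run from an elevated PowerShell prompt on the RODC.

function Get-UserRightHolders {
    param([string[]]$InfLines, [string]$Right)
    # Exported lines look like:
    #   SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }            # right is not assigned to anyone
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

function Resolve-SidToName {
    param([string]$Value)
    # secedit writes SIDs where it can and plain account names otherwise
    if ($Value -notmatch '^S-1-') { return $Value }
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $Value).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $Value                                # unresolvable SID: show it as-is
    }
}

# Export only the user rights area to a temporary INF file and read it back
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$inf = Get-Content -Path $cfg
Remove-Item -Path $cfg

$rdUsersSid = 'S-1-5-32-555'   # well-known SID of BUILTIN\Remote Desktop Users
foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $holders = @(Get-UserRightHolders -InfLines $inf -Right $right)
    [pscustomobject]@{
        Right              = $right
        Holders            = ($holders | ForEach-Object { Resolve-SidToName $_ }) -join '; '
        RemoteDesktopUsers = $holders -contains $rdUsersSid
    }
}
```

If `RemoteDesktopUsers` is `False` for `SeRemoteInteractiveLogonRight`, membership in Remote Desktop Users alone does not grant RDP logon on that machine; on domain controllers this right is assigned only to Administrators by default.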
Hi Mervyn
I have a problem when I try to change the Local Security Policy (Allow log on through Remote Desktop Services) on the RODC. The change I have made can't be saved.
February 19th, 2010 10:17am
This does not work.
March 6th, 2015 1:44am


