In a previous article, Windows Server Hacks: Remotely Enable Remote Desktop, we covered a simple trick that lets you enable Remote Desktop on a remote server if you forgot to do so before shipping it out to a remote location. That way you can remotely log on to your servers even if no administrator is present at the remote site. While Remote Desktop is a great tool for remote management, it also has its hazards, and you want to be careful whom you allow to use it. This article examines how to control who has access to this feature and how to lock it down using Group Policy.
When you enable Remote Desktop on a server, by default anyone who belongs to the local Administrators group on the machine can log on to it remotely using Remote Desktop Connection (or Remote Desktop Web Connection). Since the Domain Admins global group is added to this local Administrators group by default, this means any administrator can log on to the machine remotely.
If you want to give other users (such as Bob Smith in the Help Desk department) the ability to log on to servers, you can add them to the Remote Desktop Users group, which is found in the Builtin container for your domain in Active Directory Users and Computers (ADUC):
Figure 1. Remote Desktop Users group in ADUC
To give Bob the necessary privileges to log on remotely using Remote Desktop Connection, add his user account to this group:
Figure 2. Adding Bob to the Remote Desktop Users group using ADUC
Because Remote Desktop Users is a built-in group, adding members to it in ADUC gives Bob remote log-on capability on all domain controllers in the domain. If you want to give him that capability on a member server instead, use the System tool in Control Panel on that server: open System, switch to the Remote tab, and click Select Remote Users. Then find Bob's account in the directory and add him to the list of users who can log on to the system remotely:
Figure 3. Adding Bob to the Remote Desktop Users group using the System tool in Control Panel
Even after Bob is added to the Remote Desktop Users group, when he tries to use Remote Desktop Connection to log on to a remote machine that has Remote Desktop enabled, Remote Desktop Connection will start and the Windows log-on box will be displayed, but a dialog box will then appear saying "The local policy of this system does not permit you to log on interactively." What's wrong? You still have to configure a policy setting on the remote machine before Bob can log on remotely. This policy setting is found at Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and is called "Allow log on through Terminal Services." You have to define this policy on the remote machine and add Bob to the list of users who hold this right:
Figure 4. Policy setting for enabling interactive log-on using Remote Desktop
You configure this policy setting in one of several ways:
Once you perform these two steps, adding Bob to the Remote Desktop Users group and using Group Policy to grant him the user right to log on to the remote machine through Terminal Services, Bob can open Remote Desktop Connection (in Accessories -> Communications), enter his username and password, and log on to the remote machine. Of course, once he logs on, he can perform only those tasks that his group membership allows. If Bob has an ordinary user account, for example, he can view system settings but not modify them:
Figure 5. Enabling Bob to log on to a server remotely doesn't mean he can administer it
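The two requirements above (membership in Remote Desktop Users and the "Allow log on through Terminal Services" user right, whose internal name is SeRemoteInteractiveLogonRight) are easy to check from the server itself. The following audit script is an added example, not code from the article; it assumes it is run elevated in Windows PowerShell on the member server being checked, and the account name CONTOSO\bsmith is a placeholder for the user you are verifying.

```powershell
# Added audit script (not from the article): reports who can reach this server over Remote Desktop
# and whether a given account satisfies both requirements described above.
# Assumption: run elevated on the target server; $Account is a placeholder to replace.
param([string]$Account = "CONTOSO\bsmith")

# Requirement 1: membership of the local Remote Desktop Users group (ADSI WinNT provider)
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
$members = @($group.psbase.Invoke("Members") | ForEach-Object {
    $path = $_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null)
    # ADsPath looks like WinNT://DOMAIN/user; rewrite it as DOMAIN\user
    ($path -replace '^WinNT://', '') -replace '/', '\'
})

# Requirement 2: holders of the "Allow log on through Terminal Services" user right,
# read from an export of the effective local security policy
$cfg = Join-Path $env:TEMP "user-rights-audit.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
Remove-Item $cfg -Force
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim()
        if ($id.StartsWith('*')) {
            # secedit writes principals as *SID; translate to a readable account name
            try { (New-Object System.Security.Principal.SecurityIdentifier $id.Substring(1)).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $id }
        } else { $id }
    }
}

"Remote Desktop Users members : $($members -join ', ')"
"Holders of the user right    : $($holders -join ', ')"

# Both conditions must hold (or the right must be granted to the account directly)
$inGroup       = $members -contains $Account
$groupHasRight = $holders -contains 'BUILTIN\Remote Desktop Users'
$userHasRight  = $holders -contains $Account
if (($inGroup -and $groupHasRight) -or $userHasRight) {
    "$Account can log on through Remote Desktop"
} elseif ($inGroup) {
    "$Account is in Remote Desktop Users but lacks the user right: expect the 'does not permit you to log on interactively' error"
} else {
    "$Account is not a member of Remote Desktop Users on this server"
}
```

The user-right check reads the effective local policy, so a setting pushed by a domain GPO is reflected once the policy has applied on the server.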
Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.
Copyright © 2009 O'Reilly Media, Inc.