
Windows Server Forum / Small Business Server / SBS 2000 / July 2003


TS logon and policies

SuperGumby - 31 Jul 2003 02:39 GMT
Which policy disallows ordinary users from logging on to a TS on SBS with TS
in admin mode? pls.

I've checked local, domain & domain controller security policies and cannot
see why an ordinary user IS able to logon to one SBS but is not (as
expected) able to logon to another.

TIA
SuperGumby - 31 Jul 2003 03:49 GMT
ARRRRRRGGGHHH, now that I've fixed the problem I can admit my mistake. (and
add something to my wishlist)

it was my home system, BTW.

I had made the user a member of a group which was a member of
'Administrators'. Now my wishlist includes a view of the AD and linked
dependencies.

tks ur thts Kev & Mark

> Which policy disallows ordinary users from logging on to a TS on SBS with TS
> in admin mode? pls.
[quoted text clipped - 4 lines]
>
> TIA
Les Connor [SBS MVP] - 31 Jul 2003 17:13 GMT
> 'Administrators'. Now my wishlist includes a view of the AD and linked
> dependencies.

Try that Group Policy Management add-on. I see it's included in SBS2k3, but
I don't know how to use it :-(. I just browse in there, for now.

--
Les Connor
------------------
[SBS MVP]

> ARRRRRRGGGHHH, now that I've fixed the problem I can admit my mistake. (and
> add something to my wishlist)
[quoted text clipped - 17 lines]
> >
> > TIA
Garry Martin - 31 Jul 2003 17:35 GMT
http://www.joeware.net/win32/index.html
<snip>

MemberOf - How do you handle enumerating the groups a user has in Active
Directory? Especially when there could be n levels of nesting going on with
possible recursive nesting. I was wondering that myself... I checked out
Microsoft's Resource Kit Tool ifmember and it doesn't enumerate nested
groups unless the nesting is the old NT way of nesting Global groups into
Local Groups. Well I sat down this morning and worked out a solution.
MemberOf is the solution, if you just run it it will give you the groups
that the current process security context user has. You can specify a
different user if you would like. If you use the -h switch you can see usage
help. Here is a little sample run:

G:\Dev\cpp\MemberOf>memberof -u joehome\test2

MemberOf V02.00.00cpp Joe Richards (joe@joeware.net) February 2003

Group Memberships:
 [Global Security] [Domain Users] CN=Domain Users,CN=Users,DC=joehome,DC=com
 [Global Security] [GGroup1] CN=GGroup1,OU=Test,DC=joehome,DC=com
 [Global Security] [GGroup2] CN=GGroup2,OU=Test,DC=joehome,DC=com
 [Local Security] [TestGroup2] CN=TestGroup2,OU=Test,DC=joehome,DC=com
 [Local Security] [Users] CN=Users,CN=Builtin,DC=joehome,DC=com
 [Local Security] [testgroup1] CN=testgroup1,OU=Test,DC=joehome,DC=com
 [Local Security] [testgroup3] CN=testgroup3,OU=Test,DC=joehome,DC=com
This program could be used in a logon script to check if a user is in a
specific group in the following way:

@echo off
rem find sets ERRORLEVEL to 0 when the group name is in the output, 1 when it is not
memberof -q | find /i "[domain admins]" >nul
if %ERRORLEVEL%*==0* echo "User is member of domain admins"
if %ERRORLEVEL%*==1* echo "User is not a member of domain admins"
This program works by enumerating the MemberOf attribute of a userid hence
the name, this means that the program would only display group memberships
which would be in this attribute and that includes Global/Local Groups of
the user's domain and Universal Groups of the user's Forest. For some
reason, MS doesn't include the user's Primary group in the MemberOf
attribute so the program by default will go figure out that group on the
side. If you want to disable this feature you can specify -np on the command
line.
Update: Version 2.00.00 - Complete rewrite. I was alerted to some bugs with
Universal groups which made me look at the whole thing again. Will only
currently enumerate groups that are in the direct nesting pathing. I intend
to make it find all group memberships across a forest eventually.
[Version: 2.00.00, Date: 02/25/2003]

</snip>

Signature

Garry Martin

> ARRRRRRGGGHHH, now that I've fixed the problem I can admit my mistake. (and
> add something to my wishlist)
[quoted text clipped - 17 lines]
> >
> > TIA
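The nested-membership problem from this thread (a user placed in a group that is itself a member of 'Administrators'), as an added example that is not part of any post and is not joeware's MemberOf code: a Python walk over memberOf links that follows nesting to any depth, tolerates recursive nesting, adds the primary group that memberOf omits, and reports the chain that grants a membership. The directory contents and the names jsmith, mlee, Helpdesk and Server Maintenance are constructed for illustration.

```python
from collections import deque

# Constructed sample directory: principal -> groups listed in its memberOf attribute.
MEMBER_OF = {
    "jsmith": ["Helpdesk"],
    "mlee": [],
    "Helpdesk": ["Server Maintenance"],
    # Nested into Administrators, and nested back into Helpdesk (recursive nesting).
    "Server Maintenance": ["Administrators", "Helpdesk"],
    "Domain Users": ["Users"],
    "Administrators": [],
    "Users": [],
}
# The primary group is not listed in memberOf, so it is tracked separately.
PRIMARY_GROUP = {"jsmith": "Domain Users", "mlee": "Domain Users"}


def effective_groups(principal, member_of, primary_group):
    """Return {group: nesting path from principal} for every reachable group."""
    start = list(member_of.get(principal, []))
    if principal in primary_group:
        start.append(primary_group[principal])
    paths = {}
    queue = deque((group, [principal, group]) for group in start)
    while queue:
        group, path = queue.popleft()
        if group in paths:  # already expanded: this is what stops nesting loops
            continue
        paths[group] = path  # breadth-first, so this is a shortest chain
        for parent in member_of.get(group, []):
            queue.append((parent, path + [parent]))
    return paths


def why_member(principal, target, member_of=MEMBER_OF, primary_group=PRIMARY_GROUP):
    """Return the nesting chain that puts principal in target, or None."""
    path = effective_groups(principal, member_of, primary_group).get(target)
    return " -> ".join(path) if path else None


if __name__ == "__main__":
    for user in ("jsmith", "mlee"):
        print(user, "Administrators via:", why_member(user, "Administrators"))
```
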
SuperGumby - 31 Jul 2003 23:18 GMT
hmmm, not the first useful thing I've seen from Joe.

tks for the pointer.

> http://www.joeware.net/win32/index.html
> <snip>
[quoted text clipped - 69 lines]
> > >
> > > TIA
Chad A Gross - 31 Jul 2003 05:25 GMT
Hey SG -

By default only Administrators can log in to TS in Remote Admin mode - but
you can configure it to let other groups / individual users log in as well.

Open Terminal Services Configuration in Administrative Tools, select
Connections, double-click on RDP-tcp to open its Properties.  On the
Permissions tab, add the necessary users / groups you want to allow to log
on.  Of course they are only going to be able to access the SBS Personal
Console if they aren't Administrators . . .

Signature

Chad A Gross

Lerman's Law of Technology:  Any technical problem can be overcome
given enough time and money. Corollary:  You are never given enough
time or money.

> Which policy disallows ordinary users from logging on to a TS on SBS
> with TS in admin mode? pls.
[quoted text clipped - 4 lines]
>
> TIA
 