Deny DC logon rights


pdbasham

Hi All

I have 2 DCs in my home testlab. My daughter is using an
old laptop with Win2k Pro installed and is running
terminal services sessions on one of the DC's. The
terminal service is running in administrator mode.

I want her to continue to be able to access the server in
terminal services mode, but not to be able to log on
locally to the DC. I can configure this so it is the
opposite of what I require, but how do I achieve my
desired result?

Win2k server SP4 and all up to date fixes. Any help would
be appreciated.

Regards
Paul Basham
 
You can't. That is the main reason why Terminal Services should
never run in Application mode on a DC.
Remote Administration mode is meant for Administrators, and those
should have Logon Locally rights.

The only thing that I can think of is a quick-and-dirty and
certainly not foolproof workaround:
Write a small batch file that runs as her login script. Check the
variable %clientname% or %sessionname% (check which one you need
with set | more on the console of the server). If this equals
"Console", log her off immediately. Make sure that she has Read +
Execute rights to this script, but not Delete. Make sure she can't
change her own account settings.

Or just have a serious talk with her and explain to her why she
shouldn't do this :-)
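
A sketch of the login-script workaround described in the reply above, added here as an example and not part of either poster's message. It assumes console logons show SESSIONNAME=Console on the server; the log path is hypothetical, and treating a missing variable as a console logon is a choice made for this example.

```batch
@echo off
rem Added example, not from the thread: logon script for the restricted account.
rem Assumption: console logons show SESSIONNAME=Console on this server. Confirm
rem with "set | more" at the console, as the reply says, and use CLIENTNAME
rem instead if that is the variable that differs on your server.
setlocal

rem Hypothetical log location; the account needs append access to it.
set LOGFILE=\\SERVER\logonaudit$\console-logon.log

rem Fail closed (a choice made for this example): a missing variable is
rem treated the same as a console logon.
if not defined SESSIONNAME goto deny
if /i "%SESSIONNAME%"=="Console" goto deny

rem Terminal Services session (for example RDP-Tcp#1): let the logon proceed.
goto end

:deny
rem Record the attempt before ending the session, so it can be reviewed later.
echo %DATE% %TIME% %USERDOMAIN%\%USERNAME% console logon on %COMPUTERNAME% >> "%LOGFILE%"
logoff

:end
endlocal
```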
 
Vera

Many thanks for your quick reply.

I think the pep talk will be the order of the day :-)

Regards
Paul Basham
 