G
Guest
Hi,
I'm trying to allow a support person to logon on via TS to a Win2003 DC in
order to create shares and shut it down if necessary (the server is a
combined DC and File&Print server in another country).
I've added the user to every group under the sun, but the only way to get a
TS logon to work appears to be to make him a domain admin.
Am I being realy dumb ? Have I missed something obvious ?
More Info:
The user ServerUser: is a member of "server operators", "backup ops",
"printer ops"
If have modified the DC GPO so that each of these groups can "log on
locally" and "log on via TS" (NB: I allowed ServerUser to log on to member
servers by modifying the member server GPO this way, so thought this would
work).
I've found a TechNet article (KB267553) that talks about adding
tsInternetUser for Pre Win2000 access. Now my given domain is entirely WinXP
clients, Win2K3 (DC's 2003 native) and a few Win2Ksp4 member servers, I
should not need to do this.
But when I tried this in my test domain it it worked ! - am I opening some
massive security hole by doing this ?
Any help or suggestions appreciated.
Thanks in advance.
I'm trying to allow a support person to logon on via TS to a Win2003 DC in
order to create shares and shut it down if necessary (the server is a
combined DC and File&Print server in another country).
I've added the user to every group under the sun, but the only way to get a
TS logon to work appears to be to make him a domain admin.
Am I being realy dumb ? Have I missed something obvious ?
More Info:
The user ServerUser: is a member of "server operators", "backup ops",
"printer ops"
If have modified the DC GPO so that each of these groups can "log on
locally" and "log on via TS" (NB: I allowed ServerUser to log on to member
servers by modifying the member server GPO this way, so thought this would
work).
I've found a TechNet article (KB267553) that talks about adding
tsInternetUser for Pre Win2000 access. Now my given domain is entirely WinXP
clients, Win2K3 (DC's 2003 native) and a few Win2Ksp4 member servers, I
should not need to do this.
But when I tried this in my test domain it it worked ! - am I opening some
massive security hole by doing this ?
Any help or suggestions appreciated.
Thanks in advance.