New AD installation issue

Hello,

I am not a pro in AD so the following problem is Greek to me but may be a simple/obvious fix.

A colleague has created a new domain for a new application's requirements. Then a second (DB) server was added to the domain. The new AD accounts all work fine on the DC, but I could not log in to the DB server with the AD account. (I am a member of the Administrators group.) The error that I received when I attempted to log in was: (paraphrase) "You do not have permission to log on remotely."

I logged into the DB server with the local admin account and started poking around. The first thing I did was check the "Allow log on through Terminal Services" security setting in the machine's group policy, but "Remote Desktop Users" (of which I am a part) has been added to this setting.

I opened up a command line as my AD account, which authenticates correctly. I decided to check the RSoP for my AD account. I ran gpresult and it returned a message saying that my AD account did not have RSoP data.

This is the point where I either went down the wrong path, don't know what the hell I'm doing, or both! Any help would be appreciated.

P.S.
Forest Functional Level: 2008
Domain Functional Level: 2008
DB Server OS: Server 2008 Standard SP1
AD DC OS: Server 2008 Standard SP1

Norm wrote:
> Hello,
>
> I am not a pro in AD so the following problem is Greek to me but may
> be a simple/obvious fix.
>
> A colleague has created a new domain for a new application's
> requirements. Then a second (DB) server was added to the domain. The
> new AD accounts all work fine on the DC, but I could not log in to the
> DB server with the AD account. (I am a member of the Administrators
> group.) The error that I received when I attempted to log in was:
> (paraphrase) "You do not have permission to log on remotely."

Membership of the Administrators group in the domain gives you admin access to the domain controllers (and Active Directory). However, membership will not grant you admin access to member servers or client computers in the domain - as you have found out :)

Membership of the Domain Admins group grants you admin privileges to the entire domain. This is because the Domain Admins group is a member of the Administrators group for the domain, and it is also automatically added to the local Administrators group of any server or workstation joined to the domain.

So in your case your AD account will either need to be added to Domain Admins for the domain, or it will need to be added to the local Administrators group (if you really need full admin access, that is) for your DB server. This is usually the better option as it is not always desirable to grant individuals blanket admin access throughout the domain.

--
Peter <X-Files fan>
On Mar 15, 12:59 am, "Trust No One®" <dana.scu***@usa.xnet> wrote:
> Membership of the Administrators group in the domain gives you admin access
> to the domain controllers (and Active Directory). However, membership will
> not grant you admin access to member servers or client computers in the
> domain - as you have found out :)
>
> [...]
>
> So in your case your AD account will either need to be added to Domain
> Admins for the domain, or it will need to be added to the local Administrators
> group (if you really need full admin access, that is) for your DB server.
> This is usually the better option as it is not always desirable to grant
> individuals blanket admin access throughout the domain.
>
> --
> Peter <X-Files fan>

Thanks for the reply Peter. Everything worked fine after I added myself to the Domain Admins. However, why would I need to be a member of Domain Admins in order to log into the machine remotely when my user is already a member of Remote Desktop Users? That is my main source of confusion.

Norm wrote:
> Thanks for the reply Peter. Everything worked fine after I added
> myself to the Domain Admins. However, why would I need to be a member of
> Domain Admins in order to log into the machine remotely when my user
> is already a member of Remote Desktop Users? That is my main source of
> confusion.

I would check whether Remote Desktop Users has been removed from the "Allow logon through Terminal Services" user rights assignment for the DB Server. Quickest way would be to run an RSoP on the DB Server.

I remember having a similar problem in our DMZ AD forest (Windows 2003). We had applied a lockdown template in the Windows 2003 Security Guide. That template restricted the Allow Logon through Terminal Services right to Administrators only. I don't know whether similar lockdowns apply to Windows 2008. I haven't played with it yet :(

You can also try checking the permissions on the RDP-TCP adapter in Terminal Services Configuration on the DB server. Verify that Remote Desktop Users is in there.

--
Peter <X-Files fan>

Trust No One® wrote:
> Norm wrote:
>> Thanks for the reply Peter. Everything worked fine after I added
>> myself to the Domain Admins. However, why would I need to be a member
>> of Domain Admins in order to log into the machine remotely when my
>> user is already a member of Remote Desktop Users? That is my main
>> source of confusion.
>
> I would check whether Remote Desktop Users has been removed from the
> "Allow logon through Terminal Services" user rights assignment for
> the DB Server.

Sorry - you already mentioned that this was the first thing you checked :) Doh!

--
Peter <X-Files fan>

Hello Norm,
For complete access on all domain machines you need to be in the Domain Admins group. Or, if forest access is needed, in the Enterprise Admins group.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups **
HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hello,
>
> I am not a pro in AD so the following problem is Greek to me but may
> be a simple/obvious fix.
>
> A colleague has created a new domain for a new application's
> requirements. Then a second (DB) server was added to the domain. The
> new AD accounts all work fine on the DC, but I could not log in to the
> DB server with the AD account. (I am a member of the Administrators
> group.) The error that I received when I attempted to log in was:
> (paraphrase) "You do not have permission to log on remotely."
>
> [...]
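The checks this thread circles around (who actually holds "Allow log on through Terminal Services" on the member server, who is in the local groups, and RSoP on the DB server rather than on the DC) can be run from one script. The following PowerShell is an added example written for this page, not code from any poster. It assumes it is run elevated on the member server itself under Windows PowerShell 2.0 or newer; the function names and the NEWDOMAIN\norm account in the usage comment are made up. It goes one step beyond the thread by also listing the Deny right, which overrides Allow and produces the same "permission to log on remotely" failure.

```powershell
# Added example, not part of the thread: diagnose why a domain account cannot
# log on to a member server over RDP. Run it elevated, on the member server
# itself (the DB server here), under Windows PowerShell 2.0 or later. The
# function names and the DOMAIN\user parameter are mine.
#
# It reports the three things Peter's replies ask about:
#   1. who holds "Allow log on through Terminal Services"
#      (SeRemoteInteractiveLogonRight) in the machine's effective local
#      policy, and who holds the Deny right, which overrides Allow;
#   2. who is directly in the local Administrators and Remote Desktop Users
#      groups (Domain Admins is nested into local Administrators at join
#      time; the domain's Administrators group is not);
#   3. whether the account has user-scope RSoP data on this machine.

function Get-LogonRightHolders {
    # Export the effective local security policy (user rights only) and parse
    # the [Privilege Rights] section, which lists SIDs prefixed with '*'.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name    = $matches[1]
            $holders = @()
            foreach ($entry in ($matches[2] -split ',')) {
                $entry = $entry.Trim()
                if ($entry -eq '') { continue }
                if ($entry.StartsWith('*')) {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    try   { $holders += $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $holders += $sid.Value }   # unresolvable SID: keep it raw
                } else {
                    $holders += $entry
                }
            }
            $rights[$name] = $holders
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Get-LocalGroupMembers([string]$GroupName) {
    # The WinNT ADSI provider works on Server 2008, long before Get-LocalGroupMember existed.
    $group = [ADSI]("WinNT://./$GroupName,group")
    foreach ($m in $group.psbase.Invoke('Members')) {
        # ADsPath is WinNT://DOMAIN/Name or WinNT://DOMAIN/COMPUTER/Name; emit the last two parts.
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        '{0}\{1}' -f $parts[-2], $parts[-1]
    }
}

function Test-RemoteLogon([string]$Account) {
    # $Account is DOMAIN\user. Only direct membership is checked here; nested
    # domain-group membership shows up in the logon token (whoami /groups run
    # as that user), not in the local group listing.
    $rights = Get-LogonRightHolders
    $allow  = @($rights['SeRemoteInteractiveLogonRight'])
    $deny   = @($rights['SeDenyRemoteInteractiveLogonRight'])
    $admins = @(Get-LocalGroupMembers 'Administrators')
    $rdu    = @(Get-LocalGroupMembers 'Remote Desktop Users')

    Write-Host "Allow log on through Terminal Services : $($allow -join ', ')"
    Write-Host "Deny  log on through Terminal Services : $($deny  -join ', ')"
    Write-Host "Local Administrators                   : $($admins -join ', ')"
    Write-Host "Local Remote Desktop Users             : $($rdu -join ', ')"
    if ($deny.Count -gt 0) {
        Write-Warning 'A Deny right is set; it wins over Allow for anyone it covers.'
    }

    # User-scope RSoP exists only after the account has logged on here once,
    # so for a never-logged-on user gpresult reports no RSoP data. The
    # computer-scope report still shows which GPO set the user right.
    gpresult.exe /scope computer /r
    gpresult.exe /user $Account /scope user /r

    New-Object PSObject -Property @{
        Account                 = $Account
        AllowRemoteLogon        = $allow
        DenyRemoteLogon         = $deny
        DirectLocalAdmin        = ($admins -contains $Account)
        DirectRemoteDesktopUser = ($rdu    -contains $Account)
    }
}

# Usage on the member server, elevated (account name is made up):
#   Test-RemoteLogon 'NEWDOMAIN\norm'
```

Two things the script deliberately does not do: it does not resolve nested group membership (run `whoami /groups` in a session as the account to see the effective token, as Norm did with a command prompt), and it does not read the RDP-Tcp listener permissions that Peter mentions, which live in Terminal Services Configuration rather than in the local security policy. If the Allow right lists Remote Desktop Users, the account is in that group, and the Deny right is empty, the listener permissions are the next place to look.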