> I stumbled over exactly the same problem and I was unable to
> find a resolution. My conclusion: even when a User Account, which
> is in the Domain User group, is added to the Remote Desktop User
> group, this setup (an AD DC together with TS on one box) refuses
> to let this type of User log in using Remote Desktop.
>
> I am convinced now that the MS developers have on purpose chosen
> to build in the security to have a User NOT log in when a TS
> and AD DC are running on one box. Somehow the system checks if
> both TS and AD DC are on one box or not.
>
> Pretty smart. However, why does MS sell WS Server 2008 with some
> 18 Server Roles, knowing that they cannot be run on one box? I
> now know that TS, TS License Server, DNS Server and AD DC all
> should be run on separate Hardware Servers to make it secure.
> So, in fact one needs at least 5 hardware servers (or can they
> be run on Virtual Servers?).
>
> "Vera Noest [MVP]" wrote:
>
>> And keep in mind that *hiding* drives is merely a cosmetic
>> thing, it will still be fairly easy for users to get to those
>> drives. The only mechanism which truly disables access is NTFS
>> permissions. But as Jeff says, running TS on a DC is a disaster
>> waiting to happen...
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting:
>> http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> Jeff Pitsch <jeff.pitsch.fake[ at ]jeffpitschconsulting.com> wrote
>> on 04 nov 2008 in microsoft.public.windows.terminal_services:
>>
>> > It is a colossal security flaw to allow your users on the
>> > domain controller. It's not MS's fault you've gone against
>> > best practices and decided to use your DC as a terminal
>> > server. There is a way to prevent users access to the local
>> > drives and that is through group policy. It is two settings
>> > you need to set and you are good to go. Is it perfect?
>> > Nope, but it's the best we have right now. If you are
>> > truly, TRULY concerned about security you'll buy another
>> > server and NOT let your users on the domain controller to
>> > begin with. If your users are truly that savvy then why
>> > would you allow them on in the first place?
>> >
>> > I'm sorry if this comes across the wrong way but I don't see
>> > how this is MS's fault in this case. There are legitimate
>> > reasons to allow users access to the server drives.
>> >
>> > And yes you can always directly edit the registry to hide the
>> > drives but then you lose the capability to filter who gets
>> > hidden drives and who doesn't.
>> >
>> > Jeff Pitsch
>> > Microsoft MVP - Terminal Services
>> >
>> > S H A R I Q U E wrote:
>> >> I do know about Group Policies to block access to certain
>> >> Folders/Drives. Can't I use any other method to achieve the
>> >> same? It is a security breach and any technical user can play
>> >> havoc with the DC. I don't know if it is a default feature of
>> >> Terminal Services to expose drives into the open or not. If
>> >> it is, then it is a colossal security flaw. What I mean is
>> >> that there should be a prevention to the local drives of the
>> >> TS server.
>> >>
>> >> regards
>> >>
>> >>
>> >> "Jeff Pitsch" wrote:
>> >>
>> >>> You can use group policy to hide the server drives. Are
>> >>> you familiar with group policy?
>> >>>
>> >>> Jeff Pitsch
>> >>> Microsoft MVP - Terminal Services
>> >>>
>> >>> S H A R I Q U E wrote:
>> >>>> Now, I am able to log on using domain users thanks to
>> >>>> modification of the local security policy.
>> >>>> I have installed Word Viewer on WIN2K8 and provided
>> >>>> access to a WINXP client through TS RemoteApp Manager. I can
>> >>>> run the application at the WINXP client successfully.
>> >>>> One thing which is quite alarming is that after opening
>> >>>> Word Viewer at the client side, when I go to File/Open, it
>> >>>> gives the domain user access to the root of the C drive and
>> >>>> shows my local drive as a network drive. How can I prevent
>> >>>> users from accessing drives of the WIN2K8 server?
>> >>>>
>> >>>>
>> >>>> "Jeff Pitsch" wrote:
>> >>>>
>> >>>>> Is the terminal server also a domain controller? If not,
>> >>>>> you need to add the users to the Remote Desktop User
>> >>>>> group that is local to the terminal server.
>> >>>>>
>> >>>>> Jeff Pitsch
>> >>>>> Microsoft MVP - Terminal Services
>> >>>>>
>> >>>>> S H A R I Q U E wrote:
>> >>>>>> I have created a RemoteApp program in Windows Server
>> >>>>>> 2008 TS. From a Windows XP client having the latest RDC 6.x
>> >>>>>> installed, I can run the application successfully using
>> >>>>>> the Administrator account. When I try to run the same
>> >>>>>> application using a domain user account, I get the error
>> >>>>>> "To log on to this remote computer, you must be granted
>> >>>>>> the Allow log on through Terminal Services right. By
>> >>>>>> default, members of the Remote Desktop Users group have
>> >>>>>> this right...etc..."
>> >>>>>>
>> >>>>>> I have added the domain user/computer account to the
>> >>>>>> Remote Desktop Users group in AD; even after that I am
>> >>>>>> getting the error. What piece of configuration am I
>> >>>>>> missing? Bear in mind that I am running this setup in a VM
>> >>>>>> with the default number of TS licenses, that is, two.
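The thread turns on three checks a practitioner would want to run on the box: who actually holds the "Allow log on through Terminal Services" right, what the two Explorer group-policy settings Jeff refers to write to the registry, and (Vera's point) what the NTFS ACL on the drive root really grants. The script below is an added example written for this page; it is not code from any of the posters. It assumes Windows PowerShell 2.0 or later in an elevated session on the terminal server, and that `secedit.exe` is available (it is part of Windows). The policy names and the `NoDrives`/`NoViewOnDrive` bitmask layout (bit 0 = A:, bit 1 = B:, bit 2 = C:, ...) are the documented Windows ones; the function names are this example's own.

```powershell
# Added example for the thread above; not from the original posts.
# Assumes: Windows PowerShell 2.0+, elevated, on the TS/DC box.

# 1. Who holds "Allow log on through Terminal Services"?
#    The underlying privilege is SeRemoteInteractiveLogonRight.
#    secedit exports the effective local policy, so on a domain
#    controller this shows the result after domain GPOs have applied.
function Get-RemoteInteractiveLogonRight {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Format: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # secedit prefixes SIDs with '*'; translate to an account name
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}

# 2. The two Explorer policies, as the registry values they set:
#    "Hide these specified drives in My Computer"   -> NoDrives
#    "Prevent access to drives from My Computer"    -> NoViewOnDrive
#    Both are DWORD bitmasks over drive letters A..Z.
function Get-DriveMask {
    param([string[]]$Drives)
    $mask = 0
    foreach ($d in $Drives) {
        $letter = $d.Trim().TrimEnd(':').ToUpper()
        if ($letter -notmatch '^[A-Z]$') { throw "Not a drive letter: '$d'" }
        $index = [int][char]$letter - [int][char]'A'
        $mask = $mask -bor [int][math]::Pow(2, $index)
    }
    return $mask   # e.g. 'C' -> 4, 'C','D' -> 12
}

# Writing the values straight into HKCU affects only the current user,
# which is the per-user filtering you lose by skipping Group Policy.
function Set-DriveRestriction {
    param([string[]]$Drives, [switch]$HideOnly)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $mask = Get-DriveMask $Drives
    Set-ItemProperty -Path $key -Name NoDrives -Value $mask -Type DWord
    if (-not $HideOnly) {
        Set-ItemProperty -Path $key -Name NoViewOnDrive -Value $mask -Type DWord
    }
    Get-ItemProperty -Path $key | Select-Object NoDrives, NoViewOnDrive
}

# 3. Hiding is cosmetic; the ACL on the drive root is the real control.
#    List every Allow ACE on the root granted to a broad principal.
function Get-RootAccessForUsers {
    param([string]$Drive = 'C:\')
    (Get-Acl -Path $Drive).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Users|Everyone|Authenticated'
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage:
Get-RemoteInteractiveLogonRight          # expect Administrators, Remote Desktop Users
Get-DriveMask 'C', 'D'                   # 12
Set-DriveRestriction -Drives 'C'         # hides and blocks C: for this user only
Get-RootAccessForUsers 'C:\'             # what a domain user can still touch
```

If `Get-RemoteInteractiveLogonRight` lists only Administrators, adding the user to Remote Desktop Users does nothing until the user-rights assignment itself is changed, which matches the fix Sharique reports (a local security policy change). `NoViewOnDrive` blocks Explorer and the common dialogs such as Word Viewer's File/Open, but a user with a command prompt or a scripting host still reaches the drive, which is why the last function is the one that decides whether the box is actually protected.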