I am relatively new to Windows Server and would like someone to confirm if my understanding of the permissions required for users to logon to a Windows 2008 R2 server on a Windows domain is correct:
Anyone in the Administrators group can log into the server physically at the server or through a remote mstsc window by specifying their username in Logon window.
The Administrators group can do everything the other groups can.
Anyone in the Remote Desktop group can run mstsc from a client computer and see the server's log on screen.
Anyone in the users group can log onto the server at its login screen.
So therefore the following scenarios are true:
User
DOMAIN\JOHN
is in the Remote Desktop Users onDOMAIN\SERVER1
group but not the users group on that server. UserDOMAIN\JANE
is in the users group but not the Remote Desktop Users group.- John can start an mstsc from
DOMAIN\PC1
asDOMAIN\JOHN
and he will see the login screen but will not be able to sign in asDOMAIN\JOHN
however, could sign in asDOMAIN\JANE
.
- John can start an mstsc from
User
DOMAIN\JAMES
is in the Administrators Group onDOMAIN\SERVER1
but not in the Users or Remote Desktop Users group. He will be able to start an mstsc session onDOMAIN\SERVER1
fromDOMAIN\PC2
asDOMAIN\JAMES
and see the login screen and login asDOMAIN\JAMES
.User
DOMAIN\JACK
is in the Users group onDOMAIN\SERVER1
but not in the Remote Desktop Users group. Jack can gain access to the server but only through physical access to the server itself (because he cannot get to the server via RDP).User
DOMAIN\JILL
is logged intoDOMAIN\PC1
, runs mstsc, enters the usernameDOMAIN\JOHN
in the Logon settings of mstsc, sees the server login screen and entersDOMAIN\JANE
and the server desktop appears.
Sorry if this seems fairly trivial but it is my understanding from a bit of reading and it would be great if someone could confirm if I am correct.