
I am relatively new to Windows Server and would like someone to confirm whether my understanding of the permissions required for users to log on to a Windows 2008 R2 server on a Windows domain is correct:

  1. Anyone in the Administrators group can log in to the server, either physically at the server or through a remote mstsc window, by specifying their username in the Logon window.

  2. The Administrators group can do everything the other groups can.

  3. Anyone in the Remote Desktop Users group can run mstsc from a client computer and see the server's logon screen.

  4. Anyone in the Users group can log on to the server at its login screen.

So therefore the following scenarios are true:

  1. User DOMAIN\JOHN is in the Remote Desktop Users group on DOMAIN\SERVER1 but not in the Users group on that server. User DOMAIN\JANE is in the Users group but not in the Remote Desktop Users group.

    • John can start mstsc from DOMAIN\PC1 as DOMAIN\JOHN and will see the login screen, but he will not be able to sign in as DOMAIN\JOHN; however, he could sign in as DOMAIN\JANE.

  2. User DOMAIN\JAMES is in the Administrators group on DOMAIN\SERVER1 but not in the Users or Remote Desktop Users group. He will be able to start an mstsc session to DOMAIN\SERVER1 from DOMAIN\PC2 as DOMAIN\JAMES, see the login screen, and log in as DOMAIN\JAMES.

  3. User DOMAIN\JACK is in the Users group on DOMAIN\SERVER1 but not in the Remote Desktop Users group. Jack can gain access to the server but only through physical access to the server itself (because he cannot get to the server via RDP).

  4. User DOMAIN\JILL is logged in to DOMAIN\PC1, runs mstsc, enters the username DOMAIN\JOHN in the Logon settings of mstsc, sees the server login screen, enters DOMAIN\JANE, and the server desktop appears.

Sorry if this seems fairly trivial, but it is my understanding from a bit of reading, and it would be great if someone could confirm whether I am correct.


It depends.

The answer to your questions depends on whether the users and groups you are considering have the necessary User Rights to log on to the computer.

Permission to log on to a Windows Server is controlled via two Group Policy settings. They're both located at:

Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment

If you're instead editing Local Group Policy (vs. Domain GP), the settings are found at:

Local Policies/User Rights Assignment

The two settings and their function are as follows:

1. "Allow log on locally"

According to TechNet:

This policy setting determines which users can start an interactive session on the computer.

In other words, this controls who can log on via the computer's "physical" console. In the case of a virtual machine, this would be a logon through the virtual machine management interface.

The above article confirms this right is not needed to establish a Remote Desktop session:

Users who do not have this right are still able to start a remote interactive session on the computer if they have the Allow logon through Remote Desktop Services right.

Unless the computer is a domain-member or Domain Controller computer:

Users must have this user right to log on over a Remote Desktop Services or Terminal Services session that is running on a Windows-based member computer or domain controller.

2. "Allow log on through Remote Desktop Services"

According to TechNet:

This policy setting determines which users or groups can access the logon screen of a remote computer through a Remote Desktop Services connection. It is possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server.

The reason a user might be able to establish a Remote Desktop session but not be able to log on to the console is that the latter requires the "Allow log on locally" right, which, as mentioned above, isn't required in all cases to log on remotely.

The TechNet articles linked above explain which users and groups are assigned these logon rights by default. However, that can be changed by editing these two settings. It is for that reason that the answer to your questions depends on how your server (and the domain it's in) is configured.
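Since the answer comes down to who actually holds these two rights on a given server, here is an added example (not part of the answer or the TechNet articles) that reads them from the server's effective local security policy. It assumes an elevated PowerShell prompt on the server itself and that secedit.exe exports its usual "[Privilege Rights]" INF section, where principals appear as "*<SID>" or as plain account names; the two "Deny" counterparts are included because a deny right overrides the matching allow right.

```powershell
# Added example, not from the original post: list who holds the logon rights
# discussed above, as seen in the server's effective local security policy.
# Assumes an elevated prompt on the server; secedit.exe ships with Windows.

# Constant name of each user right as secedit writes it, with its GUI display name.
$rightNames = @{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
}
$order = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight',
         'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'

function Resolve-Principal {
    param([string]$Value)
    # secedit prefixes SIDs with '*'; translate them to DOMAIN\Name where possible.
    if (-not $Value.StartsWith('*')) { return $Value }
    try {
        $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $Value.Substring(1)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Value   # orphaned or unknown SID: keep it raw so it still shows up
    }
}

$inf = Join-Path $env:TEMP 'user-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

# Read only the [Privilege Rights] section; a right with no holders is simply absent.
$holders = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection) { continue }
    if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
        $name, $value = $Matches[1], $Matches[2]
        if ($rightNames.ContainsKey($name)) {
            $holders[$name] = @($value -split ',' | ForEach-Object { $_.Trim() } |
                Where-Object { $_ } | ForEach-Object { Resolve-Principal $_ })
        }
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

foreach ($name in $order) {
    $who = if ($holders.ContainsKey($name)) { $holders[$name] -join ', ' } else { '(nobody)' }
    '{0,-48} {1}' -f $rightNames[$name], $who
}
```

On a member server this shows the effective result of domain and local policy combined, so it is the quickest way to check the scenarios in the question against a real server rather than against the defaults.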
