-1

How can I grant console access permission (via MSTSC.EXE /ADMIN) to a normal RDP user who is not an administrator or domain admin? We are using a load-balanced terminal server farm running on Windows Server 2008 R2.

I have added the user to a new Active Directory security group. This group has been granted access to log in via RDP in System Properties > Remote > Remote Desktop Users. The group has also been listed, via group policy, under "Allow log on through Remote Desktop Services" AND "Allow log on locally", in GPEDIT > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

When attempting to log in, we receive the message "The requested session access is denied".

Any ideas how to go about this? Effectively just want to grant 1 user the ability to log on to either RDP server directly, using mstsc /admin, bypassing the load-balancer.

Relevant post by someone seeking the same ability which may be of use: https://social.technet.microsoft.com/Forums/windowsserver/en-US/7dcfb01d-734d-4f17-8afa-ca487d6949d6

Thanks all!

aciid

1 Answer

0

You should probably add the user to the security descriptor. The article here describes how to do it via WMI.

Reply from a colleague on this:

If without “/admin” and user can logon, it is likely that user is not in console security descriptor

HKLM\System\CurrentControlSet\Control\Terminal Server\winstations\Console\Security (or maybe default security)

No UX tool to modify SD, only WMI: https://support.microsoft.com/en-us/kb/290720

cdavid
  • Thanks, that put me on the right track, in the end used the following command & all is good! `WMIC RDPermissions where "TerminalName='console'" call AddAccount "domain\UserName", 2` – aciid Oct 11 '16 at 07:53
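
The WMIC call from the comment above, expressed through the same WMI classes in PowerShell so that the Console permission list can be reviewed before and after the change. This is an added example, not code from the original thread: `DOMAIN\UserName` is a placeholder, the preset values (0 guest, 1 user, 2 full access) are those of `Win32_TSPermissionsSetting.AddAccount`, and the `root\cimv2\TerminalServices` namespace is assumed for Server 2008 R2.

```powershell
# Added example: audit, then extend, the Console winstation security descriptor.
# The descriptor lives under HKLM, so run this elevated on each farm member
# the account must be able to reach with mstsc /admin.
param(
    [string]$Account  = 'DOMAIN\UserName',  # placeholder, as in the comment above
    [string]$Terminal = 'Console',
    [ValidateSet(0, 1, 2)]
    [int]$Preset      = 2                   # 0 = guest, 1 = user, 2 = full access (value used above)
)

# Assumption: Server 2008 / 2008 R2 expose these classes in this namespace,
# which only accepts connections using packet privacy.
$wmi = @{ Namespace = 'root\cimv2\TerminalServices'; Authentication = 'PacketPrivacy' }

function Get-TerminalAcl {
    # One Win32_TSAccount instance per account listed on the descriptor.
    Get-WmiObject @wmi -Class Win32_TSAccount -Filter "TerminalName='$Terminal'" |
        Select-Object AccountName,
            @{ n = 'Allowed'; e = { '0x{0:X}' -f $_.PermissionsAllowed } },
            @{ n = 'Denied';  e = { '0x{0:X}' -f $_.PermissionsDenied } }
}

# Record who already has rights on the console session before touching it.
$before = @(Get-TerminalAcl)
$before | Format-Table -AutoSize | Out-Host

# Compare in PowerShell rather than in WQL to avoid escaping the backslash.
if ($before | Where-Object { $_.AccountName -eq $Account }) {
    Write-Host "$Account is already on the $Terminal descriptor; nothing changed."
    return
}

$setting = Get-WmiObject @wmi -Class Win32_TSPermissionsSetting -Filter "TerminalName='$Terminal'"
if (-not $setting) { throw "No Win32_TSPermissionsSetting instance for '$Terminal'." }

# Equivalent of: WMIC RDPermissions where "TerminalName='console'" call AddAccount ...
$result = $setting.AddAccount($Account, $Preset)
if ($result.ReturnValue -ne 0) { throw "AddAccount failed with code $($result.ReturnValue)." }

# Show the descriptor again so the new entry and its access mask are on record.
Get-TerminalAcl | Format-Table -AutoSize | Out-Host
```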