Tech Tips / Windows 2000 Server / Terminal Services

Setting local logon access for Terminal Services

This tip is inspired by that wonderful logon error dialog that informs users they do not have the access rights to log on locally. Surely such users rip their hair out, screaming that it's not local at all. Isn't remotely accessing the applications what Terminal Services is all about? Well, yes and no. This particular security setting is designed to help you manage who has access to potentially exploitable systems.

Note: If you already use Terminal Services or plan to, then we strongly suggest that you limit the TS server to only the applications that it will serve; otherwise it presents a very ripe target for crackers.

Here we go:

  1. Go to Start | Programs | Administrative Tools and open the Domain Controller Security Policy console.
  2. The tree will be completely collapsed, so select Windows Settings | Security Settings | Local Policies and choose the User Rights Assignment object. A list of registry objects will appear in the right pane.
  3. Locate the Log On Locally object and right-click it. Select the Security item.
  4. Make sure the Define These Policy Settings check box at the top of the dialog box is selected.
  5. To add users to this security object, click Add and enter the name of the user or group object to add. Click the Browse button to select from a list of qualified object names.
  6. Click OK a few times. Those users now have access to the server and can run shell sessions or published applications.
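To review the result of the steps above, the following added example (not part of the original tip) lists who holds Log On Locally in a security template export and flags well-known groups that are broader than a Terminal Services server should admit. It assumes the user rights were exported to an INF file with `secedit /export`, where this right appears as `SeInteractiveLogonRight`; the sample text, domain SID and `EXAMPLE\TSUsers` are constructed.

```python
# Added example: audit who holds "Log on locally" in a security template export.
# SAMPLE_INF is constructed; the domain SID and account name are placeholders.
# For a real export, decode the file (usually UTF-16) and pass in its text.

RIGHT = "SeInteractiveLogonRight"   # internal name of "Log on locally"

# Well-known SIDs that cover far more accounts than a TS server should admit.
BROAD = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
}

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-21-1111111111-2222222222-3333333333-1105,EXAMPLE\\TSUsers
[Version]
signature="$CHICAGO$"
Revision=1
"""

def holders(inf_text, right=RIGHT):
    """Return the principals assigned `right`, or None if it is not defined."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == right.lower():
            # SIDs are written with a leading '*'; account names are not.
            return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return None

def broad_holders(inf_text):
    """Map each overly broad SID holding the right to its display name."""
    return {p: BROAD[p] for p in (holders(inf_text) or []) if p in BROAD}

if __name__ == "__main__":
    print("Log on locally:", holders(SAMPLE_INF))
    print("Review these:", broad_holders(SAMPLE_INF))
```

A return value of `None` means the right is not defined in the template at all, while an empty list means it is defined with no members.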


Copyright ©2007