Tags: domain, domain controller, rdp, terminal services
#1
Can domain users RDP to domain controllers?
Hi guys, can I check with you guys whether, by default, a domain user can RDP to a domain controller? I tried putting the account into the Remote Desktop Users group, which has the "Allow logon via Terminal Services" right. I also granted it the "Allow logon locally" right. But while I am able to log on to the DC locally with that account, I am not able to RDP into it. Are only domain admins able to RDP to a DC? Regards
|
#2
By default, domain users are not allowed to log on to a DC. And this shouldn't be changed; a DC is the heart of the domain. Why should they be able to log on to it? By default, domain users shouldn't be able to log on remotely (RDP) to DCs or servers.
|
#3
Re: Can domain users RDP to domain controllers?
Actually, there is an application installed on this DC, and the application team wants a normal user account with just enough permission to administer the application. So I am thinking of giving them a domain user account and granting them enough permission to perform their administration, probably granting the account full control on the application-related folders (located separately from the system drive). I wonder if there is a better solution? Does promoting a server to a DC result in domain users not being able to log on remotely (RDP) to the node?
|
#4
Let's stay with the first error and move on once that is resolved, or open up a separate thread on the SBS newsgroup. So could you provide the info previously requested? Paul, is this machine an SBS box? Looking back in this thread, I couldn't find that info.
|
#5
As Paul and Meinolf mentioned, by default Domain Users are not permitted to log on to a DC. If you really need them to log on, they also need Interactive rights. That is done manually by running the following command: ntrights -u Users +r SeInteractiveLogonRight or ntrights -u TheUser'sAccountName +r SeInteractiveLogonRight. You will need ntrights.exe from the Resource Kit installed to run it. HOWEVER, I recommend putting the app on a non-DC. And yes, to answer your other question, when you promote a machine to a DC, this security does go into effect.
|
#6
Re: Can domain users RDP to domain controllers?
I would be hesitant about this. If possible, move the application OFF a domain controller onto a member server, even if it's virtual - then the application support folks can do what they like. You have to open up too many security holes to allow anyone but a domain admin to log into a DC.
|
#7
Applications don't belong on Domain Controllers, and standard users shouldn't be allowed anything but authentication to a DC. (OK, perhaps an LDAP query, but that's about all.) Assuming that the app can be remotely accessed, why not administer that app from another server or workstation?
|
#8
I know the normal practice is that we should have a dedicated server for the DC. Probably the apps team did it because they have some constraints. Anyway, I probably need to ensure I can allow domain users to RDP to the DC as a last resort, in case they don't want to move the apps. Is ntrights -u Users +r SeInteractiveLogonRight the same as granting the right "Allow logon locally" in the GPO settings? If yes, then I think it still has not solved the issue. I think it's likely due to the hardening template created by our security team. I tried on a non-hardened DC and it works. I looked through the template and noticed that the "Bypass traverse checking" right has been removed for all groups and users. I tried granting the authorized users this right and it works. Once it is removed, I get a userinit.exe error (The application failed to initialize properly (0xc0000142)). The problem is that my security team is not willing to grant the right. They want us to grant it in folder/file permissions instead. Has anyone done this kind of configuration before?
|
#9
Re: Can domain users RDP to domain controllers?
No, they are two separate rights. They would need both assigned to them. There is nothing in the GUI to assign the interactive right. If you ask me, it was a security precaution to not make it easy to assign it. If there's a hardening template, then we need to know which template is being used: whether it's one of the secure DC templates available with the OS, or a custom-made one. If it was a custom template, we'll need to know what's in the template to ascertain if it is preventing users from connecting.
|
#10
Re: Can domain users RDP to domain controllers?
Not that I know of, other than manually assigning it using ntrights. And it wouldn't be a file/folder permission. It's one of the *rights* required to access a domain controller.
|
#11
Re: Can domain users RDP to domain controllers?
Hi guys, I tried using ntrights.exe to assign the authorized users "SeInteractiveLogonRight", and I noticed that the Default Domain Controllers Security Policy setting has included the users for the "Allow logon locally" right. That's why I am wondering if they are the same. I also tried on a newly installed Win2k3 server, and normal users also have problems logging on through RDP. So I am pretty sure that it is related to the Bypass Traverse Checking / Traverse Folder thing. Anyway, has Microsoft published any article on how the logon process works, including the files and components involved? I would like to know more about the userinit.exe file and how it is involved in the logon process, as it is giving an error (The application failed to initialize properly (0xc0000142)). Thanks, Regards
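The thread turns on which accounts hold three user rights on the DC (local logon, Terminal Services logon, and bypass traverse checking). As an added example that is not from the thread or any of its posters, this PowerShell script exports the machine's effective user-rights assignment with secedit and reports the holders of those three rights, flagging broad principals; it assumes an elevated session on the server being examined, and the constant-to-GUI-name mapping is Microsoft's documented one (Windows Server 2003 names), not something stated in the thread.

```powershell
# Added example (not from the thread): audit who holds the logon-related rights
# discussed above. Run elevated on the DC (or a test server) being examined.
$cfg = Join-Path $env:TEMP 'rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Privilege constants -> GUI names as shown in Local Security Policy / GPO
# (Microsoft's documented mapping; "Terminal Services" is the Server 2003 wording).
$rightsOfInterest = @{
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Terminal Services'
    'SeChangeNotifyPrivilege'       = 'Bypass traverse checking'
}

# The [Privilege Rights] section of the exported INF has lines such as:
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548
# A leading '*' marks a SID; other entries are plain account names.
$lines = Get-Content $cfg | Select-String -Pattern '^Se\w+\s*='
foreach ($m in $lines) {
    $name, $value = $m.Line -split '\s*=\s*', 2
    if (-not $rightsOfInterest.ContainsKey($name)) { continue }

    $holders = @()
    foreach ($entry in ($value -split ',')) {
        $entry = $entry.Trim()
        if ($entry -eq '') { continue }
        if ($entry.StartsWith('*')) {
            try {
                # Translate the SID to DOMAIN\Name where the account resolves.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $holders += $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $holders += $entry }   # keep the raw SID if it cannot be resolved
        } else {
            $holders += $entry
        }
    }

    "{0} ({1}):" -f $rightsOfInterest[$name], $name
    $holders | ForEach-Object { "    $_" }

    # Defender's check: on a DC these rights should be limited to admin/operator
    # groups; a broad principal here widens who can reach the DC interactively.
    $broad = $holders | Where-Object {
        $_ -match '^(.*\\)?(Domain Users|Users|Everyone|Authenticated Users)$'
    }
    if ($broad) { "    WARNING: broad principal(s) hold this right: $($broad -join ', ')" }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Comparing the output from a hardened DC with that from an unhardened one shows directly which of the three rights the template has stripped, which is the comparison the thread's last few posts are making by trial and error.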