Active Directory permission: log on to domain controller


How to permit logon to a DC

 

Symptom

  • The customer has an "Administration" domain with DCs running Windows Server 2016 in "Forest A" and a single-domain Production forest ("Forest B") with DCs running Windows Server 2008 R2
  • A two-way forest trust is in place between the two forests


  • Currently, so that the "Administration" domain administrators can log on to the DCs in the Production domain via RDP, they have been added to the Domain Admins group in the Production domain
  • The customer would like to achieve the same result without adding the Forest A administrators to the Domain Admins group (or an equivalent group) in Forest B

 

  • They want to know which privileges or user rights are required to achieve this

 

Cause

  • Configuration

 

Resolution

  • To allow the administrators from Forest A to log on to the DCs in Forest B without being added to the Forest B Domain Admins group, we performed the following actions:

 

    • We created a new domain local security group in Forest B and a new global security group in Forest A, added the Forest A user to the global group, and then added that global group to the domain local group in Forest B (standard AGDLP nesting, which the forest trust permits)
    • We added the domain local group to the "Allow log on locally" user right in the Default Domain Controllers Policy in Forest B
    • We also added the group to the "Allow log on through Remote Desktop Services" user right in the same policy; on a DC this right is granted only to Administrators by default, so membership in "Remote Desktop Users" alone is not sufficient
    • On a DC in Forest B we added the group to the "Remote Desktop Users" list in the "Remote" tab / "Select Users" of "System Properties" (the same membership can also be granted from the Remote Desktop console on the server); because DCs have no local SAM, this populates the domain's built-in "Remote Desktop Users" group and therefore applies to every DC in the domain

Note that these two user rights allow the Forest A accounts to run code interactively on production DCs, so those accounts should be protected to the same standard as Domain Admins even though they are not members of that group.
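The same procedure in PowerShell, as an added example that is not part of the original article. The domain names (admin.example for Forest A, prod.example for Forest B), the group names GG-ProdDC-RDP and DL-ProdDC-RDP, the OU paths and the account jdoe are assumptions. The two user rights themselves are still assigned in GPMC on the Default Domain Controllers Policy, as the article describes; the script finishes by exporting the DC's effective user rights with secedit and checking that the new group's SID is present in both, which is the check to run after gpupdate.

```powershell
# Added example, not from the original article. All names below are assumptions.
# Requires the ActiveDirectory RSAT module and an account with rights in both forests.
# Run on a DC in prod.example so the secedit check at the end reflects that DC's policy.
Import-Module ActiveDirectory

$forestA = 'admin.example'   # "Administration" forest (Forest A), assumed
$forestB = 'prod.example'    # Production forest (Forest B), assumed

# 1. Forest A: global group holding the administrators who need RDP to the production DCs
$ggA = Get-ADGroup -Filter "Name -eq 'GG-ProdDC-RDP'" -Server $forestA
if (-not $ggA) {
    $ggA = New-ADGroup -Name 'GG-ProdDC-RDP' -GroupScope Global -GroupCategory Security `
        -Path 'OU=Groups,DC=admin,DC=example' -Server $forestA -PassThru
}
Add-ADGroupMember -Identity $ggA -Members (Get-ADUser 'jdoe' -Server $forestA) -Server $forestA

# 2. Forest B: domain local group; the Forest A global group is added as a member across the
#    trust (AD stores it as a foreignSecurityPrincipal object in prod.example).
$dlB = Get-ADGroup -Filter "Name -eq 'DL-ProdDC-RDP'" -Server $forestB
if (-not $dlB) {
    $dlB = New-ADGroup -Name 'DL-ProdDC-RDP' -GroupScope DomainLocal -GroupCategory Security `
        -Path 'OU=Groups,DC=prod,DC=example' -Server $forestB -PassThru
}
Add-ADGroupMember -Identity $dlB -Members $ggA -Server $forestB

# 3. Forest B: on a DC, "Remote Desktop Users" is the domain's Builtin group, so this single
#    membership change replicates to all DCs (same effect as the System Properties Remote tab).
Add-ADGroupMember -Identity 'Remote Desktop Users' -Members $dlB -Server $forestB

# 4. "Allow log on locally" and "Allow log on through Remote Desktop Services" are set in GPMC on
#    the Default Domain Controllers Policy. After gpupdate, verify the effective assignment on the DC:
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$wanted = "*$($dlB.SID.Value)"          # secedit lists SIDs prefixed with '*'
$lines  = Get-Content $cfg | Where-Object {
    $_ -match '^(SeInteractiveLogonRight|SeRemoteInteractiveLogonRight)\s*='
}
foreach ($line in $lines) {
    $name, $value = $line -split '=', 2
    $tokens = $value.Trim() -split ',' | ForEach-Object { $_.Trim() }
    # Translate SIDs to names for display; leave unresolvable ones (e.g. foreign SIDs) as-is
    $display = $tokens | ForEach-Object {
        if ($_.StartsWith('*')) {
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($_.Substring(1))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $_ }
        } else { $_ }
    }
    "{0}: {1}" -f $name.Trim(), ($display -join ', ')
    if ($tokens -notcontains $wanted) {
        Write-Warning "$($dlB.Name) is not granted $($name.Trim()) on this DC"
    }
}
Remove-Item $cfg
```

Comparing SIDs rather than names avoids false negatives when a principal cannot be resolved to a name on the DC; the warning is the signal that the GPO change has not applied (or was made in the wrong policy) before anyone tries to RDP in.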


 

More information

Grant a Member the Right to Logon Locally

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee957044(v%3dws.10)

 

Allow log on locally – security policy setting

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/allow-log-on-locally

 

“Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group.

https://blogs.technet.microsoft.com/askperf/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group/

 

Allow log on through Remote Desktop Services

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services

http://woshub.com/allow-non-administrators-rdp-access-to-domain-controller/

 

