Disable "Allow logon to terminal server"
Jason Cook: Is there a way to remotely manage (script, GPO, etc.) the local account property, "Allow logon to terminal server", for local accounts on Windows 2000 servers? The domain is also Windows 2000.
|
You could remote in via TS to manage those accounts, or use security policy to manage the user right "logon locally", which a user will need to access a TS in W2K. In Windows 2003 that has been changed to a separate user right called "allow logon through Terminal Services". That can be configured through Local Security Policy, or you can put the computer in an Organizational Unit with its own GPO with "logon locally" configured to your needs. User rights are accessible through Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights. That will not directly configure the user's local account, but they cannot log on without the "logon locally" user right. -- Steve
"Jason Cook" wrote in message news:1518C02B-BBCA-4C9C-B5AE-1E35C9B4FA99@microsoft.com...
|
Jason Cook: Steve,
Thanks for the response. Let me add a little more background which should further explain my issue. I need to disable the permission "Allow logon to terminal server" for over 2000 administrative service accounts located on 800 servers, and due to some archaic applications I cannot always remove the security permission "logon locally". Manually disabling this property per account is not an option I can realistically implement.
Also, the member servers and domain are all Windows 2000, so I do not have the TS luxuries provided by Windows 2003 GPOs.
My gut instinct is that there is likely a way to set this account property via a script, but I've exhausted several searches trying to find it. Any additional thoughts would be appreciated.
Thanks for the response. Let me add a little additional background which should further explain my issue. I need to disable the permission, "Allow logon to terminal server," for over 2000 accounts located on 700 servers but in some instance I can not remove the security permission, "logon locally".
|
Hmm. I don't know of a way to automate that account property. You might also want to post in a Terminal Services newsgroup. I don't know how many TS you have, but it might be feasible to take a look at configuring the RDP permissions on each TS to allow only specified domain groups permissions, in Terminal Services Configuration/Connections/RDP/Properties. If you have domain servers/computers that you never want to allow access to a TS, you could implement an IPsec filtering policy that uses a block filter action to deny any outbound traffic for port 3389 from that computer. IPsec policies can be easily managed via Group Policy Computer Configuration. --- Steve
"Jason Cook" wrote in message news:003E21EE-8B2F-4352-BF39-60D00D42B459@microsoft.com...
|
Jason Cook: Steve, thanks for your help. Amazingly enough, I've found a scriptable method for setting the account property "Allow logon to terminal server". I just came across the Sysinternals tool "TSCMD.exe", which can set this property along with several other TS account properties.
http://www.systemtools.com/download/tscmd.zip
With the discovery of this tool it will now be trivial to create a VBS or batch script to disable this property for any number of local server accounts. Now the only challenge is monitoring compliance...
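The per-account flag Jason is toggling is the one Terminal Services exposes through the wtsapi32 functions WTSQueryUserConfig and WTSSetUserConfig (config class WTSUserConfigfAllowLogonTerminalServer, value 3), which tscmd.exe is presumably wrapping. The script below is an added example, not code from the thread or from the tscmd author: it bulk-disables the flag for a list of local accounts across a list of servers and writes the compliance report Jason says is the remaining challenge. It assumes a modern management host with PowerShell and local-admin rights on each target (the API itself is the Windows 2000-era one), and the files servers.txt and accounts.txt are constructed inputs, one name per line.

```powershell
# Added example: bulk-disable "Allow logon to terminal server" for local
# accounts via WTSQueryUserConfig / WTSSetUserConfig and report compliance.
# Assumption: run from a management host with admin rights on every target.
$code = @'
using System;
using System.Runtime.InteropServices;
public static class WtsUserConfig
{
    // WTS_CONFIG_CLASS.WTSUserConfigfAllowLogonTerminalServer from wtsapi32.h
    public const int AllowLogonTerminalServer = 3;

    [DllImport("wtsapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool WTSQueryUserConfigW(string server, string user, int cls,
                                           out IntPtr buffer, out uint bytes);
    [DllImport("wtsapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool WTSSetUserConfigW(string server, string user, int cls,
                                         IntPtr buffer, uint length);
    [DllImport("wtsapi32.dll")]
    static extern void WTSFreeMemory(IntPtr buffer);

    // True when the account is allowed to log on through Terminal Services.
    public static bool GetAllowLogon(string server, string user)
    {
        IntPtr buf; uint len;
        if (!WTSQueryUserConfigW(server, user, AllowLogonTerminalServer, out buf, out len))
            throw new System.ComponentModel.Win32Exception();
        try { return Marshal.ReadInt32(buf) != 0; }   // buffer holds one DWORD
        finally { WTSFreeMemory(buf); }
    }

    // The flag is written as a 4-byte DWORD buffer, as WTSSetUserConfig expects.
    public static void SetAllowLogon(string server, string user, bool allow)
    {
        IntPtr buf = Marshal.AllocHGlobal(4);
        try
        {
            Marshal.WriteInt32(buf, allow ? 1 : 0);
            if (!WTSSetUserConfigW(server, user, AllowLogonTerminalServer, buf, 4))
                throw new System.ComponentModel.Win32Exception();
        }
        finally { Marshal.FreeHGlobal(buf); }
    }
}
'@
Add-Type -TypeDefinition $code

# Constructed inventory files: one server name / one local account per line.
$servers  = Get-Content .\servers.txt  | Where-Object { $_.Trim() }
$accounts = Get-Content .\accounts.txt | Where-Object { $_.Trim() }

$report = foreach ($srv in $servers) {
    foreach ($acct in $accounts) {
        try {
            $before = [WtsUserConfig]::GetAllowLogon($srv, $acct)
            if ($before) { [WtsUserConfig]::SetAllowLogon($srv, $acct, $false) }
            # Re-read after the write so the report reflects the server's state,
            # not what we intended to set.
            $after = [WtsUserConfig]::GetAllowLogon($srv, $acct)
            [pscustomobject]@{ Server = $srv; Account = $acct; WasAllowed = $before
                               NowAllowed = $after; Compliant = (-not $after); Error = $null }
        } catch {
            # Missing account, access denied or RPC failure: record and keep going,
            # so one unreachable server does not abort an 800-server run.
            [pscustomobject]@{ Server = $srv; Account = $acct; WasAllowed = $null
                               NowAllowed = $null; Compliant = $false; Error = $_.Exception.Message }
        }
    }
}
$report | Export-Csv -NoTypeInformation .\ts-logon-compliance.csv
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Re-running the script with the SetAllowLogon call commented out turns it into the read-only compliance check; any row with NowAllowed = True or a non-empty Error column is the drift or the host you still need to chase. Because the flag is a per-account property held on each server, nothing in Group Policy will keep it set, so the check has to be scheduled rather than run once.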
|
Cool. I use a lot of their tools but have never run across tscmd.exe. Thanks for posting back with that info! --- Steve
"Jason Cook" wrote in message news:3BF69D48-4123-484F-89BB-21550E09BFC2@microsoft.com...