Term Serv - User rights 1

Status
Not open for further replies.

JPL910

MIS
Oct 16, 2008
24
US
ALCON:
My Terminal Services issue is that when a user logs on to the terminal server with RDP, one particular application does not work unless the user is a member of the domain admin group.

- I have a user, UserX, who can log on to the terminal server and run all (email, office apps, rightfax) but one application. The application has a SQL backend but the user cannot get past the logon screen. If I add UserX to any standard Domain group, the user is still unable to log on to this application. As soon as I put UserX into the Domain Administrators group, the application works without error.
I then tried RDP for UserX on other computers (non-servers - XP Pro workstations) and was able to run the SQL application without issue and without being in the Domain Admin group. On these computers, UserX is not even set as a local admin and everything works fine. It is isolated to the terminal server that the account needs to be a domain admin for it to connect.

Note: I have tried putting UserX as a local administrator on the terminal server, and still no luck. It seems to only work when UserX is a member of Domain Admins.

Any ideas or suggestions are greatly appreciated.
 
Are there any special group policy objects being applied to the terminal server?

Can you put the TS in the same OU as your XP Pro workstations and see if it works without UserX being a domain admin?

Thanks,
Andrew

[medal] Hard work often pays off over time, but procrastination pays off right now!
 
Andrew,
There aren’t any special policies being applied to the Terminal Server.
I have the computer located in the same OU as the workstations that the user is successfully able (RDP) to use the application without being a member of the Domain Admin group.
 
hi,

... trying to start up my brain after launch and coffee...

some spread considerations:

- A "Terminal server users" group exists: try adding the user to it.

- Try logging in as that user directly at the server console.

- How is the SQL connection done? Is the DB on this server?

- Which privileges does a Domain Admin have vs a Local Admin?
* he is administrator of all computers (maybe the application uses something on another server: DB?...)
.....

- If this application is very important and you have patience and time, download the regmon utility
(formerly Sysinternals, now M$)
and, filtering on the application name, see which registry keys are successfully opened while the D.Admin runs the appl, and
what happens when UserX does the same thing.

Filter by image name, and start the monitor as late as possible, and stop asap: you will see tens, hundreds of entries!

Maybe the application setup has badly protected some
registers in such a way that only Domain Admins (probably the one who did the setup) can access them.
If you discover them, fire! sorry, unprotect them.

bye
vic
 
Great suggestions, Vic. I'm curious to see the results.

Thanks,
Andrew

[medal] Hard work often pays off over time, but procrastination pays off right now!
 
Thanks for the advice Vic. I will try the regmon this week.

As for the other items:

- User is in Term Serv group (Tried putting in other OU as well. Still no change)

- Logged in directly at console. No good

- SQL DB not located on same server. Connects via ODBC (TCP/IP)

Thank you,
JPL
 
Tried Regmon. To be honest I have no idea what I am looking for/at.

When logged on as userx and the account is removed from DomAdmin, the application still fails. If I right-click and select "Run-As" and use my username/password (I am DomAdmin) it works perfectly.

I have tried uninstalling the application and reinstalling under userx account, the Dom Admin account and still no luck.

Any other ideas or suggestions?
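
The comparison suggested earlier in the thread (capture the application once while it works as a Domain Admin and once while it fails as UserX, then look for the difference), as an added example that is not part of any poster's message. It assumes both captures were saved as CSV with the column names used by Process Monitor, the successor to Regmon; `app.exe`, the registry paths and the sample rows are constructed for illustration.

```python
import csv
import io

# Constructed sample captures (not from the thread). Column names follow the
# Process Monitor CSV export (assumption); app.exe and the paths are hypothetical.
ADMIN_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","app.exe","4120","RegOpenKey","HKLM\SOFTWARE\ExampleVendor\App","SUCCESS",""
"10:01:02.2","app.exe","4120","RegOpenKey","HKCU\Software\ExampleVendor","NAME NOT FOUND",""
"10:01:02.3","app.exe","4120","RegSetValue","HKLM\SOFTWARE\ExampleVendor\App\LastUser","SUCCESS",""
"10:01:02.4","explorer.exe","812","RegOpenKey","HKLM\SOFTWARE\Other","SUCCESS",""
'''
USER_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:05:40.1","app.exe","5332","RegOpenKey","HKLM\SOFTWARE\ExampleVendor\App","ACCESS DENIED",""
"10:05:40.2","app.exe","5332","RegOpenKey","HKCU\Software\ExampleVendor","NAME NOT FOUND",""
"10:05:40.3","explorer.exe","900","RegOpenKey","HKLM\SOFTWARE\Other","ACCESS DENIED",""
'''


def load_results(text, image):
    """Map (operation, lower-cased path) to the results seen for one image name."""
    results = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["Process Name"].lower() != image.lower():
            continue  # same idea as the "filter by image name" advice
        key = (row["Operation"], row["Path"].lower())  # registry paths ignore case
        entry = results.setdefault(key, {"path": row["Path"], "results": set()})
        entry["results"].add(row["Result"])
    return results


def denied_only_for_user(admin_text, user_text, image):
    """Return (operation, path) pairs denied for the user but successful for the admin."""
    admin = load_results(admin_text, image)
    user = load_results(user_text, image)
    findings = []
    for key, entry in user.items():
        admin_results = admin.get(key, {"results": ()})["results"]
        # NAME NOT FOUND and similar results appear in both runs and are noise here.
        if "ACCESS DENIED" in entry["results"] and "SUCCESS" in admin_results:
            findings.append((key[0], entry["path"]))
    return sorted(findings)


if __name__ == "__main__":
    for operation, path in denied_only_for_user(ADMIN_CSV, USER_CSV, "app.exe"):
        print(f"{operation:12} {path}")
```

Each path it reports is a candidate for a permissions review on the terminal server, so that access can be granted to the group that needs it rather than through Domain Admins membership.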
 
You can add the user to a local group on the host. The group name is d-com.
Try and let us know the result.
 
Rajneesh,
I tried adding the user to the Distributed Com Users group. Still no luck. The only way for the account to work is when it is located in the Domain Administrator group, which obviously I cannot do.
 