Terminal server logon failing – seems domain policy not taking effect?

Tags: Management, Microsoft Windows, OS, Security, Servers, SQL Server
I have several policies in place, but the one that's bugging me is the ability to log onto terminal servers. This is defined at Domain level for Domain Admins (myself) to be able to log into terminal services. All other policies below this one are DENIED as being applied to Domain Admins. When I reach my member server policy, even though it is DENIED as being applied to me, I cannot access my terminal server unless I add domain admins in again to the highest-ranking GP (the terminal servers policy). This shouldn't be the case - it should be cumulative as domain admins are applied the right to log on at the domain level policy, and no other policies are applied to Domain Admins. Any assistance greatly appreciated.

Answer Wiki


Remember that an explicit denial trumps all other rights, versus an implicit denial, which can be overridden. If you are part of a group that is explicitly denied access, then no matter what other group you belong to, you will be denied.

Discuss This Question: 5  Replies

 
  • Rhbmcse
    When I say DENIED I mean that the policy security is denied to the domain administrators group - therefore the entire policy should not apply to the group. I know what explicit deny does and how carefully it should be used. Am I right in saying that computer settings are not cumulative - i.e. a DOMAIN policy stating that group x can log onto terminal services would not necessarily carry over to, say, the TERMINAL server policy? It seems in 2003 GP that only the user settings portion of the group policy is affected by the explicit DENY which is set in the security of the particular policy...???
  • Tangor64
    A DENY is a DENY. That is, it doesn't matter what is or isn't cumulative. DENY overrides everything no matter what level it's applied on. Example: A friend of mine set up a system and was locking it down. He DENIED access to the EVERYONE group for the root directory, made some more changes and rebooted. He didn't realize his mistake until he couldn't log in and went back over his notes. (No, this actually wasn't me, though I've made some boners of my own.) My suggestion is to triple-check your policies and permissions. Modify any DENIES you have set and make sure that, no matter the level, they can't lock out either you, individually, or the admins as a group. I know, you've probably already done that. That's why I say triple-check, because the stone left unturned probably hides the key.
  • Shootfirst
    When troubleshooting GP, start by looking at the RSOP. If you don't have GPMC, install it and check the GP result against the account in question. You will see the winning GP which is at the lower container (OU) when there is conflict in the settings. If you want the highest GP (domain level) to take precedence, you should use the enforced option on that GP.
  • Squibc4
    Check whether you have any deny access entry in any other group in which you have membership. If not, run the "secedit" command on your server and wait for server replication, or do it forcefully.
  • Rhbmcse
    Hmmm, I don't think I'm being understood here... Let me break it down:
    Policy1 - Entire policy set to APPLY
    Policy2 - Entire policy set to DENY
    Policy3 - Entire policy set to DENY
    We are not talking about a SPECIFIC ITEM IN THE POLICY. We are talking about not applying the entire policy to a group of users - i.e. domain admins in this instance. The settings defined in policy one should be applied irrespective of policies 2 and 3 as they should not be being applied at all. When I look at RSOP all the computer settings are being applied for all policies, the user settings are not being applied as per the DENY "Apply group policy" in Policies 2 & 3. This has nothing to do with a DENY, which I know trumps everything. We are talking about deny "apply this group policy". From what I gather, irrespective of whether it's set to apply the policy or not, the computer settings always get applied, it's just the user settings which are not applied if the policy is set to not apply to a specific group.
    Thank you for all your help. This seems to have cleared the issue up now - it was my understanding of the above.
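The behaviour the original poster arrives at in the last reply, modelled as an added example (not code from the thread): a GPO's computer settings are security-filtered against the computer account and its user settings against the user, and a user right defined in several GPOs takes its value from the last GPO processed instead of being merged. The GPO contents, the "TS Users" group and the assumption that the terminal servers policy also defines the logon right are constructed for illustration; loopback processing, Enforced links and Block Inheritance are not modelled.

```python
from dataclasses import dataclass, field

RIGHT = "Allow log on through Terminal Services"  # a Computer Configuration user right

@dataclass
class GPO:
    name: str
    order: int                             # processing order; highest number is applied last
    deny_apply: frozenset = frozenset()    # principals denied "Apply Group Policy"
    allow_apply: frozenset = frozenset({"Authenticated Users"})
    computer: dict = field(default_factory=dict)
    user: dict = field(default_factory=dict)

def filtered_in(gpo, groups):
    """Security filtering: an explicit deny wins, otherwise an allow is needed."""
    return not (gpo.deny_apply & groups) and bool(gpo.allow_apply & groups)

def rsop(gpos, computer_groups, user_groups):
    """Computer half is filtered on the computer account, user half on the user."""
    computer, user = {}, {}
    for gpo in sorted(gpos, key=lambda g: g.order):
        if filtered_in(gpo, computer_groups):
            computer.update(gpo.computer)   # same setting: last GPO replaces, no merge
        if filtered_in(gpo, user_groups):
            user.update(gpo.user)
    return computer, user

def can_log_on(computer_settings, user_groups):
    return bool(computer_settings.get(RIGHT, frozenset()) & user_groups)

# Constructed sample data: group names, GPO names and setting values are illustrative.
DENY_ADMINS = frozenset({"Domain Admins"})
SERVER = frozenset({"Authenticated Users", "Domain Computers"})  # the terminal server
ADMIN = frozenset({"Authenticated Users", "Domain Admins"})      # the admin logging on

def build(ts_right):
    return [
        GPO("Domain", 1, computer={RIGHT: frozenset({"Domain Admins"})},
            user={"Wallpaper": "corporate"}),
        GPO("Member Servers", 2, DENY_ADMINS, user={"Hide Run menu": True}),
        GPO("Terminal Servers", 3, DENY_ADMINS, computer={RIGHT: frozenset(ts_right)}),
    ]

def scenario(ts_right):
    """Return (admin can log on?, user settings that reached the admin)."""
    computer, user = rsop(build(ts_right), SERVER, ADMIN)
    return can_log_on(computer, ADMIN), sorted(user)

if __name__ == "__main__":
    print(scenario({"TS Users"}), scenario({"TS Users", "Domain Admins"}))
```
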
