User rights

Tags: Active Directory, Digital certificates, Identity & Access Management, Microsoft Windows, Security tokens, Single sign-on, SQL Server
Key applications/services: Active Directory, Domain Controller, Terminal Services, Dentrix. 2 servers running Windows Server 2003 Standard.

Network setup: server3 hosts a database/application called Dentrix. Server4 hosts the client for Dentrix and is a terminal server so that remote users can access the program. This client needs to be run as (minimum) poweruser when run on a "normal" desktop/server, easy. However, I have server4 running as a BDC. The only way I have been able to get the client software to run properly is to make those remote users administrators in AD (AAAHHH)!! I cannot make server3 a DC per the vendor; conflicts will arise. These are the only two servers at this site, my primary DC is at HQ (connectivity via PTP T1); my only other choice is to demote server4 and have no BDC, if I cannot find an alternative.

How do I emulate a poweruser for a user logging into a terminal server that is also a domain controller?

Answer Wiki


Only administrators (local user or domain user) can log in to a domain controller, either locally or via Terminal Services (RDP), as specified by the domain controller security policy or the Domain Controllers GPO (modify these at your own risk…!)

Discuss This Question: 4 Replies

  • Astronomer
    You need to have a client system that isn't a domain controller. Is the domain native 2003? If not, you might consider building an old workstation as a local domain controller running 2000. At the TV station I support they needed an isolated domain and didn't have a budget for real servers. I built two old workstations with server 2000 as dedicated domain controllers. This has worked well for them. They imaged the boxes and if either dies, they can just reimage another old workstation. The other option would be to build a dedicated terminal service server. I would check the load before trying this. Sorry I don't have a better solution for you. rt
  • Sonyfreek
    GForsythe: A power user is a user who hasn't taken the time to become an administrator. It's very trivial to obtain admin privileges for any power user. Whoever created the application Dentrix (never heard of it) doesn't know what they're doing. I'm not sure if this is the dental program that comes up first in the search on Google, but I would not trust a product that _REQUIRES_ the user to be a member of Power Users or Administrators either on the server or the client. It's poor coding.

    If you decide to stay with the vendor of this product, as I'm sure your company has some outlay on it, the best approach to secure it is to download the Regmon, Filemon, and possibly the Diskmon tools from Microsoft (formerly Sysinternals). These tools will monitor what the application is trying to do to the registry, file system, and the hard drive itself in an effort to see what it's being denied access to. Running any of these tools generates a lot of output, so use only one at a time.

    What to look for: Check out the process when using the Power User or Administrative account to see what's supposed to happen, then run it as a regular user. Grant the user full permission to individual reg keys or full permissions to the path (directory structure) to fix the problem. Unfortunately, unless you get into the weeds, registry permissions are not as easy to assign as file permissions.

    For Regmon: look for access denied to create, modify, or delete reg keys. Note the keys trying to be accessed.

    For Filemon: look for access denied to create, modify, or delete both files and directories. Typically, the program tries to write back to the Program Files directory or the Windows directory. You typically can fix the problem by allowing access for the specific directory(ies) or file(s) that the program is trying to work on.

    For both apps, be secure and only give rights where necessary and document what you change. Don't just give full permissions to the Program Files directory to get it to work. Good luck, SF
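Sonyfreek's procedure above (capture the application's access-denied registry keys and files with Regmon/Filemon, then grant rights on those specific keys and directories and nothing else), as an added PowerShell example that is not code from the thread or from the Dentrix vendor. It assumes the monitor log was saved as CSV with Process Name, Operation, Path and Result columns, which is the shape Process Monitor (the current Sysinternals tool that replaced Regmon and Filemon) exports; the group name, process name, allowed roots and log lines are constructed placeholders.

```powershell
# Added example, not code from the thread or from the Dentrix vendor.
# Turns a Regmon/Filemon-style log into the application's ACCESS DENIED paths and grants a
# domain group Modify on exactly those keys/directories, refusing anything outside the
# vendor's own registry key and install directory. Group, process and paths are placeholders.

# Constructed sample log, shaped like a Process Monitor CSV export.
$sampleLog = @'
"Process Name","Operation","Path","Result"
"dentrix.exe","RegOpenKey","HKLM\SOFTWARE\ExampleVendor\Dentrix","ACCESS DENIED"
"dentrix.exe","RegSetValue","HKLM\SOFTWARE\ExampleVendor\Dentrix\LastUser","ACCESS DENIED"
"dentrix.exe","CreateFile","C:\Program Files\ExampleVendor\Dentrix\temp.dat","ACCESS DENIED"
"dentrix.exe","CreateFile","C:\Program Files\ExampleVendor\Dentrix\config.ini","SUCCESS"
"dentrix.exe","CreateFile","C:\Windows\dentrix.ini","ACCESS DENIED"
"explorer.exe","RegOpenKey","HKCU\Software\Microsoft\Windows","SUCCESS"
'@

$group      = 'DOMAIN\DentrixUsers'   # placeholder: domain group holding the application's users
$appProcess = 'dentrix.exe'           # placeholder: the client executable name
$appRoots   = @('HKLM\SOFTWARE\ExampleVendor', 'C:\Program Files\ExampleVendor')   # placeholder roots

function Get-DeniedPaths {
    param([string]$LogText, [string]$ProcessName)
    # Only the application's own denials, one entry per path.
    $LogText | ConvertFrom-Csv |
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' } |
        ForEach-Object { $_.Path } | Sort-Object -Unique
}

function Grant-ScopedAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$Identity, [string[]]$AllowedRoots)

    # A denial under C:\Windows (or any other unrelated location) is for the vendor to fix;
    # loosening that ACL is how a user ends up able to replace trusted binaries.
    if (-not ($AllowedRoots | Where-Object { $Path -like "$_*" })) {
        Write-Warning "Outside the application's own scope, not touching: $Path"
        return
    }
    if ($Path -match '^(HKLM|HKCU)\\') {
        $target = $Path -replace '^HKLM\\', 'HKLM:\' -replace '^HKCU\\', 'HKCU:\'
        # A denied RegSetValue names a value; the ACL lives on its containing key.
        if (-not (Test-Path -Path $target)) { $target = Split-Path -Path $target -Parent }
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Identity, 'ReadKey, SetValue, CreateSubKey', 'ContainerInherit', 'None', 'Allow')
    } else {
        $target = $Path
        # A file the program could not create does not exist yet; grant on its directory.
        if (-not (Test-Path -Path $target)) { $target = Split-Path -Path $target -Parent }
        $inherit = if (Test-Path -Path $target -PathType Container) { 'ContainerInherit, ObjectInherit' } else { 'None' }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity, 'Modify', $inherit, 'None', 'Allow')
    }
    if ($PSCmdlet.ShouldProcess($target, "grant $Identity")) {
        $acl = Get-Acl -Path $target
        $acl.AddAccessRule($rule)
        Set-Acl -Path $target -AclObject $acl
    }
}

# Dry run first: -WhatIf prints each intended grant without changing an ACL. Drop it to apply.
Get-DeniedPaths -LogText $sampleLog -ProcessName $appProcess |
    ForEach-Object { Grant-ScopedAccess -Path $_ -Identity $group -AllowedRoots $appRoots -WhatIf }
```

Run it from an elevated session on the workstation or server that holds the paths, keep `-WhatIf` until the printed list matches what the log comparison justified, and keep the printed list as the change record Sonyfreek asks for. With the constructed log, the two registry entries collapse onto the vendor's key, `temp.dat` becomes a grant on the install directory, and the `C:\Windows` entry is only warned about.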
  • Gforsythe
    Finally, someone who agrees about the poor programming of this application. I had this baby dropped in my lap; the Dental director and CEO came to me and said, "We just bought this, call this person and find out what we need to run it and get it here, we go live in 2 months." That was about 1 month after I started this job. The guys at CDW are good, but not good enough...

    As far as the coding, it gets worse. They say that for any user to run the program, they need to be built as a poweruser on EACH WORKSTATION that they may access; that is 10 workstations, 11 personnel (locally) plus 10 remote. Each local user must have a drive mapped to the other server, the SQL client needs to be configured, and once Dentrix set up the basics on one workstation, I needed to export/import 2 registry directories in order for it to work on all the others. Those registry settings are HKEY_CURRENT_USER specific; you start to see the scope of my problems: the registry settings had to be run when each user was logged in, but only once. They do not support Active Directory support of any sort, etc.

    The application works great, and is very user friendly, once set up properly. It's kinda like going from a Windows server to an older version of Red Hat. Windows does it all for you, but Linux will do it better, once it is set up right (not to compare Linux to Dentrix by any means, God bless Linus).
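For the per-user HKEY_CURRENT_USER import Gforsythe describes (it has to run once for each user, while that user is logged in), here is an added PowerShell logon script that does the import exactly once per user and version; it is not code from the thread or from the vendor. The share path, .reg file names, marker key and version value are placeholders, and the script refuses an export that contains HKEY_LOCAL_MACHINE keys, since a non-admin user cannot write those and they belong in the machine build rather than a per-user step.

```powershell
# Added example, not from the thread or the vendor: idempotent per-user import of the
# exported HKCU settings, intended to run as an AD user logon script.
# Placeholders: share path, file names, marker key and version.

$regFiles  = @('\\server3\DentrixSetup\dentrix-user-1.reg',
               '\\server3\DentrixSetup\dentrix-user-2.reg')   # placeholder UNC paths (read-only share)
$markerKey = 'HKCU:\Software\ExampleOrg\DentrixSetup'          # placeholder marker location
$version   = '1'   # bump when the exported settings change so every user re-imports once

function Test-SettingsApplied {
    param([string]$MarkerKey, [string]$Version)
    # $true when this user already imported the current version.
    (Get-ItemProperty -Path $MarkerKey -Name 'Applied' -ErrorAction SilentlyContinue).Applied -eq $Version
}

function Import-UserSettings {
    param([string[]]$RegFiles, [string]$MarkerKey, [string]$Version)
    if (Test-SettingsApplied -MarkerKey $MarkerKey -Version $Version) { return 'already applied' }
    foreach ($file in $RegFiles) {
        # Per-user exports must contain HKCU keys only; an HKLM entry would silently need
        # admin rights, which is exactly the privilege this setup is trying to avoid.
        if (Select-String -Path $file -Pattern '^\[HKEY_LOCAL_MACHINE' -Quiet) {
            throw "$file contains HKEY_LOCAL_MACHINE keys; put those in the machine image, not a per-user import"
        }
        # reg.exe runs as the logged-on user, so it can only touch that user's hive.
        & reg.exe import $file | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Import of $file failed with exit code $LASTEXITCODE" }
    }
    New-Item -Path $MarkerKey -Force | Out-Null
    Set-ItemProperty -Path $MarkerKey -Name 'Applied' -Value $Version
    return 'applied'
}

Import-UserSettings -RegFiles $regFiles -MarkerKey $markerKey -Version $version
```

Assign it as the logon script on the users' OU (or call it from an existing batch logon script) and the export/import never has to be repeated by hand; the marker value in the user's own hive is what keeps it from running on every logon.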
  • Sonyfreek
    One has to wonder how you, as the administrator, and management/CEO, as the one ultimately responsible for the security of the system, will ensure HIPAA compliance on an application that requires elevated user privileges... As a power user on the workstation, the user could change the local time, which would totally mess up the log times, notwithstanding that they have excessive privileges to the Windows directory and can replace a trusted program with a trojanized version of the same to gain local administrator. Of course, the user doesn't even have to do anything complex considering they are all domain admin on the server side... It really sounds like this was an "upgrade" from a Windows 9x environment with programmers who didn't understand the XP/2003 models.

    Here's a nice Microsoft article to show to management: "A member of the Power Users group may be able to gain administrator rights and permissions in Windows Server 2003, Windows 2000, or Windows XP". So, how does Microsoft recommend preventing it from happening? "Do not use the Power Users group." It's such a problem that Vista is getting rid of the Power Users group totally. Enough said.

    I still suggest tearing apart the program's attempts to write to protected files and registry settings using an administrator vs. normal user comparison. Hopefully, the program doesn't require something crazy like direct access to hardware or memory that normal users aren't capable of doing. I'd much rather accept the risk of someone screwing up their local copy of the program's directory and risk having incorrect/corrupted data than having users romping around as pseudo admins. It will probably take a lot of coffee and time going through the printouts of the comparisons, but it's worth it in the long run. Once you have a well known working config, either image the computers and/or write batch files/scripts to set them up appropriately. Of course, then document what you've done so the next guy that comes upon this problem has a roadmap. Unfortunately, the money's already spent or I'd suggest buying someone else's product and wishing this company out of business for their shoddy programming practices. Good luck, SF
