Enabling users to connect remotely to the server

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Enabling users to connect remotely to the server

To enable users to connect remotely to a terminal server, you must ensure that:

  • Remote Desktop is enabled on the server. For instructions on how to enable Remote Desktop, see Enable or disable Remote Desktop.

  • Users have the appropriate rights and permissions to log on remotely to the server.

To perform these two tasks, you must be logged on as a member of the Administrators group.

Using the Remote Desktop Users group to grant access to a terminal server

You can easily manage permissions and rights for a terminal server on a per-computer basis, by using the Remote Desktop Users group. The Remote Desktop Users group is one of the built-in users groups available when you install one of the Windows Server 2003 operating systems. Members of this group are able to log on remotely to a terminal server on which Remote Desktop is enabled.

By default, the Remote Desktop Users group is not populated. Therefore, you must decide which users and groups should have access to log on remotely to a terminal server, and then add them to this group. For instructions on how to add users to the Remote Desktop Users group, see Add users to the Remote Desktop Users group.

It is highly recommended that you use the Remote Desktop Users group to grant individuals access to terminal servers, rather than assigning the required permissions manually

Caution

If you alter the default permissions on the Remote Desktop Users group or remove this group, members of this group might lose the ability to log on remotely to terminal servers.

Assigning Permissions Manually

In some cases, it might be necessary to manage access to a terminal server on a per-connection basis and to manually customize rights and permissions. Keep in mind that if you do not use the Remote Desktop Users group to grant users access to log on to a terminal server, you must assign those users the same rights and permissions manually. The required rights and permissions are as follows:

Right or permission Comments

Allow log on through Terminal Services

This right determines which users or groups have permission to log on as a Terminal Services client.

Configure by navigating to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\.

For configuration instructions, see Edit security settings on a Group Policy object.

User Access

  • This permission type grants the following special permissions: Query Information, Logon, and Connect. These special permissions allow a user to:

  • Log on to a session on the terminal server.

  • Query information about a session.

  • Send messages to other user sessions.

  • Connect to another session.

Configure by using Terminal Services Configuration.

For configuration instructions, see Change the permissions a user or group has to a connection.

You can also explicitly deny an individual user access to a terminal server by modifying that user's terminal server profile. Doing this is useful if you have granted a large group access to a terminal server, but want to make individual exceptions as needed. For instructions, see Deny a user permissions to log on to terminal servers.

See Also

Concepts

Managing Terminal Services users
Configuring Terminal Services with TSCC