
Thread: Create remote only user for Remote Desktop

  1. #1
    Member
    Join Date
    May 2002
    Posts
    42

    Create remote only user for Remote Desktop

    I want to create a remote-only user for Remote Desktop.

    I have 2 Win XP Pro machines, one with Remote Desktop enabled.
    On the computer with Remote Desktop enabled, I want to create a user that can only log on remotely.

    I created a user in the group "Remote Desktop Users" only on the computer with Remote Desktop enabled.
    When I use Remote Desktop to log in with the user from the PC without Remote Desktop enabled, it logs me on and then logs off before I even get to see the desktop.

    The only way I'm able to stay logged in is if I add the user to the "Users" group.
    The problem with that is, the user can log on locally.

    Anyone know how I can create a remote-only user for Remote Desktop?
    Thanks
    "keep your friends close, your enemies closer, and your administrator closest."

  2. #2
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    Sounds like there is something wrong with your settings; I just tried it and had no problem logging on remotely with ONLY the remote desktop users account. You may recheck your settings and see what's going on; make sure you have that group also. I made the account with my administrator account, and you have to make sure your administrator account is not logged on, otherwise it won't connect. That may be your issue: no one can be logged on when you try your account.
    Duct tape.....A whole lot of Duct Tape

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi MrT,

    I am sorry that I do not know the answer to your question. Rather, I have a question for you, why would you want to do such a thing?

    Am I missing something here, after all if you trust someone enough to let them log in remotely, surely you would trust them enough to log in locally?

    OK, I do recall software that would only let a user log in from a designated workstation locally or a fixed IP address remotely.

    Your question looks somewhat different, and a chance for me to learn from both the question and the answer

  4. #4
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    I'm with nihil on this one. If you're going to make a user who can only logon remotely, obviously you're going to choose a strong password, possibly stronger than if they were a local user, although I wouldn't base the strength of the password I choose based on that, it should always be very strong. My point is, what are you afraid of? Is it you or someone else using the remote account? If it's you then you have nothing to worry about as you should be able to logon to your computer locally anyway, and why would you want to prevent yourself from that? If it's someone else, are you expecting them to come over? Because even if they did and didn't have a local account, they may have a bootdisk of some password changing program.

    All that aside, I can see how you would be curious about this. I wouldn't like it if I set up my computer to work one way, and it didn't work that way. So if you're that set on having it configured that way, I hope you figure it out.

  5. #5
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    If a user logs on remotely to a WinXP machine, the current session will be closed before another one is opened.

    For your remote-only problem, go into Administrative Tools, Local Security Policies and look around. You'll see a policy called "Deny logon locally". Add your user to this group and he'll be unable to log on locally.

    Good luck.
    -Simon "SDK"

  6. #6
    Member
    Join Date
    May 2002
    Posts
    42
    nihil-
    The reason for creating a remote-only user is to keep fewer holes in my system.
    The reason why I'm not going to use a 3rd-party program to do this: I found Remote Desktop to be perfect for what I need to do.

    h3r3tic-
    A boot disk will be impossible to use unless you know the CMOS password or take out the CMOS battery.
    I think I would notice someone opening up the box....unless they drugged me.

    nihil & h3r3tic-
    The main reason for all this: I find this kind of stuff fun.
    The computer is like a sandbox where there is no limit to what you can do.
    There is no other way to put it than, I'm addicted to security

    After this post, I can see someone asking me why not just use Linux, well let me tell you why...
    I think Windows will become very secure; it is presently not that bad with defaults.
    I have read many books/articles written by the people who work for Microsoft, and they all agree they learn from their mistakes and become stronger.


    Now to the problem at hand:
    I'm trying to figure out why the "Users" group allows me to log on remotely.
    I removed the "Users" group from everything in Local Security Policies.
    I tried logging on with both the "Remote Desktop Users" & "Users" groups for the user.
    It still allowed me to log in.
    Does anyone know anything else I can disable for the "Users" group?

    After some more Google searching, I found a thread about the Nvidia Display Driver Service causing this exact same problem.
    I disabled the driver just like it said.
    No luck logging in with just the "Remote Desktop Users" group.


    I'll try some more googling and some more tweaking; any suggestions would be greatly(> GREAT) appreciated.
    "keep your friends close, your enemies closer, and your administrator closest."

  7. #7
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Users is a widely used group. If a user is not part of the Users group on a computer, it just won't work at all; a lot of NTFS permissions in Windows are based on that Users group. It's like the "Domain Users" group of an AD, but locally.

    As I said prior, you only need to create a user and deny this user local logon. Plain and simple.
    -Simon "SDK"

  8. #8
    Member
    Join Date
    May 2002
    Posts
    42
    I was hoping I wouldn't have to use the "Users" group, but it looks like that's the only way..
    I added the "Remote Desktop Users" group to "Deny local logon" and edited the registry so the user wouldn't show up in the welcome screen.

    Thanks for the help anyways.
    "keep your friends close, your enemies closer, and your administrator closest."

  9. #9
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    You can use group policy to deny remote logon (remote desktop/terminal services) to all users except the user that you want to use for remote desktop.

    Then use group policy to deny local logon to the user that you only want access to remote desktop/terminal services.

    If you need further help figuring out how to do this AFTER you've given it a go on your own... PM me.

    It should be pretty obvious after poking around in group policy. In your case, it will be the local "group policy".

    Start, run, mmc, add snap in, group policy, should read local security policy.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  10. #10
    Senior Member
    Join Date
    Jan 2004
    Posts
    124
    Here is what you can do.

    Add your "remote access group" to the Users group.
    In Local Security Policy, in "deny logon locally", add the "remote access group".

    What do you achieve?
    When you add a user to the "remote access group", that user has all the rights of an ordinary user but cannot log on locally.
    Why bother with all this?
    It is good practice to add permissions to groups (especially if you have a lot of permissions to add/edit). So you do all the security work once, and later just move users from one group to another.

    Imagine that you have all this set up for one user.. then you decide to delete that user... after a while you have to bring back that user, or make another with the same security. Is it easier to add a new user to an already prepared group or do all the work all over again?

    This all maybe sounds like "why should I bother with all this grouping stuff", but you never know what the future brings. One day you could be in a position where you administer 10 computers with 30 users??? or maybe more
    Ikalo
    ------
    Make your knowledge your deadliest weapon.
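
The arrangement this thread arrives at (an account in both "Users" and "Remote Desktop Users", with the latter listed under "Deny logon locally") can be checked from a user-rights export. The following is an added example, not code from any poster: it parses the `[Privilege Rights]` section written by `secedit /export /cfg rights.inf /areas USER_RIGHTS` and works out which logon types a set of group SIDs ends up with, deny entries taking precedence over allow entries. The INF text and the three sample accounts are constructed for illustration.

```python
# Constructed sample of a secedit USER_RIGHTS export (values are illustrative).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = Guest,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
"""

# Well-known SIDs of the built-in local groups discussed in the thread:
# Administrators, Users, Remote Desktop Users.
ADMINS, USERS, RDP_USERS = "S-1-5-32-544", "S-1-5-32-545", "S-1-5-32-555"


def parse_rights(inf_text):
    """Return {right name: set of principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names are bare.
            rights[name.strip()] = {
                p.strip().lstrip("*") for p in value.split(",") if p.strip()
            }
    return rights


def effective_logon(rights, sids):
    """Logon types available to an account holding `sids` (deny beats allow)."""
    def allowed(allow, deny):
        granted = sids & rights.get(allow, set())
        denied = sids & rights.get(deny, set())
        return bool(granted) and not denied
    return {
        "local": allowed("SeInteractiveLogonRight",
                         "SeDenyInteractiveLogonRight"),
        "remote": allowed("SeRemoteInteractiveLogonRight",
                          "SeDenyRemoteInteractiveLogonRight"),
    }


if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    accounts = {"remote-only": {USERS, RDP_USERS}, "ordinary": {USERS},
                "admin also in RDP group": {ADMINS, RDP_USERS}}  # constructed
    for label, sids in accounts.items():
        print(label, effective_logon(rights, sids))
```

The third sample account shows the side effect of denying the whole group: an administrator who is also a member of "Remote Desktop Users" loses console logon too. A real export is normally UTF-16, so open the file with `encoding="utf-16"` before passing its text to `parse_rights`.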
