A Windows XP help forum. PCbanter


Remote Desktop and Service Pack 2



 
 
  #1  
Old January 26th 05, 05:31 PM
Jim Watts

Hi, I have a problem with Remote Desktop that I hope somebody can help me
with:

Under WindowsXP Gold/SP1 we used to make use of Remote Desktop functionality.
Normally, users must be a member of the local 'Remote Desktop Users' group
before they could logon via Remote Desktop. However, if they were already
logged into the target workstation (and had locked it etc) then they could
Remote Desktop to it without being in the local Remote Desktop Users group.
This was most useful, as it meant that people could use their 'own' machine,
but not connect to any others.

Under WindowsXP SP2, this no longer works and users MUST be a member of the
'Remote Desktop Users' group before connecting. (BTW I know that this is not
a firewall issue, as if I place the user account into the Remote Desktop
users group they can connect OK). A little digging with Security Analysis
shows the following:

SP1 - Allow Logon Through Terminal Services = Administrators, Users
SP2 - Allow Logon Through Terminal Services = Administrators, Remote Desktop Users

Ok, so I found a difference. So I used GP to add the Users group into the
'Allow Logon Through Terminal Services' right. However, sadly this now means
that ANYBODY can Remote Desktop to a machine, which is not what I want.

Does anybody know if this change in SP2 was deliberate, and if a workaround
exists? We are keen to make the Remote Desktop functionality available to
the person who is currently logged on to the workstation, without having to
put individuals into the local group, and without letting anybody else
connect.

Many thanks
--
Jim Watts,
Technology Consultant
Information Systems Services
University of Southampton
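
An added example, not part of the thread: one way to audit which principals hold the 'Allow Logon Through Terminal Services' right (`SeRemoteInteractiveLogonRight`) by parsing a template exported with `secedit /export /cfg <file> /areas USER_RIGHTS`. The two templates are constructed to mirror the values quoted in the post above, and the function names are hypothetical; only well-known SIDs are resolved to names.

```python
RDP_RIGHT = "SeRemoteInteractiveLogonRight"  # "Allow logon through Terminal Services"

# Well-known SIDs as they appear in exported templates (prefixed with '*').
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-555": "Remote Desktop Users",
}
# Groups that contain every ordinary account: granting them the right
# lets any user connect, the outcome the post wants to avoid.
BROAD = {"Everyone", "Authenticated Users", "Users"}

def rdp_principals(inf_text):
    """Return the principals granted RDP_RIGHT in a security template."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() != RDP_RIGHT.lower():
            continue
        items = (i.strip().lstrip("*") for i in value.split(","))
        return [WELL_KNOWN.get(i, i) for i in items if i]
    return []  # right absent from the template: nobody is granted it

def broad_grants(inf_text):
    """Principals on the right that cover every ordinary account."""
    return [p for p in rdp_principals(inf_text) if p in BROAD]

def sample(sids):
    """Build a constructed template with the given RDP grant list."""
    return ("[Unicode]\nUnicode=yes\n[Privilege Rights]\n"
            "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545\n"
            f"{RDP_RIGHT} = {sids}\n")

WITH_USERS = sample("*S-1-5-32-544,*S-1-5-32-545")     # Administrators, Users
WITHOUT_USERS = sample("*S-1-5-32-544,*S-1-5-32-555")  # Administrators, Remote Desktop Users

if __name__ == "__main__":
    for label, text in (("with Users", WITH_USERS), ("without Users", WITHOUT_USERS)):
        print(label, rdp_principals(text), "broad:", broad_grants(text))
```
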




  #2  
Old January 27th 05, 10:38 AM
Rebecca Chen [MSFT]

Hi Jim,

I would like to confirm my understanding of this issue. I assume that:

1. User1 is a normal user on machine1; User1 logs on to machine1 locally and
then locks machine1.

2. User1 logs on to machine2 locally and RDPs to machine1.

This can be done successfully in Windows XP SP1; however, you need to add
User1 to the local Remote Desktop Users group in XP SP2 to achieve this goal.

One question: are they in a domain environment or a workgroup?

I am currently setting up the environment to test this issue. Now I have
built two machines: one is XP with SP1 and the other is XP with SP2
installed. They are both in a domain called win2k3dom. There is a user named
test.

The steps I will perform are as follows:
Use Test to logon to XPSP1 and lock it.
Use Test to logon to the XPSP2 and remote to XPSP1.
Use Test to logon to XPSP2 and lock it.
Use Test to logon to XPSP1 and remote to XPSP2.

NOTE: Test will only be in the local user group.

Are the steps correct? If not, please provide the detailed steps to
reproduce this issue.

Thank you for your patience!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

  #3  
Old January 31st 05, 03:12 PM
Jim Watts

Ok, thanks for your response.

Yes, your test environment looks correct. I have just duplicated it as well,
and I find exactly what you find. This is odd, as I'm sure that we used to
be able to remote desktop to machines while having the currently logged on
user NOT a member of the local remote desktop users group, but that doesn't
seem to have been the case.

Thanks for your testing efforts, and sorry to have wasted your time.

--
Jim Watts,
Technology Consultant
Information Systems Services
University of Southampton

"Rebecca Chen [MSFT]" wrote in message
...
Hi Jim,

I use the following steps to test this issue:

The environment:
================
1. Machine1 called rebcxp with SP1 installed.
2. Machine2 called rebcxpsp2 with SP2 installed.
3. The domain is named win2k3dom and the user is called test, which is a
normal domain users member as well as a member of both local users groups.

Steps performed:
===============
1. Use test to logon to rebcxp and lock the machine.
2. Use test to logon to rebcxpsp2 and RDP to rebcxp by using test account.
3. Get the error: "the local policy of the system does not permit you to
logon interactively"
4. Use domain administrator account to logon to the rebcxpsp2 machine and
RDP to rebcxp by using test, also get this error, please see my screen
shot.
5. Get the same result if I lock rebcxpsp2 and RDP from rebcxp.

Referring to the following article to add test as a member of the remote
desktop group on rebcxp, I can then use the rebcxpsp2 machine to RDP to
rebcxp. I have not seen any difference between the XP SP1 machine and the
SP2 machine.

289289 Remote desktop connection "The local policy of this system does not
http://support.microsoft.com/?id=289289

If this is not your case, please let me know the detailed steps to
reproduce this issue.

I look forward to your reply.

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA





  #4  
Old February 1st 05, 07:00 AM
Rebecca Chen [MSFT]

Hi Jim,

Thanks for keeping me updated!

I am glad to hear you have the same result as I have tested. I guess maybe
a group has been added to the local Remote Desktop Users group instead of the
individual user on the original XP SP1 machine.

If there is anything we can help with or you have a further update, let's get
in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA



 



