Remote Desktop domain User

  • A domain controller is a special type of server that DOESN'T CONTAIN any local accounts or local groups.

    You would have to put the user in the DOMAIN group for domain.local/Builtin/Remote Desktop Users group

    I'm pretty confident [can't recall 100%] that even if they are part of this, they CAN'T log in to a domain controller if they are not a domain administrator


  • I suggest not doing this at all. What is the purpose of having a non-privileged user connecting to a DC via RDP? Yes, it can be done, but probably shouldn't.

    Even with a domain admin credential, I rarely logon directly to a DC. Remote administration is done via my workstation [via alternate administrative credentials], or a jump station that has the tools loaded.


  • I think Adam is correct that what you're asking is not possible.

    What's your end goal here? Maybe it's something that can be done with RSAT and rights delegation?

  • I didn't see a why in your post.

    So I'll bite - why does a user need access to a DC of all things?

  • Directly add the new security group to BUILTIN\Remote Desktop Users via ADUC rather than a preference.

  • You also need to allow them "Log on Locally" on the DC, however that is not recommended.

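The two posts above (Adam's point that a DC has no local groups so the domain-wide Builtin\Remote Desktop Users group is the only one that exists, and the note that a logon right on the DC is needed on top of that) describe checks a practitioner should actually run before touching anything. The following is an added example, not code from the thread: it exports the effective user-rights assignment on a domain controller with secedit, resolves the SIDs, and then tests a given account against both conditions that an RDP logon to that DC requires (membership in Remote Desktop Users or Administrators, and the "Allow log on through Remote Desktop Services" right, which the Default Domain Controllers Policy grants to Administrators only). It assumes an elevated PowerShell session on the DC with the ActiveDirectory module installed; the account name jdoe is a placeholder.

```powershell
# Added example (not from the thread): audit who can actually RDP to this domain controller.
# Assumptions: run elevated on the DC; RSAT-AD-PowerShell installed; 'jdoe' is a placeholder.
Import-Module ActiveDirectory

# 1. Export the effective user-rights assignment on this DC (whatever GPO actually applied).
$cfg = Join-Path $env:TEMP 'dc-userrights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content -Path $cfg) {
    # INF lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @(
            foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if ($entry.StartsWith('*')) {
                    # Translate the SID so BUILTIN\Administrators etc. appear by name
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
                } else { $entry }
            }
        )
    }
}
Remove-Item -Path $cfg -Force

function Get-DcLogonRights {
    [pscustomobject]@{
        # "Allow log on through Remote Desktop Services": needed for any RDP session in
        # addition to group membership; on DCs the default grant is Administrators only.
        RemoteInteractive = $rights['SeRemoteInteractiveLogonRight']
        # "Allow log on locally": console logon; on DCs defaults to Administrators and the
        # Account/Backup/Print/Server Operators groups.
        Interactive       = $rights['SeInteractiveLogonRight']
        DenyRemote        = $rights['SeDenyRemoteInteractiveLogonRight']
    }
}

# 2. Does a principal named in a right (a user or a group, nested groups included) cover this account?
function Test-PrincipalCovers {
    param([string]$Principal, [Microsoft.ActiveDirectory.Management.ADUser]$User)
    $name = ($Principal -split '\\')[-1]           # strip the BUILTIN\ or DOMAIN\ prefix
    if ($name -eq $User.SamAccountName) { return $true }
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { return $false }
    # -Recursive follows nested groups, which is how most accidental grants happen
    return [bool](Get-ADGroupMember -Identity $group -Recursive |
                  Where-Object { $_.distinguishedName -eq $User.DistinguishedName })
}

function Test-DcRdpAccess {
    param([string]$SamAccountName)
    $user   = Get-ADUser -Identity $SamAccountName
    $rdpGrp = @($rights['SeRemoteInteractiveLogonRight']     | Where-Object { Test-PrincipalCovers $_ $user })
    $denied = @($rights['SeDenyRemoteInteractiveLogonRight'] | Where-Object { Test-PrincipalCovers $_ $user })
    $inRdu  = Test-PrincipalCovers 'BUILTIN\Remote Desktop Users' $user
    $inAdm  = Test-PrincipalCovers 'BUILTIN\Administrators' $user
    [pscustomobject]@{
        Account              = $SamAccountName
        InRemoteDesktopUsers = $inRdu
        InAdministrators     = $inAdm
        GrantedViaRight      = $rdpGrp
        DeniedViaRight       = $denied
        # Group membership alone is the "added them, still cannot log in" state the thread
        # describes; the user right must also be granted and no deny may apply.
        CanRdpToThisDC       = ($inRdu -or $inAdm) -and ($rdpGrp.Count -gt 0) -and ($denied.Count -eq 0)
    }
}

Get-DcLogonRights | Format-List
Test-DcRdpAccess -SamAccountName 'jdoe' | Format-List
```

Run it before and after a change and the CanRdpToThisDC field makes the gap explicit: adding the account to Remote Desktop Users flips only InRemoteDesktopUsers, and it stays false until a GPO applying to the DC also lists the account (or one of its groups) under SeRemoteInteractiveLogonRight, which is the grant the rest of the thread argues should not be made.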

  • kevinmhsieh wrote:

    I suggest not doing this at all. What is the purpose of having a non-privileged user connecting to a DC via RDP? Yes, it can be done, but probably shouldn't.

    Even with a domain admin credential, I rarely logon directly to a DC. Remote administration is done via my workstation [via alternate administrative credentials], or a jump station that has the tools loaded.

    Ditto. Why would a user need access to a DC? If he just needs a terminal session, spin up a member server if you are using VMs.

  • Slyldawg wrote:

    kevinmhsieh wrote:

    I suggest not doing this at all. What is the purpose of having a non-privileged user connecting to a DC via RDP? Yes, it can be done, but probably shouldn't.

    Even with a domain admin credential, I rarely logon directly to a DC. Remote administration is done via my workstation [via alternate administrative credentials], or a jump station that has the tools loaded.

    Ditto. Why would a user need access to a DC? If he just needs a terminal session, spin up a member server if you are using VMs.

    Speaking of... unless the user is going to be doing administrative tasks on the DC, this would violate the EULA. Doing non-admin tasks on Windows Server requires RDS licensing.


  • The entire question is silly. Is this a joke?

    Are you phishing us to see who bites?


  • Don't do it.


  • Just do not do it...


  • I mean everyone has essentially said the same thing here: you should never let a non-domain admin have direct access to a DC. Apart from any technical issues, the security issues it could raise are massive. What is the end goal? Maybe if we knew that we could help more.


  • I'm just guessing that you would be doing this to allow the user to make changes to user details, for example, HR. You can try creating a customised MMC: //social.technet.microsoft.com/Forums/ie/en-US/2d846b28-24fc-4422-ac69-ff4fac7d7cb4/customized...

    Then they would not need to access the server at all.

  • Joining the choir here. This is totally not best practice and potentially dangerous. What's the need for it if the user is NOT an admin?

  • NOOOOOOOOOOOO!!!!!!!!!!!!!!!!!!!!! Why?

  • Without knowing why, it's hard to provide a solution. I once had a need for a non-admin user to change passwords and add users to groups; we set up delegation for them.

  • "I want to give an end-user access to the DC".

    What could go wrong? /s

    Bad bad bad, no no no.

  • andrewnewell2, any update/info you want to add?

  • NECRO!

    For anyone wondering "why do this?" I have a legitimate [I think] use case involving DPAPI encryption of PoSh credential objects. I have a service account running a script as a scheduled task, with bare minimum permissions [not Domain Admin]. The task is running on the DC because it's AD related, and in order to set up the DPAPI encryption you have to create it logged in as the account on the machine where it will be decrypted, because DPAPI is not portable.

    I had to temporarily grant the service account domain admin in order to RDP in. Adding it to the list of users "allowed to RDP into this computer" and the RDP builtin group were not sufficient.

  • LanceHarmstrong wrote:

    NECRO!

    For anyone wondering "why do this?" I have a legitimate [I think] use case involving DPAPI encryption of PoSh credential objects. I have a service account running a script as a scheduled task, with bare minimum permissions [not Domain Admin]. The task is running on the DC because it's AD related, and in order to set up the DPAPI encryption you have to create it logged in as the account on the machine where it will be decrypted, because DPAPI is not portable.

    I had to temporarily grant the service account domain admin in order to RDP in. Adding it to the list of users "allowed to RDP into this computer" and the RDP builtin group were not sufficient.

    Sounds more like a case for running the script on a member server and installing the RSAT/PowerShell tools for ADDS.

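The DPAPI use case in LanceHarmstrong's post, and the member-server suggestion in the reply, both turn on one fact: a user-scope DPAPI blob has to be created by the account that will decrypt it, on the host that will decrypt it, but that does not require an interactive (RDP) logon. A process started under the account by a stored-password scheduled task runs with a batch logon and a loaded profile, which is all DPAPI needs, and it is the same logon type the account's real task already uses. The following is an added example, not code from the thread: run elevated on the host that will later decrypt the file (the DC in the post, or preferably a member server with RSAT), it hands the secret to the service account through a machine-scope DPAPI blob with a tight ACL, runs a one-shot task as that account to re-protect it under user scope with Export-Clixml, and removes the task and staging file. The names DOMAIN\svc-adscript, C:\Scripts and OneShot-ProtectCred are placeholders, and it assumes the account already holds "Log on as a batch job" on that host and has Modify rights on C:\Scripts.

```powershell
# Added example (not from the thread): create the user-scope DPAPI credential file AS the
# service account without granting it RDP, "log on locally" or Domain Admin.
# Assumptions: run elevated on the host that will decrypt the file; DOMAIN\svc-adscript
# holds "Log on as a batch job" there and can modify C:\Scripts. All names are placeholders.
Add-Type -AssemblyName System.Security
$svcAccount = 'DOMAIN\svc-adscript'
$scriptDir  = 'C:\Scripts'
$stageFile  = Join-Path $scriptDir 'stage.bin'          # short-lived machine-scope DPAPI blob
$credFile   = Join-Path $scriptDir 'ad-task.cred.xml'   # user-scope result the real task will Import-Clixml
$worker     = Join-Path $scriptDir 'Protect-Cred.ps1'
$taskName   = 'OneShot-ProtectCred'

$svcCred = Get-Credential -UserName $svcAccount -Message 'Service account password (task registration only)'
$target  = Get-Credential -Message 'Credential the scheduled script should use'

# 1. Hand the secret over without plaintext on disk: machine-scope DPAPI (any process on
#    THIS host can open it), with the file ACL cut down to Administrators and the account.
$payload = [Text.Encoding]::UTF8.GetBytes($target.UserName + "`n" + $target.GetNetworkCredential().Password)
$blob = [System.Security.Cryptography.ProtectedData]::Protect(
    $payload, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
[Array]::Clear($payload, 0, $payload.Length)
[IO.File]::WriteAllBytes($stageFile, $blob)
$acl = Get-Acl -Path $stageFile
$acl.SetAccessRuleProtection($true, $false)             # drop inherited ACEs
foreach ($id in 'BUILTIN\Administrators', $svcAccount) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
Set-Acl -Path $stageFile -AclObject $acl

# 2. Worker that runs as the service account: open the machine-scope blob, then let
#    Export-Clixml store the SecureString under user-scope DPAPI (current user, this host).
$workerBody = @'
Add-Type -AssemblyName System.Security
$bytes = [IO.File]::ReadAllBytes('__STAGE__')
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($bytes, $null, 'LocalMachine')
$user, $pass = [Text.Encoding]::UTF8.GetString($plain) -split "`n", 2
$cred = New-Object System.Management.Automation.PSCredential($user, (ConvertTo-SecureString $pass -AsPlainText -Force))
$cred | Export-Clixml -Path '__CRED__'
Remove-Item -Path '__STAGE__' -Force
'@
$workerBody.Replace('__STAGE__', $stageFile).Replace('__CRED__', $credFile) |
    Set-Content -Path $worker -Encoding UTF8

# 3. Run the worker once under a stored-password (batch logon) task, then remove the task.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$worker`""
Register-ScheduledTask -TaskName $taskName -Action $action -User $svcAccount `
    -Password $svcCred.GetNetworkCredential().Password -RunLevel Limited | Out-Null
Start-ScheduledTask -TaskName $taskName
do { Start-Sleep -Seconds 2 } while ((Get-ScheduledTask -TaskName $taskName).State -in 'Queued', 'Running')
$result = (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
Remove-Item -Path $worker -Force
if ($result -ne 0 -or (Test-Path $stageFile)) {
    Remove-Item -Path $stageFile -Force -ErrorAction SilentlyContinue
    throw "Worker task failed (LastTaskResult=$result); staging blob removed."
}
"Protected credential written to $credFile; only $svcAccount on $env:COMPUTERNAME can Import-Clixml it."
```

The real scheduled script then just does $cred = Import-Clixml 'C:\Scripts\ad-task.cred.xml'. Two caveats: that task must itself be registered with a stored password, since a task configured not to store the password gets an S4U logon without the user's DPAPI master key and the import fails; and the whole procedure is identical on a member server with the AD PowerShell module, which removes the reason for the script to be on the DC at all.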
