
Using Dynamic Local User Policy in Windows Server 2008 R2 Remote Desktop Session Host


Written by: Venkata Kumar Gorantla, Hannatti Sanjeevkumar, Sambit Dash

Reviewed by: Anju Dagliya



Note: The Remote Desktop Session Host on a Windows Server 2008 R2 device is the same as Terminal Server on a Windows Server 2003 device.



If you launch a remote desktop session from a Windows Vista or Windows 7 device to a Windows Server 2008 R2 device, you are prompted to specify Windows credentials. This is because the Network Level Authentication feature of RDC client 6.1 or higher requires Windows user credentials to be specified before the remote desktop session is launched. However, for Dynamic Local Users the Windows credentials are not yet available at this point.



The goal of this article is to enable the Dynamic Local Users to log into the Windows Server 2008 R2 Remote Desktop Session Host.



Prerequisite




  1. Ensure that Remote Desktop services are installed on the Windows Server 2008 R2 device.

  2. A Dynamic Local User Policy that has the Use user source credentials and Manage existing user account (if any) options enabled is already created.



Method 1



Steps:



  1. On the Windows Server 2008 R2 device, create a local user account for each existing eDirectory user. Each account must be created with the same name as the eDirectory username and with the User must change password at next logon option selected.

  2. Make each of the users a member of Remote Desktop Users.

  3. Do the following to change the Windows password to match the Novell Client password:

     1. Right-click Novell Client.

     2. Click Novell Client Properties.

     3. Click Advanced Login and set the Show login Windows Password Synchronization setting to On.

  4. Perform the following steps to enable the TSAUTOADMIN logon policy on the device:

     1. Open the registry editor.

     2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login and add the following:

        Value Type=REG_SZ, Name=TSClientAutoAdminLogon, Data=1

        Value Type=REG_SZ, Name=DefaultLoginProfile, Data=Default

     3. Close the registry editor.

  5. From a Windows Vista or Windows 7 device, launch a Remote Desktop session to the Windows Server 2008 R2 device and specify the Windows user credentials you created in Step 1.

  6. A Novell Client window is displayed. Click Cancel.

  7. In the next screen, click Novell Logon.

  8. Enter the Novell logon credentials to authenticate to eDirectory.

  9. In the Novell Login screen, specify the context and eDirectory server and click Apply.

     The following warning message is displayed:

     The Local Computer username or password is not valid

  10. Click OK.

  11. Specify the Windows credentials and select the Change your Windows password to match your Novell password after a successful login option.

      The password of the existing user is synchronized with the eDirectory password and the DLU policy settings are applied to the user account.
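The account creation, group membership and registry steps of Method 1 (steps 1, 2 and 4) can be scripted. The PowerShell below is an added example, not part of the original article; it assumes an elevated session on the Windows Server 2008 R2 device with the Novell Client installed, uses the ADSI WinNT provider because that release ships PowerShell 2.0, and the user names are constructed placeholders.

```powershell
# Added example: automates steps 1, 2 and 4 of Method 1. Run elevated on the
# Remote Desktop Session Host. The user names below are constructed samples.
Add-Type -AssemblyName System.Web   # provides Membership.GeneratePassword

$eDirUsers = @('jsmith', 'mlopez')  # constructed; use your eDirectory user names
$machine   = $env:COMPUTERNAME
$computer  = [ADSI]"WinNT://$machine,computer"
$rdpGroup  = [ADSI]"WinNT://$machine/Remote Desktop Users,group"

foreach ($name in $eDirUsers) {
    # Step 1: local account with the same name as the eDirectory user,
    # given a random one-time password instead of a shared default
    $initial = [System.Web.Security.Membership]::GeneratePassword(16, 3)
    $user = $computer.Create('user', $name)
    $user.SetPassword($initial)
    $user.SetInfo()
    # Equivalent of "User must change password at next logon"
    $user.Put('PasswordExpired', 1)
    $user.SetInfo()

    # Step 2: membership in Remote Desktop Users
    $rdpGroup.Add($user.Path)

    # Emit name and one-time password; deliver it over a channel you trust
    "{0}`t{1}" -f $name, $initial
}

# Step 4: TSAUTOADMIN logon policy values, both REG_SZ
$key = 'HKLM:\SOFTWARE\Novell\Login'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'TSClientAutoAdminLogon' -PropertyType String -Value '1' -Force | Out-Null
New-ItemProperty -Path $key -Name 'DefaultLoginProfile' -PropertyType String -Value 'Default' -Force | Out-Null

# Show what was written so the change can be verified
Get-ItemProperty -Path $key | Select-Object TSClientAutoAdminLogon, DefaultLoginProfile
```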



Method 2



Steps:



  1. On the Windows Server 2008 R2 device, create a user who has the minimum required rights to launch a Remote Desktop session. Communicate these credentials to all the eDirectory users.

  2. From a Windows Vista or Windows 7 device, launch an RDP session to the Windows Server 2008 R2 device and specify the user credentials you created in Step 1.

  3. A Novell Client window is displayed. Click Cancel.

  4. In the next screen, click Novell Logon.

  5. Enter the DLU user credentials. On successful login, a DLU user is created.


Note: This method poses a security risk because the credentials of the user account created in Step 1 have been communicated to all the eDirectory users.



Labels:

How To-Best Practice
Comment List
  • After the prerequisite go to your Windows 2008 R2 Server and open Group Policy Editor.

    Then in "Computer Configuration --> Administrative Templates --> Windows Components --> Remote Desktop Services --> Remote Desktop Session Host --> Security" enable "Require use of specific security layer for remote (RDP) connections" and set the security layer to RDP.

    This works for me! When I open a remote session on that server I get only one Login Screen where I enter my DLU enabled user and password and it works on my Windows 7 just like it worked before on my XP.

    Would be nice to know if you get the same result
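The policy named in the comment above fixes the RDP security layer. With the layer set to RDP, the session uses native RDP encryption, the server is not authenticated, and Network Level Authentication is not available. The check below is an added example, not part of the article or the comment; it reads the standard Terminal Services policy and listener registry values to report what is in effect on a host.

```powershell
# Added example: report which RDP security layer and NLA setting are in effect.
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$layerNames = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

function Get-RdpSetting([string]$Name) {
    # A value set through Group Policy takes precedence over the listener value
    foreach ($path in @($policy, $listener)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($item) {
            return New-Object PSObject -Property @{
                Name = $Name; Value = [int]$item.$Name; Source = $path }
        }
    }
}

$layer = Get-RdpSetting 'SecurityLayer'
$nla   = Get-RdpSetting 'UserAuthentication'

if ($layer) {
    "SecurityLayer      = {0} ({1}) from {2}" -f $layer.Value, $layerNames[$layer.Value], $layer.Source
    if ($layer.Value -eq 0) {
        "  RDP layer: native RDP encryption, server not authenticated, NLA unavailable"
    }
} else { "SecurityLayer not set" }

if ($nla) {
    "UserAuthentication = {0} ({1}) from {2}" -f $nla.Value,
        $(if ($nla.Value -eq 1) { 'NLA required' } else { 'NLA not required' }), $nla.Source
} else { "UserAuthentication not set" }
```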