Using Dynamic Local User Policy in Windows Server 2008 R2 Remote Desktop Session Host

Author Info

2 April 2010 - 10:06am
Submitted by: gvenkata

Written by: Venkata Kumar Gorantla, Hannatti Sanjeevkumar, Sambit Dash
Reviewed by: Anju Dagliya

Note: The Remote Desktop Session Host on a Windows Server 2008 R2 device is the same as Terminal Server on a Windows Server 2003 device.

If you launch a remote desktop session from a Windows Vista or Windows 7 device to a Windows Server 2008 R2 device, you are prompted for Windows credentials. This is because the Network Level Authentication feature of RDC client 6.1 or higher requires Windows user credentials before the remote desktop session is launched. However, for Dynamic Local Users the Windows credentials are not available at this point.

The goal of this article is to enable the Dynamic Local Users to log into the Windows Server 2008 R2 Remote Desktop Session Host.

Prerequisite

  1. Ensure that Remote Desktop services are installed on the Windows Server 2008 R2 device.
  2. A Dynamic Local User Policy with the "Use user source credentials" and "Manage existing user account (if any)" options enabled has already been created.

Method 1

Steps:

  1. On the Windows Server 2008 R2 device, create a local user account for each existing eDirectory user. Each account must have the same name as the eDirectory username and must be created with the "User must change password at next logon" option selected.
  2. Make each of the users a member of Remote Desktop Users.
  3. Do the following to change the Windows password to match the Novell Client password:
    1. Right-click Novell Client.
    2. Click Novell Client Properties.
    3. Click Advanced Login and set the Show login Windows Password Synchronization setting to On.
  4. Perform the following steps to enable the TSAUTOADMIN logon policy on the device:
    1. Open the registry editor.
    2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login and add the following:
      Value Type=REG_SZ, Name=TSClientAutoAdminLogon, Data=1
      Value Type=REG_SZ, Name=DefaultLoginProfile, Data=Default
    3. Close the registry editor.
  5. From a Windows Vista or Windows 7 device, launch a Remote Desktop session to the Windows Server 2008 R2 device and specify the Windows user credentials you created in Step 1.
  6. A Novell Client window is displayed. Click Cancel.
  7. In the next screen, click Novell Logon.
  8. Enter the Novell logon credentials to authenticate to eDirectory.
  9. In the Novell Login screen, specify the context and eDirectory server and click Apply.
    The following warning message is displayed:
    The Local Computer username or password is not valid
  10. Click OK.
  11. Specify the Windows credentials and select the Change your Windows password to match your Novell password after a successful login option.
    The password of the existing user is synchronized with the eDirectory password and the DLU policy settings are applied to the user account.
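
Steps 1, 2 and 4 of Method 1 can be scripted for a long user list. The following PowerShell is an added example, not part of the original article; the input file C:\dlu\users.txt and the choice of a random initial password per account are assumptions.

```powershell
# Added example, not from the article. Run elevated on the Windows Server 2008 R2
# Remote Desktop Session Host (uses only PowerShell 2.0 features).
# Assumption: C:\dlu\users.txt is a hypothetical list, one eDirectory username per line.
$userList = 'C:\dlu\users.txt'
Add-Type -AssemblyName System.Web          # for Membership.GeneratePassword

$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$rdpUsers = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"

$names = Get-Content $userList | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($name in $names) {
    # A distinct random initial password per account, so no credential is shared.
    $initial = [System.Web.Security.Membership]::GeneratePassword(14, 3)
    try {
        # Step 1: local account with the same name as the eDirectory user.
        $user = $computer.Create('user', $name)
        $user.SetPassword($initial)
        $user.SetInfo()
        $user.Put('PasswordExpired', 1)    # "User must change password at next logon"
        $user.SetInfo()
        # Step 2: membership in Remote Desktop Users.
        $rdpUsers.Add($user.Path)
        # Emitted so each initial password can be delivered to its own user.
        New-Object PSObject -Property @{ User = $name; InitialPassword = $initial }
    } catch {
        # Covers an existing account or a password-policy rejection.
        Write-Warning "Skipped '$name': $($_.Exception.Message)"
    }
}

# Step 4: the two REG_SZ values under HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login.
$key = 'HKLM:\SOFTWARE\Novell\Login'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'TSClientAutoAdminLogon' -PropertyType String -Value '1' -Force | Out-Null
New-ItemProperty -Path $key -Name 'DefaultLoginProfile' -PropertyType String -Value 'Default' -Force | Out-Null
```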

Method 2

Steps:

  1. On the Windows Server 2008 R2 device, create a user who has the minimum required rights to launch a Remote Desktop session. Communicate these credentials to all the eDirectory users.
  2. From a Windows Vista or Windows 7 device, launch an RDP session to the Windows Server 2008 R2 device and specify the user credentials you created in Step 1.
  3. A Novell Client window is displayed. Click Cancel.
  4. In the next screen, click Novell Logon.
  5. Enter the DLU user credentials. On successful login, a DLU user is created.

Note: This method poses a security risk because the credentials of the user account created in Step 1 have been communicated to all the eDirectory users.


Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.




User Comments

Not much of a solution

Submitted by gemme on 14 April 2010 - 1:59pm.

It was nice to come across a fix to this issue. I'm working on setting up a Windows 2008 terminal server with Zen 10 DLU for users and was curious about this from Windows 7/Vista clients.

I'm glad to see I'm not the only one to run into this, but I can't be the only one for whom neither method is possible. I can't create thousands of local users just for this, and method 2 wouldn't go over well with users.

Hopefully there will be a way to address this in the future release of Zen perhaps.

Proper Solution?

Submitted by caritas-geldern on 15 October 2010 - 2:00am.

I fully agree with gemme. Is there already a professional solution? Because Novell cannot expect us to create over 200 users locally on every Remote Desktop Host...

Solution !?

Submitted by Calimero on 9 March 2011 - 2:37am.

After the prerequisite go to your Windows 2008 R2 Server and open Group Policy Editor.

Then in "Computer Configuration --> Administrative Templates --> Windows Components --> Remote Desktop Services --> Remote Desktop Session Host --> Security" enable "Require use of specific security layer for remote (RDP) connections" and set the security layer to RDP.

This works for me! When I open a remote session on that server I get only one Login Screen where I enter my DLU enabled user and password and it works on my Windows 7 just like it worked before on my XP.

Would be nice to know if you get the same result
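
An added example, not part of Calimero's comment: the policy named above is stored as the SecurityLayer registry value, where 0 selects the RDP security layer, which does not use TLS to authenticate the server and does not support Network Level Authentication. The PowerShell below reports the effective setting on a Remote Desktop Session Host so that hosts running with this setting can be inventoried; the function names are illustrative.

```powershell
# Added example: report the effective RDP security layer and NLA setting on this host.
# Works in PowerShell 2.0 on Windows Server 2008 R2.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$layerNames = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-EffectiveSetting([string]$Name) {
    # A Group Policy value, when present, overrides the per-listener value.
    $value  = Get-RegValue $policyKey $Name
    $source = 'Group Policy'
    if ($null -eq $value) {
        $value  = Get-RegValue $localKey $Name
        $source = 'RDP-Tcp listener'
    }
    New-Object PSObject -Property @{ Name = $Name; Value = $value; Source = $source }
}

$layer = Get-EffectiveSetting 'SecurityLayer'
$nla   = Get-EffectiveSetting 'UserAuthentication'   # 1 = NLA required

if ($null -eq $layer.Value) {
    Write-Output 'SecurityLayer is not set in policy or on the listener.'
} else {
    $label = $layerNames[[int]$layer.Value]
    Write-Output ("SecurityLayer = {0} ({1}), source: {2}" -f $layer.Value, $label, $layer.Source)
}
if ($null -ne $nla.Value) {
    Write-Output ("UserAuthentication = {0}, source: {1}" -f $nla.Value, $nla.Source)
}

if ($layer.Value -eq 0) {
    # The setting from the comment above: no TLS server authentication, no NLA.
    Write-Warning 'Host accepts RDP security layer only; restrict RDP access to trusted networks.'
}
```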

Good find

Submitted by gemme on 11 April 2011 - 12:10pm.

Thank you Calimero. That fix works.

Thank you Calimero!

Submitted by alphonzo1 on 28 June 2011 - 12:15pm.

Appreciate you sharing the real solution!

© 2013 Novell