Logging for remote dialup users

We currently have a 3725 router that controls our remote dialup service. It is only used by a few remote users that do not have internet access. They currently authenticate via RADIUS against our AD.
Is there a way on the router to look at all incoming calls that were made?
Also, is there a way to generate a syslog event for each dialup user that connects in?
Any help would be appreciated.
Cheers
Dave

Yes, the user can successfully be authenticated to the ACE server...
see below debug aaa authentication
017497: Dec 21 14:08:54.188: RADIUS/ENCODE: Best Local IP-Address 10.160.144.11 for Radius-Server 10.160.75.160
017498: Dec 21 14:08:54.188: RADIUS(000000C0): Send Access-Request to 10.160.75.160:1645 id 1645/82, len 100
017499: Dec 21 14:08:54.188: RADIUS: authenticator 33 61 55 2A 29 59 46 3D - 02 DF 28 D3 37 B0 B0 AA
017500: Dec 21 14:08:54.188: RADIUS: User-Name [1] 9 "bhattii"
017501: Dec 21 14:08:54.188: RADIUS: User-Password [2] 18 *
017502: Dec 21 14:08:54.188: RADIUS: NAS-Port [5] 6 66
017503: Dec 21 14:08:54.188: RADIUS: NAS-Port-Id [87] 8 "tty1/0"
017504: Dec 21 14:08:54.188: RADIUS: NAS-Port-Type [61] 6 Async [0]
017505: Dec 21 14:08:54.188: RADIUS: Calling-Station-Id [31] 7 "async"
017506: Dec 21 14:08:54.188: RADIUS: Connect-Info [77] 20 "33600 V34/V44/LAPM"
017507: Dec 21 14:08:54.188: RADIUS: NAS-IP-Address [4] 6 10.160.144.11
017508: Dec 21 14:09:04.208: RADIUS: Received from id 1645/82 10.160.75.160:1645, Access-Accept, len 50
017509: Dec 21 14:09:04.208: RADIUS: authenticator AC C7 DC A2 AB F1 69 AD - 69 BE 4B 7F 9F 3C A4 8C
017510: Dec 21 14:09:04.208: RADIUS: Reply-Message [18] 21
017511: Dec 21 14:09:04.208: RADIUS: 50 41 53 53 43 4F 44 45 20 41 63 63 65 70 74 65 [PASSCODE Accepte]
017512: Dec 21 14:09:04.208: RADIUS: 64 0D 0A [d??]
017513: Dec 21 14:09:04.208: RADIUS: User-Name [1] 9 "bhattii"
017514: Dec 21 14:09:04.208: RADIUS(000000C0): Received from id 1645/82
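
An added example, not part of the original thread: one way to turn RADIUS debug lines like those quoted above into one event per dial-in attempt by pairing each Access-Request with its reply on the RADIUS id. The first six sample lines come from the output above; the last five, the function names and the `dialup-auth` message format are constructed for illustration.

```python
import re
from datetime import datetime

# Lines 017498-017513 are from the debug output quoted in the thread; the
# ids 1645/83 and 1645/84 are constructed to show a reject and a lost reply.
SAMPLE = '''\
017498: Dec 21 14:08:54.188: RADIUS(000000C0): Send Access-Request to 10.160.75.160:1645 id 1645/82, len 100
017500: Dec 21 14:08:54.188: RADIUS: User-Name [1] 9 "bhattii"
017503: Dec 21 14:08:54.188: RADIUS: NAS-Port-Id [87] 8 "tty1/0"
017506: Dec 21 14:08:54.188: RADIUS: Connect-Info [77] 20 "33600 V34/V44/LAPM"
017508: Dec 21 14:09:04.208: RADIUS: Received from id 1645/82 10.160.75.160:1645, Access-Accept, len 50
017513: Dec 21 14:09:04.208: RADIUS: User-Name [1] 9 "bhattii"
017520: Dec 21 14:15:10.000: RADIUS(000000C1): Send Access-Request to 10.160.75.160:1645 id 1645/83, len 98
017521: Dec 21 14:15:10.000: RADIUS: User-Name [1] 7 "guest"
017522: Dec 21 14:15:10.400: RADIUS: Received from id 1645/83 10.160.75.160:1645, Access-Reject, len 20
017530: Dec 21 14:20:00.000: RADIUS(000000C2): Send Access-Request to 10.160.75.160:1645 id 1645/84, len 98
017531: Dec 21 14:20:00.000: RADIUS: User-Name [1] 8 "nobody"
'''

LINE = re.compile(r"^\d+: (\w{3} +\d+ [\d:.]+): RADIUS(?:\([0-9A-F]+\))?: (.*)$")
SEND = re.compile(r"Send Access-Request to ([\d.]+):\d+ id (\d+/\d+)")
RECV = re.compile(r"Received from id (\d+/\d+) [\d.]+:\d+, (Access-\w+)")
ATTR = re.compile(r'^([A-Za-z-]+) \[\d+\] \d+ "([^"]*)"')


def parse_ts(stamp):
    # The debug timestamps carry no year; 2000 is a placeholder, so only
    # differences between two timestamps are meaningful.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S.%f")


def finish(req, result, latency):
    a = req["attrs"]
    return {"user": a.get("User-Name", "?"), "port": a.get("NAS-Port-Id", "?"),
            "connect": a.get("Connect-Info", "?"), "server": req["server"],
            "result": result, "latency_s": latency}


def summarize(text):
    """Return one event dict per Access-Request found in the debug text."""
    pending, current, events = {}, None, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, body = parse_ts(m.group(1)), m.group(2).strip()
        if (s := SEND.search(body)):
            current = s.group(2)
            pending[current] = {"server": s.group(1), "sent": ts, "attrs": {}}
        elif (r := RECV.search(body)):
            req = pending.pop(r.group(1), None)
            current = None  # attributes after this line belong to the reply
            if req:
                delay = (ts - req["sent"]).total_seconds()
                events.append(finish(req, r.group(2), delay))
        elif current and (a := ATTR.match(body)):
            pending[current]["attrs"][a.group(1)] = a.group(2)
    # Requests with no reply in the capture are reported last
    events += [finish(req, "No-Reply", None) for req in pending.values()]
    return events


def to_syslog(ev):
    lat = "n/a" if ev["latency_s"] is None else f'{ev["latency_s"]:.2f}s'
    return (f'dialup-auth user={ev["user"]} port={ev["port"]} '
            f'result={ev["result"]} server={ev["server"]} '
            f'latency={lat} connect="{ev["connect"]}"')


if __name__ == "__main__":
    for event in summarize(SAMPLE):
        print(to_syslog(event))
```

On the lines from the thread, the pairing also shows that the Access-Accept arrived about ten seconds after the request, which the raw debug output does not make obvious.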

Similar Messages

  • Remote Desktop Service Manager - configure permissions for Remote Desktop Users to Send Message, Disconnect, Logoff

    Hello, dear colleagues.
    We are using Windows Server 2012 R2 as Remote Desktop Server. Also use Windows Server 2008 R2 with Remote Desktop Service Manager to control RDS user sessions (Send Message, Disconnect, Logoff, Query Info). 
    Send Message, Disconnect, Logoff options work only for users in the Administrators group.
    I can't configure permissions for Remote Desktop Users, a specific user or an AD group.
    To set permissions I'm running RDS Host Configuration on Windows Server 2008 R2 and connecting to Windows Server 2012 R2. Then I double-click RDP-Tcp, open the Security tab, add a specific user account or AD group, or configure advanced permissions for Remote Desktop Users.
    But, as I said above, these options work only for users in the Administrators group. How to make it work for Remote Desktop Users or a specific user or AD group?
    Thanks.
    P.S. If I move a specific user from the Remote Desktop Users group to the Administrators group on Windows Server 2012 R2, it works.

    Hi,
    You can prevent administrators from changing the permissions for a connection by applying the "Do not allow local administrators to customize permissions" Group Policy setting.
    This Group Policy setting is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
    Apart from that, there is one command with which you can set the permission; for that, check the related article. Additionally, check this thread for more detail.
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Routing issue for remote vpn user and spoke

    Hi all,
    I have configured a VPN (see attached file).
    Before upgrading the ASA from 8.3 to 8.4, the spokes were able to communicate between them and remote VPN users were also able to access the spoke sites.
    After upgrading the ASA hub, neither spoke-to-spoke nor remote-user-to-spoke traffic can communicate.
    Here is the NAT exemption configuration on the ASA hub. Only this ASA has been upgraded. Nothing has been done on the other sites.
    object network 172.17.8.0
    subnet 172.17.8.0 255.255.255.0
    object network 10.100.96.0
    subnet 10.100.96.0 255.255.240.0
    object network VPN-SUBNET
    subnet 172.20.1.0 255.255.255.0
    nat (outside,outside) source static 172.17.8.0 172.17.8.0 destination static 10.100.96.0 10.100.96.0
    nat (outside,outside) source static 10.100.96.0 10.100.96.0 destination static 172.17.8.0 172.17.8.0
    nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 10.100.96.0 10.100.96.0
    nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 172.17.8.0 172.17.8.0
    same-security-traffic permit intra-interface
    same-security-traffic permit inter-interface
    Please do you know what can be the problem ?
    thanks so much for your help

    Since you are not NATing any of those traffic and it's a u-turn traffic, pls remove those 4 NAT statements. They are not required at all.
    Pls "clear xlate" after removing it and let us know how it goes.

  • Group Policy for Remote Desktop Users

    Hi,
    Currently my users use desktops and have user and computer GPOs applied (typical things like logon scripts etc.) at the OU level where they reside e.g. Finance Users, Sales Users etc.
    I am planning a Remote Desktop 2012 environment.
    I have read the following:
    TechNet cc779327
    So, my understanding is that I create a new OU for my Remote Desktop Server only (not users), and create a new security Group for my RD Users and a security group for my RD server.
    Remote Desktop Servers OU
               * RD User GPO (filter on RD User security Group and RD Computer Security Group)
               * RD Computer GPO (filter on RD User security Group and RD Computer Security Group)
    I then apply all computer settings to the RD Computer GPO (loopback processing, Windows installer, hide shortcuts etc.).
    I then apply all user settings to the RD User GPO (app specific, templates etc.)
    Why not consolidate the two GPOs into one?
    If I set computer settings in the computer GPO, and apply it as above to filter to the RD Server group and RD Users Group, will this apply to only users in the RD User Group...or ALL users since I added the server to the filter?
    If a user currently gets a setting in their normal OU e.g. Finance logon script, will they still get it on the Remote Desktop? Or do I need to copy that GPO setting to my new RD User GPO also?
    Am I right to add both RD Server and RD User groups to the filter on both RD User and RD Computer GPOs?
    Loopback processing - merge or replace typically for Remote Desktop?

    Hi,
    Thank you for posting in Windows Server Forum.
    Create an OU for the RDS Server in Active Directory. Create a security group for users who will use the Remote Desktop Host (i.e. RDS Users). Create a GPO (i.e. RDS Server Lock Down). In Security Filtering delete Authenticated Users, add the RDS Server Account, and the security group created in the previous step.
    Please check the articles beneath, which might be useful for better understanding.
    Lock Down Remote Desktop Services Server 2012
    How to secure your remote desktop server with GPO
    Hope it helps!
    Thanks,
    Dharmesh

  • Console.log for remote device?

    I have everything setup so far. Inspect is pretty nice so far, I was doing everything manually with Charles, Weinre and vhosts, but the shadowing function of EI is pretty nice!
    So, I'd like to see my console.logs in the Remote Inspection, but I don't see anything when I refresh the iPad. I have a very simple "Ready" message that shows up in the Dev Tools Console in Chrome on my desktop. Should I be able to see that log if I refresh in the remote iPad? (I'm also using the .xip.io vhost approach)
    Thanks!

    You should be able to see all of your console.log messages from the inspected device in the weinre window, but there is one caveat to that and I think that's why you're not seeing your "Ready" message. For the page to be instrumented properly for remote inspection to work we have to inject a snippet of javascript into your page. We do that injection in the page load complete event on the device. That means that any log messages that happen prior to or within a short period after the page complete event can be missed. Any other log messages should work correctly and show up in the weinre window.
    You might get better results if you put the weinre javascript reference into the page yourself, but I haven't tried it out.
    Hope this helps,
    Mark

  • How I can disable Firefox from browsing Local drives of servers for remote desktop users in Windows Server 2008 R2 SP1??

    Hi ..
    Recently I came across a security hazard in Firefox. It displays the C and D drives' content when "C:\" or "D:\" is typed in the browser address bar. Is there any workaround for restricting domain users from doing this on Firefox 12 ??
    Thanks

    Hiya,
    It could sound like that one indeed. There are a few options to go for, however it should be fairly easy to find out :)
    Create a test GPO and apply to a limited amount of users. GPUpdate and verify that the GPO has been applied using rsop.msc
    Then open the application to test and see if it has the desired effect. You might need to change more than one setting, depending on the application and desired behavior.

  • P2 Log for HVX-200 users

    Imagine Products, the makers of HD LOG, have now released P2 Log (http://www.imagineproducts.com/P2log.htm). This is a low cost P2 viewer for the Mac. It only costs $99 (much better than the HD Log's cost of $699) so now it is VERY affordable.
    Shane

    And for us PAL lot this is currently the answer to FCP not having its own 720p 25/50 support. The engineers at Imagine figured out a very successful way to allow 720p 25/50 to be worked with in FCP. I tested it in HD Log and it works very well, but I was unwilling to stump up $700. Now it's a steal!

  • Any logs for 'Create/Drop Users'

    Hello all,
    -Are there any logs that can be referred to verify when a user was created and dropped etc?
    -Alter log seems only logging startup/shutdown, redo switches, creating/dropping tablespaces.
    -Is there a way to restore a schema completely?
    I haven't got a lot of experience, and little more than none in terms of backups and restores.
    Thank you!

    Thanks,
    Hi,
    You can check the CREATED column of DBA_USERS to know
    the date on which the user was created. If you want
    to make a note of the date at which the user was
    created and the date at which the user was dropped,
    create a separate procedure that will allow you to
    carry out this.
    That's a very good point, and sounds very useful. But I need more advice on this please. How about a trigger or something that can log these details into some table?
    Is there a way to restore a schema completely?
    Yes by EXP u can export a particular schema only and
    u can import the same using IMP.
    How can I set this up to automate this on a regular basis?
    Thanks again both of you!
    N

  • Utility to show download time (for dialup users)?

    I manage a site for the local Friends of the library
    www.forl.org
    We live in a rural area where there are still many dial-up users: either high speed is too expensive, or unavailable. As I make additions & changes, I'd like to keep an eye on how long a page takes for a dialup user to download. This sort of thing used to be standard in html editors but now there's the assumption that everyone has broadband and I have not found anything for OS X that will do this task.
    Any suggestions?
    Thanks.

    Fast connection speed doesn't automatically translate to fast page load times. Ask anyone on a modern "high speed" connection.
    Web browsers still use "cached files" to intercept previously loaded page elements (until the cache is cleared) to assist page load times.
    The speed of your server (combined by your connection speed) and "bandwidth usage" is a better guide. Your files are served by Apple and the largest file on your start page is:
    http://web.mac.com/akantha/forl/Scripts/iWebSite.js (made by the iWeb software and also cached) at 109KB's.
    http://www.mac.com/st/1/sharedassets/1.1/Common/Templates/Watercolor/About%20Me/navgb_blue-1.jpg is the third largest page element. You can view the individual files used in your Web pages by using the Safari Activity window.
    Since you have no control over the server speed or the "bandwidth" limits (both controlled by your MobileMe account) there is little you can do to "speed things up".
    My 2¢?
    Don't worry about things out of your control. Your pages and your service are just fine for dial up users.

  • Change evtloglvl for a single user using srvmgr?

    We want to analyze some problems in our environment with one specific user.
    We use Oracle Siebel 8.2.2.3.
    We know commands for changing evtloglvl for components, but not for users.
    Is there any possibility to change the evtloglvl based on a user that logs in?
    We didn't find anything in the bookshelf.

    Also, depending on what you want to know maybe this document will be useful
    How to enable object manager logging for only one user? (Doc ID 751270.1)
    Thanks,
    Florin

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provides an L2L tunnel to a remote site and provides remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.
    The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP address.
    I can ping the IP address of the ACS server (which is located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However when I configure the ASA for the AAA group with commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    Then when I do the show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    What I think is that, with this running config, traffic is not directed to the L2L VPN tunnel (it seems to be directed to the default gateway due to the default route information), which causes the AAA authentication to fail.
    Has anybody ever implemented such a thing, and is it possible? And if yes, how should the config be?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

  • Can't change search options in Outlook 2007 on Windows Server 2008R2 Remote Desktop Users

    One of my users is trying to change search options in Outlook 2007.
    But he can't change the search options.
    He is working with Outlook 2007 on Remote Desktop Services 2008 r2.
    We don't use cache mode on the terminal server.
    Any suggestion how we can enable search options for remote desktop users?

    Hi Roel,
    Thank you for posting in Windows Server Forum.
    To customize Instant Search options by using Group Policy 
    - In Group Policy, load the Office Outlook 2007 template (Outlk12.adm).
    - To customize how results are displayed, under
    User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options\Preferences\Search Options, double-click the setting that you want to set. For example, double-click Turn off wordwheel.
    - Click Enabled. For hit highlighting color, choose a color from the Background Color drop-down list.
    - Click OK.
    More information.
    Configure Instant Search options in Outlook 2007
    http://technet.microsoft.com/en-in/library/cc178983(v=office.12).aspx
    In addition, perform below steps to edit the registry key and check.
    Step 1: Open the Registry Editor application.
    Step 2: In the Registry Editor, click the Edit menu and select Find. Type PreventIndexingOutlook in the search field and click Find Next.
    Step 3: Right click PreventIndexingOutlook and select Modify. Change its Value data to 0 and click OK.
    Step 4: Search again by clicking the Edit menu and select Find. Type SetupCompletedSuccessfully in the search field and click Find Next. Locate this key.
    Step 5: Right click the SetupCompletedSuccessfully key and select Modify. Change its Value Data to 0 and click OK.
    Step 6: Restart your computer and you will now be able to perform advanced searches in Microsoft Outlook.
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Users cannot log into Remote Desktop after 3/11/2015 update!

    I have a simple network where users can log into a Windows SBS 2008 server with Remote Desktop to access various applications.  This worked quite smoothly until this morning, after the updates of last evening. (3/11/2015)
    When users tried to log into the Remote Desktop this morning their credentials were rejected, as if their username and/or password were incorrect.  Even I (as the administrator) could not log in remotely.  Finally I connected a monitor and keyboard directly to the server and was able to log in without an issue.  After logging in directly I was able to connect through remote desktop.
    This method worked for my other users as well - after I logged them in directly they were able to use remote desktop no problem.
    The trouble is that I have a couple dozen users, and this is an issue that should not be occurring.  What happened in the last update to cause remote desktop to reject users credentials?  Why does it only work after the user logs in directly? 
    And most importantly, how do I fix this?
    A few notes:
    Simply browsing for files on the server also asks for the user's name and password, and this works as well.  This is only a remote desktop issue.
    I have already checked to make sure the domain was correct.  It was.
    I have already checked to make sure the usernames and passwords were correct.  They were.
    I have already checked to make sure this was not a unique issue for a single (or limited number) of users.  This issue affected all users on the network.
    Thank you very much for your help,
    Dustin

    I'm curious here...  If the server is rebooted, does it put the RDS users back into a "credentials failed" situation?  If so, could you please have them log in with credentials:
    domain.local\username    (I suspect they may be currently using domain\username)
    and see if that fixes the RDS problem without having to first log into the server directly.
     The ".local" may be ".lan" or ".somethingelse" depending on how you initially configured your domain, but the default for SBS 2008 is ".local"
    Merv Porter
    =========================
    That's a good question - the server will auto-reboot this evening and I'll test again in the morning. 
    You are correct that we've been using domain\username.  I tried domain.local\username (which is the way we've set up), and that did not work either.
    I'll let you know how things turn out tomorrow morning.  I don't want to mess with my users anymore today. :P
    Dustin

  • The connection was denied because the user account is not authorized for remote login

    Using Terminal Server 2008 not able to get non administrator users to login to the remote desktop. Have tried from Windows server 2008 and from Windows servers 2003. Get error login in "The connection was denied because the user account is not authorized for remote login" from Windows Server 2008. Error "The requested session access is denied" from Windows Server 2000.

    Is that seriously the only way to do this? Doesn't this render the "Allow log on through Terminal Services" GP Setting useless?
    I would like to know this answer, as well.  I have created a new AD group for my assistant admins called "Domain Admins (limited)".  I have added this group to the GP setting "Allow log on through Terminal Services", but the
    assistant admins cannot log in through RDP.  It 'feels like' this is all I would need to do.
    Craig
    Found some good info
    here. There are really two things required for a user to connect to a server via RDP. You can configure one of them via Group Policy but not the other.
    1) Allow log on through Terminal Services can be configured through Group Policy, no problem.
    2) Permissions on the RDP-listener must also be granted.  If your user is a member of the local Administrators group or the local Remote Desktop Users group then this is handled.  If you are trying to utilize a new, custom group (as I am),
    then there isn't a way to do this via group policy (that I have found).
    EDIT: Found the answer.  I am creating a blog post to outline the steps.  They aren't hard, but they're not self-explanatory.  It deals with the Restricted Groups mentioned above, but it's still automate-able using Group Policy so that you
    don't have to touch each computer.  I think the above poster (Andrey Ganev) got it right, but
    I had trouble deciphering his instructions.
    Here is my blog post that walks through this entire process, step-by-step.

  • AD SSO not happening for Remote Users

    Dear Members
    I am having an issue with the NAC Deployment for Remote users (Users behind WAN Router)
    Windows AD SSO (2008) is happening for LAN users successfully, however remote users are not able to do AD SSO.
    It is ensured that remote users, even in the unauthenticated state, can reach Active Directory. There is no filtering on any of the devices across the path for this communication.
    When I use Kerbtray on the remote PC, I find no tickets at all (I am logged in through the domain).
    What could be going wrong? Is it delay (as they are WAN users) which might contribute to this issue, and if so, where are the needed parameters that can be tuned for AD SSO to happen?
    Any help will be highly appreciated.
    thanks
    Ahad

    Hi Ahad,
    As long as ALL the policies in Table 8-1 are configured for the Unauthenticated Role
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1174219
    the CAS should be out of the picture for what concerns the communication between the PC and Kerberos.
    If the Kerbtray.exe output for a failing user is empty, it means that the unsuccessful users do not have any Service Ticket (ST) at all.
    This points to an issue with AD (considering the fact that the CAS is already allowing all the traffic to/from AD).
    The failing users are either unable to send the Ticket-Granting Ticket (TGT) to AD, or they are unable to obtain the Service Ticket (ST) from AD.
    The CAS during this phase is neither performing any actions nor blocking any traffic, since all the communications to/from AD are already fully open in the unauthenticated role.
    Regards,
    Fede
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
