What I Learned Today About Windows 2003 Security Policies

The MCW Web server runs at a locked, remote, hosted location in Los Angeles. We get our service from a great local company, US Internet, and they're incredibly helpful and supportive. None of us lives nearby (at least, not anymore). We use Terminal Server to access the server, and occasionally the hosting company folks drop by to do some things that we can't handle remotely. (PC Anywhere used to work, but to be honest, it's got some issues with Windows Remote Access, so it hasn't worked in a while.)

Today, I needed to add in Russ Nemhauser as a user so he could do some work on the site for us, but I didn't want to add him as a member of the Administrators group. Not really knowing what I was doing, I found local security policies that allowed me to grant him access to log in locally, and to log in using Terminal Server. Seemed like the right thing to do.

Was I wrong, or what? Because we had never had a discrete policy concerning the ability to log in using Terminal Server, anyone who had rights to log in locally could log in using Terminal Server. But the moment I created the policy and added Russ to it, suddenly, he was the only person who could log in using Terminal Server. And he's not an administrator! Yikes. No one can log in but Russ, and no one can add administrators into the policy.
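The lockout described above follows from how a user-rights assignment works: the right ("Allow log on through Terminal Services", internally SeRemoteInteractiveLogonRight) is a whole list that gets set, not a list you append to, so whatever is written for it becomes the complete set of accounts allowed to connect. The script below is an added example, not code from the original post: it exports the current holders of the two rights the post mentions with secedit, merges the new account and the built-in Administrators group (S-1-5-32-544) into that list, aborts if any existing holder would be dropped, and only then writes the result back. It assumes an elevated PowerShell session on the server itself (PowerShell did not ship with Windows Server 2003, so it has to be installed), that secedit.exe is available, and that scratch files may be written under $env:TEMP; the account name "russ" is a placeholder.

```powershell
# Added example, not from the original post.
# Grant a non-administrator account "Allow log on locally" and
# "Allow log on through Terminal Services" without dropping the accounts
# that already hold those rights.
# Assumptions: elevated PowerShell on the server, secedit.exe present,
# scratch files under $env:TEMP. "russ" is a placeholder account name.

param(
    [string]$User = "russ"   # placeholder account, not from the post
)

$Rights = @(
    "SeInteractiveLogonRight",        # Allow log on locally
    "SeRemoteInteractiveLogonRight"   # Allow log on through Terminal Services
)
$AdminHolder = "*S-1-5-32-544"        # built-in Administrators, in secedit's "*SID" form

$Before = Join-Path $env:TEMP "rights-before.inf"
$After  = Join-Path $env:TEMP "rights-after.inf"
$Db     = Join-Path $env:TEMP "rights-after.sdb"

# Resolve the account to a SID; secedit stores right holders as "*<SID>".
$sid = (New-Object System.Security.Principal.NTAccount($User)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$NewHolder = "*$sid"

# 1. Export the current user-rights assignment (secedit writes a Unicode INF).
& secedit /export /cfg $Before /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $Before)) { throw "secedit export failed; nothing was changed." }
$lines = Get-Content $Before

# 2. Read the current holders of one right. No matching line means nobody holds it.
function Get-RightHolders([string[]]$InfLines, [string]$Right) {
    foreach ($line in $InfLines) {
        if ($line -match "^\s*$Right\s*=\s*(.*)$") {
            return @(($Matches[1] -split ",") | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return @()
}

# 3. Merge: current holders + the new account + Administrators. Abort if the
#    merge would ever drop an existing holder (it should not, but check anyway).
$merged = @{}
foreach ($right in $Rights) {
    $current = Get-RightHolders $lines $right
    if ($current -notcontains $AdminHolder) {
        Write-Warning "$right currently does not include Administrators; it will be re-added."
    }
    $new = @(@($current) + @($NewHolder, $AdminHolder) | Select-Object -Unique)
    foreach ($h in $current) {
        if ($new -notcontains $h) { throw "$right would drop $h; refusing to apply." }
    }
    $merged[$right] = $new
    Write-Host "$right -> $($new -join ', ')"
}

# 4. Write a minimal INF carrying only the merged rights and apply it.
#    A [Privilege Rights] line replaces the full assignment for that right,
#    which is exactly why the merge in step 3 matters.
$body = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
"@
foreach ($right in $Rights) { $body += "`r`n$right = $($merged[$right] -join ',')" }
$body | Out-File -FilePath $After -Encoding Unicode

& secedit /configure /db $Db /cfg $After /areas USER_RIGHTS
Write-Host "Applied. Before closing this session, open a second Terminal Services session as an administrator to confirm you are not locked out."
```

Two practical notes. On Windows Server 2003 the built-in Remote Desktop Users group holds the Terminal Services right by default, so for a fresh box the simpler and safer route is `net localgroup "Remote Desktop Users" russ /add` and no policy editing at all; the script is for the case where the right has already been edited and that default can no longer be relied on. In either case, keep the session you are working in open and verify with a second, separate logon before disconnecting, since the session you already hold is not affected by the change and will not reveal a lockout.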

Luckily, the folks at US Internet can bail us out this time. But what other havoc might I have caused by poking around at security policies on a remote computer? I'm amazed I got off this lucky.

Kids, don't try this at home. It's way too easy to lock yourself out. I certainly proved that. Ain't no one logging in to our server remotely that can fix the problem. The moral of this story: Don't poke around at security, hoping you'll figure it out. Get help.

Update, a few days later:

Once we got the machine rebooted, it was easy enough to get in using PC Anywhere and grant back the right to log in using Terminal Server. One important issue I haven't worked out: once we log in using TS, PCA no longer works. We get the "blue checkerboard of death." (If you've been there, you know what I'm talking about.) I've only done a little research on this one, but I hope to work it out soon. We've found that TS plus PCA (or some other remote control tool that isn't TS) makes the best combination of remote support tools.

Published Tuesday, April 19, 2005 2:12 PM by KenG