Explanation of RDP-TCP Permissions in Windows 2000

ID: Q243554


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Server


SUMMARY

This article describes the permissions available for an RDP-TCP connection in Windows 2000.


MORE INFORMATION

You can use Terminal Services Configuration to modify the permissions of a Terminal Services Connection. By default, there is one RDP-TCP connection.


Permission         Description
---------------------------------------------------------------------------
Connect            Connect to another session.

Disconnect         Disconnect a session.

Logoff             Log off a user from a session. Be aware that logging
                   off a user without warning can result in loss of data at 
                   the client computer.

Logon              Log on to a session on the server.

Message            Send a message to another user's sessions.

Query Information  Query sessions and servers for information.

Remote Control     View or actively control another user's session.

Reset              End a session. Be aware that ending a session without
                   warning can result in loss of data at the client 
                   computer.

Set Information    Configure connection properties.

Virtual Channels   Use virtual channels.

There are three basic levels of permissions.

Permission Level   Description
-------------------------------------------------------------
Guest Access       Logon
User Access        Query Information, Logon, Message, Connect
Full Control       All

It is important to understand the way these permissions work before you modify them. By default, the only permission that you need to explicitly grant is the Logon right. Without the Logon permission, a user cannot establish a Terminal Services session. A user, unless explicitly denied, has all of the listed permissions on his or her own connection, even though they are not explicitly granted. Apart from Logon, the permissions listed in this article govern what a user can do on another user's connection.

If you deny a user a particular permission, that user does not have that permission on his or her own session, nor on any other session. In keeping with the Windows 2000 security model, an explicit deny takes precedence over an explicit grant.
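
The evaluation rules in the two paragraphs above can be written out as a small model. This is an added example, not Microsoft code and not a Windows API: the function names, the ACL representation and the user names are assumptions, and group membership is ignored.

```python
# Simplified model of the rules described in this article. It is not a Windows
# API: group membership and inheritance are ignored, and an ACL is just a list
# of (user, "allow" | "deny", permissions) entries.
ALL = frozenset({
    "Connect", "Disconnect", "Logoff", "Logon", "Message", "Query Information",
    "Remote Control", "Reset", "Set Information", "Virtual Channels",
})
LEVELS = {  # the three permission levels from the table above
    "Guest Access": frozenset({"Logon"}),
    "User Access": frozenset({"Query Information", "Logon", "Message", "Connect"}),
    "Full Control": ALL,
}

def is_allowed(acl, user, permission, session_owner=None):
    """Return True if `user` may use `permission` on `session_owner`'s session.

    For Logon there is no existing session, so session_owner is ignored.
    """
    if permission not in ALL:
        raise ValueError(f"unknown permission: {permission}")
    granted, denied = set(), set()
    for principal, kind, perms in acl:
        if principal == user:
            (denied if kind == "deny" else granted).update(perms)
    if permission in denied:          # explicit deny beats explicit grant,
        return False                  # on the user's own session as well
    if permission == "Logon":         # Logon must be granted explicitly
        return permission in granted
    if session_owner == user:         # implicit rights on one's own session
        return True
    return permission in granted      # other users' sessions need a grant

def effective(acl, user, session_owner):
    """All permissions `user` holds on `session_owner`'s session."""
    return {p for p in ALL if is_allowed(acl, user, p, session_owner)}

# Constructed sample ACL (user names are hypothetical).
SAMPLE_ACL = [
    ("alice", "allow", LEVELS["User Access"]),
    ("bob", "allow", LEVELS["Full Control"]),
    ("bob", "deny", {"Remote Control"}),
]

if __name__ == "__main__":
    for who, target in [("alice", "alice"), ("alice", "bob"), ("bob", "alice"), ("bob", "bob")]:
        print(f"{who} on {target}'s session:", sorted(effective(SAMPLE_ACL, who, target)))
```

In the sample, alice (User Access) can remote-control only her own session, while bob loses Remote Control everywhere, his own session included, because of the explicit deny.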

Keywords : kbnetwork ntsecurity
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.