Microsoft KB Archive/243554

= Explanation of RDP-TCP Permissions in Windows 2000 =

Article ID: 243554

Article Last Modified on 3/2/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server




This article was previously published under Q243554



SUMMARY
This article describes the permissions available for an RDP-TCP connection in Windows 2000.



MORE INFORMATION
You can use Terminal Services Configuration to modify the permissions of a Terminal Services Connection. By default, there is one RDP-TCP connection.

Permission         Description
-----------------  -----------
Connect            Connect to another session.
Disconnect         Disconnect a session.
Logoff             Log off a user from a session. Be aware that logging off a user without warning can result in loss of data at the client computer.
Logon              Log on to a session on the server.
Message            Send a message to another user's sessions.
Query Information  Query sessions and servers for information.
Remote Control     View or actively control another user's session.
Reset              End a session. Be aware that ending a session without warning can result in loss of data at the client computer.
Set Information    Configure connection properties.
Virtual Channels   Use virtual channels.

There are three basic levels of permissions.

Permission Level   Description
-----------------  -----------
Guest Access       Logon
User Access        Query Information, Logon, Message, Connect
Full Control       All

It is important to understand how these permissions work before you modify them. By default, the only permission that you need to grant explicitly is the Logon permission. Without the Logon permission, a user cannot establish a Terminal Services session. Unless explicitly denied, a user has all of the listed permissions on his or her own connection, even though they are not explicitly granted. Apart from Logon, the permissions listed in this article govern what a user can do on another user's connection.

If you deny a user a particular permission, that user does not have that permission on his or her own session or on any other session. In keeping with the Windows 2000 security model, an explicit deny takes precedence over an explicit grant.
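The rules above can be checked against a planned permission list before it is applied. The following Python model is an added example, not Microsoft code and not a Windows API: the group names, user names, sample entries and the watch-list of permissions are constructed, and it assumes that rights on other users' sessions are simply the explicit grants minus the explicit denies.

```python
# Added example: a model of the rules in this article, not a Windows API.
ALL = frozenset({
    "Query Information", "Set Information", "Reset", "Remote Control", "Logon",
    "Logoff", "Message", "Connect", "Disconnect", "Virtual Channels",
})
LEVELS = {
    "Guest Access": frozenset({"Logon"}),
    "User Access": frozenset({"Query Information", "Logon", "Message", "Connect"}),
    "Full Control": ALL,
}

def _expand(perms):
    """Accept a permission-level name or an iterable of individual permissions."""
    if isinstance(perms, str):
        return LEVELS[perms]
    perms = frozenset(perms)
    if perms - ALL:
        raise ValueError(f"unknown permission(s): {sorted(perms - ALL)}")
    return perms

def effective(acl, principals, own_session):
    """Permissions a user (with the groups in `principals`) ends up with."""
    granted, denied = set(), set()
    for who, kind, perms in acl:
        if who in principals:
            (denied if kind == "deny" else granted).update(_expand(perms))
    if not own_session:
        # Another user's session: only explicit grants count, deny wins.
        return frozenset(granted - denied)
    if "Logon" not in granted - denied:
        return frozenset()            # no Logon, so no session of one's own
    return frozenset(ALL - denied)    # implicit on own session unless denied

def risky_grants(acl, members):
    """(user, permission) pairs that affect other users' sessions."""
    watch = {"Remote Control", "Reset", "Logoff", "Disconnect"}  # constructed list
    return sorted((user, perm) for user, groups in members.items()
                  for perm in effective(acl, {user} | groups, False) & watch)

# Constructed sample entries: (principal, "allow" or "deny", level or permissions)
ACL = [
    ("TS-Users", "allow", "User Access"),
    ("Helpdesk", "allow", {"Remote Control", "Logoff"}),
    ("Contractors", "deny", {"Remote Control"}),
]
MEMBERS = {"alice": {"TS-Users", "Helpdesk"},
           "bob": {"TS-Users", "Helpdesk", "Contractors"},
           "carol": {"Helpdesk"}}
```

In this sample, bob's membership in the denied group removes Remote Control on his own session as well as on everyone else's, and carol has no session of her own because nothing grants her Logon.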

Keywords: kbinfo kbnetwork KB243554


© Microsoft Corporation. All rights reserved.