Allow Terminal Server RDP Access to Servers via Group Policy [message #156047] Tue, 09 June 2009 14:41
Wes H
Ok, this is a weird one. I have created a new user called netadmin and then
put it into our AD 2003 builtin group called Remote Desktop Users. I then
went to AD and default domain policy and enabled two things:

1. Local Policy: allow login through terminal server (for that user
netadmin and domain admins and remote desktop users)

2. Went to admin templates, windows components, terminal services and
enabled Allow users to connect via terminal services.

Now here's the weird thing. I can only RDP to workstations with that new
account...works like a charm, but I cannot use that account for any servers
(non domain controllers I mean). Am I missing something?
Re: Allow Terminal Server RDP Access to Servers via Group Policy [message #156048 is a reply to message #156047] Tue, 09 June 2009 15:23
aceman
"Wes H" <WesH@discussions.microsoft.com> wrote in message
news:17F642DC-B05D-4B49-819B-0A9C69D8EE36@microsoft.com...
> Ok, this is a weird one. I have created a new user called netadmin and
> then
> put it into our AD 2003 builtin group called Remote Desktop Users. I then
> went to AD and default domain policy and enabled two things:
>
> 1. Local Policy: allow login through terminal server (for that user
> netadmin and domain admins and remote desktop users)
>
> 2. Went to admin templates, windows components, terminal services and
> enabled Allow users to connect via terminal services.
>
> Now here's the weird thing. I can only RDP to workstations with that new
> account...works like a charm, but I cannot use that account for any
> servers
> (non domain controllers I mean). Am I missing something?


What error are you getting when you attempt to logon? Possibly, "... can't
logon interactively...?"

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay
Re: Allow Terminal Server RDP Access to Servers via Group Policy [message #156049 is a reply to message #156047] Tue, 09 June 2009 15:13
meiweb(nospam)
Hello Wes,

Are the servers themselves enabled for remote desktop connection via system properties?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Allow Terminal Server RDP Access to Servers via Group Policy [message #156052 is a reply to message #156047] Tue, 09 June 2009 16:12
Marcin
Wes,
Settings assigned via default domain policy can be overridden/blocked on an
OU level (where your server computers reside). You would want to check
resulting GP settings on one of them to determine what restrictions are in
place.
Btw. note that the Remote Desktop Users domain local group is of no
relevance here - this plays a role when granting ability to log on via
Terminal Services to domain controllers...

hth
Marcin

Re: Allow Terminal Server RDP Access to Servers via Group Policy [message #156156 is a reply to message #156052] Thu, 11 June 2009 06:10
Wes H
Ok, so I ended up using Restricted groups in Active Directory to do this
instead of the way I mentioned before. I added a user to the Remote Desktop
group and it propagated to all the PCs and servers, but it seemed to
OVERWRITE all the users we already manually put on certain PCs with the
policy. Is that by design? How can I remedy this without having to go to
each PC? I thought it would just ADD this new account to the local remote
desktop group, not overwrite it. Any thoughts?

-Wes



Re: Allow Terminal Server RDP Access to Servers via Group Policy [message #156163 is a reply to message #156156] Thu, 11 June 2009 07:37
meiweb(nospam)
Hello Wes,

You have to pay attention to the "Members of this group" and "This group
is a member of". See the following article:
http://www.frickelsoft.net/blog/?p=13

Best regards

Meinolf Weber
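An added illustration, not part of the original thread or the linked article: Restricted Groups settings are stored in the GPO's GptTmpl.inf under `[Group Membership]`, where "Members of this group" becomes a `__Members` line that replaces the target group's membership and "This group is a member of" becomes a `__Memberof` line that only adds. The Python model below applies both to a machine with manually added users; the SIDs, account names and function names are constructed, and an empty `__Members` line is treated as not configured, which is an assumption of this model.

```python
import re

DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
RDU = "*S-1-5-32-555"                               # BUILTIN\Remote Desktop Users

# Constructed GptTmpl.inf fragments. REPLACE_INF is "Members of this group";
# ADDITIVE_INF is "This group is a member of" set on a domain group.
REPLACE_INF = f"[Group Membership]\n{RDU}__Memberof =\n{RDU}__Members = *{DOM}-1105\n"
ADDITIVE_INF = f"[Group Membership]\n*{DOM}-1200__Memberof = {RDU}\n*{DOM}-1200__Members =\n"

ENTRY = re.compile(r"^(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<value>.*)$", re.I)

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} for [Group Membership]."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = ENTRY.match(line) if in_section else None
        if m:
            values = [v.strip() for v in m["value"].split(",") if v.strip()]
            cfg = entries.setdefault(m["group"].strip(), {"members": [], "memberof": []})
            cfg[m["kind"].lower()] = values
    return entries

def apply_policy(entries, local_groups):
    """Model the result on one machine; local_groups maps group -> set of members."""
    result = {g: set(members) for g, members in local_groups.items()}
    for group, cfg in entries.items():
        if cfg["members"]:                 # authoritative list (empty = not configured here)
            result[group] = set(cfg["members"])
        for parent in cfg["memberof"]:     # additive: existing members are left alone
            result.setdefault(parent, set()).add(group)
    return result

def replaced_groups(entries):
    """Groups whose current membership this policy would overwrite."""
    return sorted(g for g, cfg in entries.items() if cfg["members"])

if __name__ == "__main__":
    machine = {RDU: {"PC01\\alice", "CORP\\bob"}}   # constructed manual additions
    for name, inf in (("Members", REPLACE_INF), ("Member of", ADDITIVE_INF)):
        entries = parse_group_membership(inf)
        print(name, "->", sorted(apply_policy(entries, machine)[RDU]),
              "| overwrites:", replaced_groups(entries))
```

Running `replaced_groups` over a GPO's template before linking it shows which local groups would lose their manually added members.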
Re: Allow Terminal Server RDP Access to Servers via Group Policy [message #156170 is a reply to message #156163] Thu, 11 June 2009 07:45
Wes H
Thanks, yeah I just saw that post after I wrote the reply. Duh! Any way I
can recover the original users that were in there?

-Wes



Re: Allow Terminal Server RDP Access to Servers via Group Policy [message #156180 is a reply to message #156170] Thu, 11 June 2009 08:37
meiweb(nospam)
Hello Wes,

If you don't have a list, unfortunately no.

Best regards

Meinolf Weber