#1
Allow Terminal Server RDP Access to Servers via Group Policy

Ok, this is a weird one. I have created a new user called netadmin and then put it into our AD 2003 builtin group called Remote Desktop Users. I then went to AD and default domain policy and enabled two things:

1. Local Policy: allow login through terminal server (for that user netadmin and domain admins and remote desktop users)

2. Went to admin templates, windows components, terminal services and enabled Allow users to connect via terminal services.

Now here's the weird thing. I can only RDP to workstations with that new account...works like a charm, but I cannot use that account for any servers (non domain controllers I mean). Am I missing something?

#2
Re: Allow Terminal Server RDP Access to Servers via Group Policy

Hello Wes,

Are the servers themselves enabled for remote desktop connection via system properties?

Best regards
Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

#3
Re: Allow Terminal Server RDP Access to Servers via Group Policy

What error are you getting when you attempt to logon? Possibly, "... can't logon interactively...?"

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
http://twitter.com/acefekay

#4
Re: Allow Terminal Server RDP Access to Servers via Group Policy

Wes,

Settings assigned via default domain policy can be overridden/blocked on an OU level (where your server computers reside). You would want to check resulting GP settings on one of them to determine what restrictions are in place.

Btw. note that the Remote Desktop Users domain local group is of no relevance here - this plays a role when granting ability to log on via Terminal Services to domain controllers...

hth
Marcin

#5
Re: Allow Terminal Server RDP Access to Servers via Group Policy

Ok, so I ended up using Restricted groups in Active Directory to do this instead of the way I mentioned before. I added a user to the Remote Desktop group and it propagated to all the PCs and servers, but it seemed to OVERWRITE all the users we already manually put on certain PCs with the policy. Is that by design? How can I remedy this without having to go to each PC? I thought it would just ADD this new account to the local remote desktop group, not overwrite it. Any thoughts?

-Wes

#6
Re: Allow Terminal Server RDP Access to Servers via Group Policy

Hello Wes,

You have to pay attention to the "Members of this group" and "This group is a member of". See the following article:
http://www.frickelsoft.net/blog/?p=13

Best regards
Meinolf Weber

#7
Re: Allow Terminal Server RDP Access to Servers via Group Policy

Thanks, yeah I just saw that post after I wrote the reply. Duh! Any way I can recover the original users that were in there?

-Wes

#8
Re: Allow Terminal Server RDP Access to Servers via Group Policy

Hello Wes,

If you don't have a list, unfortunately no.

Best regards
Meinolf Weber

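Added example, not part of the thread: a small model of the two Restricted Groups modes named in post #6, showing which accounts the overwrite seen in post #5 would drop, given a membership list taken before the policy is linked. The `CORP` domain, the `RDP-Admins` group, the machine names and the GptTmpl.inf snippets are constructed; a `__Members` line with no value is skipped here as a simplifying assumption.

```python
# Added illustration: models how a Restricted Groups entry changes one local group.
# The GptTmpl.inf text and the machine snapshots below are constructed sample data.

RDU = "S-1-5-32-555"  # well-known SID of BUILTIN\Remote Desktop Users

def parse_group_membership(inf_text):
    """Return {(group, 'members'|'memberof'): [accounts]} from [Group Membership]."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep:
            continue
        accounts = [a.strip().lstrip("*") for a in value.split(",") if a.strip()]
        entries[(group.lstrip("*"), kind.lower())] = accounts
    return entries

def resulting_members(entries, target, current):
    """Membership of `target` on one machine after the policy is applied."""
    result = set(current)
    replace = entries.get((target, "members"))
    if replace:  # "Members of this group": authoritative, unlisted accounts go
        result = set(replace)
    for (group, kind), parents in entries.items():
        # "This group is a member of": the group is added, nothing is removed
        if kind == "memberof" and target in parents:
            result.add(group)
    return result

def removed_by_policy(inf_text, target, snapshots):
    """Per machine, the accounts the policy would drop from `target`."""
    entries = parse_group_membership(inf_text)
    return {host: sorted(set(cur) - resulting_members(entries, target, cur))
            for host, cur in snapshots.items()}

# Constructed policies: the same intent expressed in each of the two modes.
OVERWRITE = "[Group Membership]\n*S-1-5-32-555__Members = CORP\\netadmin\n"
ADDITIVE = "[Group Membership]\nCORP\\RDP-Admins__Memberof = *S-1-5-32-555\n"
# Constructed pre-change snapshot of each machine's Remote Desktop Users group.
SNAPSHOTS = {"PC01": ["CORP\\alice", "CORP\\bob"], "SRV01": ["CORP\\netadmin"]}

if __name__ == "__main__":
    print("overwrite:", removed_by_policy(OVERWRITE, RDU, SNAPSHOTS))
    print("additive: ", removed_by_policy(ADDITIVE, RDU, SNAPSHOTS))
```

The snapshot is the "list" post #8 refers to: without one taken before the policy applies, the removed accounts cannot be reconstructed from the policy itself.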