So To allow my IT Staff to Remote Desktop to the Server machines without
being a Domain Admin, I followed the how to on Creating the Restricted Group
and then Adding that group to the Local Remote Desktop Users group.
The IT staff can login just fine. If I as Sam User to the Remote Desktop
Users group on the local server they are not allowed in and get the message
about having to be added to the group.
What gives? Did I setup the Restricted Group Wrong?
If I understand correctly, you add a group IT Staff and a user account Sam
to the Remote Desktop Users group on the servers by configuring the
Restricted Group policy. You find that the user who is a member of the IT
Staff group can logon the server remotely. However, you cannot logon the
server remotely with the Sam user account and get the following message:
"To log on this remote computer, you must be granted the Allow log on
through Terminal Service right¡*"
Before we go any further, I would like to collect the following information
with you:
1. Is the user account Sam a member of the IT Staff group or Remote Desktop
Users group?
2. What operating system is running on the servers?
3. Are the servers Domain Controllers?
4. Please run the following commands on a server:
gpresult /v > gpresult.txt
net user sam /domain > sam.txt
net localgroup "remote desktop users" > group.txt
Note: Press Enter after each command.
Then, zip and upload the files above to the following space:
https://sftasia.one.microsoft.com/ch...0861-4778-4e5f
-810a-f360adbd5d5f
Password: WwQGjr3Kz179Tt
Zip file has been uploaded
Not quite. I Created a Group called LocalAdmins in AD, then with Restricted
Group policy I added that group to the Server's Remote Desktop Users group.
I've then gone to the local Server's Remote Desktop Users group to add
additional users/groups that I would like to have the ability to remote
desktop to that server.
1. Is the user account Sam a member of the IT Staff group or Remote Desktop
Users group?
The user that is Denied is a Member of the Local Server's Remote
Desktop Users Group and is NOT a member of the IT Staff group
2. What operating system is running on the servers?
Win2003 R2 SP2
3. Are the servers Domain Controllers?
No
Based on the gpresult.txt file, I found that only the LocalAdmins has the
RemoteInteractiveLogonRight right on the server. This means that the Remote
Desktop Users group does not have permission to logon this server remotely.
As a result, the user cannot logon remotely, although it is a member of
Remote Desktop Users group.
Please edit the GPO: servers, and add the Remote Desktop Users group in the
policy Allow log on through Terminal Services to check if the issue can be
resolved.
In addition, it looks as if there is something wrong with the Restricted
Groups policy:
Restricted Groups
-----------------
GPO: Servers
Groupname: HAYDON-MILL\LocalAdmins
Members: N/A
That configuration means that no user/group should belong to the group
LocalAdmins.
For more information about restricted groups policy, please refer to the
following article:
Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301
How's everything going?
I'm wondering if the issue has been resolved or if you have any further
questions. Please feel free to respond to the newsgroups if you need any
additional help.
I set up the Restricted group as Directed by a How-To I found. It implied
that if you added users to the Group name that it would wipe out any users
that were actually in the Group that is Manages in AD vs. the RG Policy.
Yes, Adding the RDU group to the Allow log on through Terminal Services
fixed the issue.
Member
I am having a similar issue with setting users to log into our lab. I am trying to create users so that I can keep a track of who is logged in at a given moment. I have a 2008 domain controller and I want to enable the remote desktop for users. But when i try to log on to a computer I get an error saying that
The requested session is access denied.
Can you help.??
Posting Permissions
Reply With Quote
Bookmarks