Hi Folks, I've got an issue here and am losing hair by the minute :)
I have a scenario giving me problems. I am trying to grant a specific
global group the rights to rdp to member servers (Admin mode, btw) in AD.
Members of this group are not to be Domain Admins.
The “Remote Desktop Users” (RDP) group only grants access to DC’s, as tested
by membership.
I have:
1. Created the GPO with the following rights to a global group
named “(G)AllServerAdmins”:
“Allow logon through Terminal Services”
“Allow logon locally” (not needed, but I'm grasping at straws here :)
2. Linked the GPO to the OU housing the member servers.
3. Verified the GPO machine policy is applied (gpresult) and that there
is no “Block Inheritance” on the OU hierarchy in which the Member servers reside.
A user, who is a member of the “(G)AllServerAdmins” group and “Remote
Desktop Users”, still cannot rdp to a member server. They can successfully
rdp to a domain controller, which seems backwards.
Naturally, if I manually add the “(G)AllServerAdmins” to the local
“Administrators” group on a member server, everything works fine. The
problem is that we don’t want to have to touch every member box to do this,
as it defeats the purpose of the GPO.
Am I going to have to script the addition of the global group to local
Administrators group? Seems like this should have been an obvious GPO, as
it's entirely too much work to do something so basic.
You'd think we'd be able to add group membership to local groups by GPO.
Thanks in advance!
Tom