
Thread: Remote Desktop rights to Member Servers via GPO

  1. #1
    Tom Guest

    Remote Desktop rights to Member Servers via GPO

    Hi Folks, I've got an issue here and am losing hair by the minute:) :

    I have a scenario giving me problems. I am trying to grant a specific
    global group the rights to rdp to member servers (Admin mode, btw) in AD.
    Members of this group are not to be Domain Admins.

    The “Remote Desktop Users” (RDP) group only grants access to DCs, as tested
    by membership.

    I have:
    1. Created the GPO with the following rights to a global group
    named “(G)AllServerAdmins”

    “Allow logon through Terminal Services”
    “Allow logon locally” (not needed, but I'm grasping at straws here:)

    2. Linked the GPO to the OU housing the member servers.
    3. Verified the GPO machine policy is applied (gpresult) and that there
    is no “Block Inheritance” on the OU hierarchy in which the Member servers reside.

    A user, who is a member of the “(G)AllServerAdmins” group and "Remote
    Desktop Users” still cannot rdp to a member server. They can successfully
    rdp to a domain controller which seems backwards.

    Naturally, if I manually add the “(G)AllServerAdmins” to the local
    “Administrators” group on a member server, everything works fine. The
    problem is that we don’t want to have to touch every member box to do this,
    as it defeats the purpose of the GPO.

    Am I going to have to script the addition of the global group to the local
    Administrators group? Seems like this should have been an obvious GPO, as
    it's entirely too much work to do something so basic.

    You'd think we'd be able to add group membership to local groups by GPO.

    Thanks in advance!

    Tom


  2. #2
    neo [mvp outlook] Guest

    Re: Remote Desktop rights to Member Servers via GPO

    I'll make a dangerous assumption that you are working with a Windows 2000
    SP4 or better Active Directory Domain + Member servers, but have you tried
    using a Restricted Groups* GPO to populate the Remote Desktop Users group
    with your domain group?

    /neo

    * In this case, I'm thinking about the bottom half that covers Member Of.
    (e.g. you type in "(G)AllServerAdmins" and then say this should be a member
    of Remote Desktop Users)

    "Tom" <Tom@discussions.microsoft.com> wrote in message
    news:2E2091F4-3A67-43B3-ADAA-D860F51FDD56@microsoft.com...




  3. #3
    Tom Guest

    Re: Remote Desktop rights to Member Servers via GPO

    Hi Neo, not a dangerous assumption, as we are talking about 2ksp4 and
    higher. My understanding of Restricted Groups is that the GPO will totally
    replace the target group membership, which might be a problem with the
    developers, and we have not examined the local group membership for ACEs that
    would be removed inadvertently.

    Is there a way to "merge" the restricted group into local group membership?

    Thanks for your reply!

    Tom

    "neo [mvp outlook]" wrote:


  4. #4
    neo [mvp outlook] Guest

    Re: Remote Desktop rights to Member Servers via GPO

    Then you are left with a computer startup script GPO that checks the members
    of this group and adds your domain group via the net localgroup /add
    command.

    "Tom" <Tom@discussions.microsoft.com> wrote in message
    news:843A1EC9-D9C0-41EE-BB7B-C1655A29026E@microsoft.com...
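    Neo's startup-script fallback, written out as an added example (this is not code from the thread): a computer startup script that reads the local group first and only then runs net localgroup /add, so it merges rather than replaces membership and is safe to run at every boot. The domain NetBIOS name CONTOSO and the log path are assumptions; it targets Remote Desktop Users rather than Administrators, the narrower grant Neo suggested.

```powershell
# Computer startup script (runs as SYSTEM via the GPO) that merges a domain
# group into a local group. Constructed example; CONTOSO is an assumed domain
# name. Targets Remote Desktop Users, not Administrators: RDP access only.
param(
    [string]$DomainGroup = 'CONTOSO\(G)AllServerAdmins',
    [string]$LocalGroup  = 'Remote Desktop Users',
    [string]$LogPath     = "$env:SystemRoot\Temp\localgroup-merge.log"
)

function Write-Log([string]$Message) {
    $line = '{0:u} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogPath -Value $line
}

# Parse `net localgroup "<name>"`: members are listed one per line after the
# dashed separator and before "The command completed successfully."
function Get-LocalGroupMembers([string]$Group) {
    $out = & net.exe localgroup "$Group" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "net localgroup '$Group' failed: $out" }
    $inList = $false
    foreach ($l in $out) {
        $s = "$l".Trim()
        if ($s -match '^-{5,}$') { $inList = $true; continue }
        if ($inList -and $s -and $s -notmatch '^The command completed') { $s }
    }
}

try {
    $members = @(Get-LocalGroupMembers $LocalGroup)
    # -contains is case-insensitive, which matches SAM account name semantics.
    if ($members -contains $DomainGroup) {
        Write-Log "OK: '$DomainGroup' already in '$LocalGroup'; nothing changed."
    } else {
        # Adds only this one principal; existing local members are untouched.
        $out = & net.exe localgroup "$LocalGroup" "$DomainGroup" /add 2>&1
        if ($LASTEXITCODE -ne 0) { throw "net localgroup /add failed: $out" }
        Write-Log "ADDED: '$DomainGroup' to '$LocalGroup'."
    }
} catch {
    Write-Log "ERROR: $_"
    exit 1
}
```

The log line per boot gives you an audit trail of which servers gained the group and when, which a Restricted Groups policy does not write on its own.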




  5. #5
    AJ Guest

    Re: Remote Desktop rights to Member Servers via GPO

    On Dec 7, 9:33 am, "neo [mvp outlook]"
    <n...@discussions.microsoft.com> wrote:


    Restricted Groups can be used to add a domain group to a local group
    on member servers. It would not replace the existing local group
    memberships on the member servers if you set the Restricted Groups
    group policy correctly.

    all the best!!

    Ajay Sarkaria

  6. #6
    neo [mvp outlook] Guest

    Re: Remote Desktop rights to Member Servers via GPO

    Thanks for mentioning this as I forgot to mention that the member of portion
    is a merge and not a replace.

    "AJ" <ajsarkaria@gmail.com> wrote in message
    news:0c430d53-31b8-4e6b-9f65-1069116f4a4b@i12g2000prf.googlegroups.com...



