Cannot Remote Desktop to servers Even if in Remote Desktop Users Group

Post by Scott Town » Thu, 05 Feb 2009 07:42:08


So, to allow my IT staff to Remote Desktop to the server machines without
being a Domain Admin, I followed the how-to on creating the Restricted Group
and then adding that group to the local Remote Desktop Users group.

The IT staff can log in just fine. If I add Sam User to the Remote Desktop
Users group on the local server, they are not allowed in and get the message
about having to be added to the group.

What gives? Did I set up the Restricted Group wrong?

Thanks,
Scott<-
 
 
 

Post by v-jos » Thu, 05 Feb 2009 18:16:12

Hi Scott,

Thank you for your post.

If I understand correctly, you added a group, IT Staff, and a user account, Sam,
to the Remote Desktop Users group on the servers by configuring the
Restricted Group policy. You find that a user who is a member of the IT
Staff group can log on to the server remotely. However, you cannot log on to the
server remotely with the Sam user account and get the following message:

"To log on this remote computer, you must be granted the Allow log on
through Terminal Service right"

Before we go any further, I would like to collect the following information
from you:

1. Is the user account Sam a member of the IT Staff group or Remote Desktop
Users group?
2. What operating system is running on the servers?
3. Are the servers Domain Controllers?
4. Please run the following commands on a server:

gpresult /v > gpresult.txt
net user sam /domain > sam.txt
net localgroup "remote desktop users" > group.txt

Note: Press Enter after each command.

Then, zip and upload the files above to the following space:

https://sftasia.one.microsoft.com/choosetransfer.aspx?key=faac0861-4778-4e5f-810a-f360adbd5d5f
Password: WwQGjr3Kz179Tt

I look forward to your response.

Sincerely,
Joson Zhou
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 
 
 

Post by Scott Town » Sat, 07 Feb 2009 00:27:15

Thank you for your reply.

The zip file has been uploaded.


Not quite. I created a group called LocalAdmins in AD, then with Restricted
Group policy I added that group to the server's Remote Desktop Users group.
I've then gone to the local server's Remote Desktop Users group to add
additional users/groups that I would like to have the ability to remote
desktop to that server.

1. Is the user account Sam a member of the IT Staff group or Remote Desktop
Users group?
The user that is denied is a member of the local server's Remote
Desktop Users group and is NOT a member of the IT Staff group.

2. What operating system is running on the servers?
Win2003 R2 SP2

3. Are the servers Domain Controllers?
No

Thank you,
Scott<-
 
 
 

Post by v-jos » Sat, 07 Feb 2009 16:24:00

Hi Scott,

Thank you for your update.

Based on the gpresult.txt file, I found that only the LocalAdmins group has the
RemoteInteractiveLogonRight right on the server. This means that the Remote
Desktop Users group does not have permission to log on to this server remotely.
As a result, the user cannot log on remotely, although it is a member of the
Remote Desktop Users group.

Please edit the GPO: Servers, and add the Remote Desktop Users group to the
policy Allow log on through Terminal Services to check whether the issue can be
resolved.

In addition, it looks as if there is something wrong with the Restricted
Groups policy:

Restricted Groups
-----------------
GPO: Servers
Groupname: HAYDON-MILL\LocalAdmins
Members: N/A

That configuration means that no user/group should belong to the group
LocalAdmins.

For more information about restricted groups policy, please refer to the
following article:

Description of Group Policy Restricted Groups
http://www.yqcomputer.com/

I look forward to your response.

Sincerely,
Joson Zhou
Microsoft Online Support
Microsoft Global Technical Support Center


Post by v-jos » Thu, 12 Feb 2009 10:25:46

Hi Scott,

How's everything going?

I'm wondering if the issue has been resolved or if you have any further
questions. Please feel free to respond to the newsgroups if you need any
additional help.

Sincerely,
Joson Zhou
Microsoft Online Support
Microsoft Global Technical Support Center


Post by Scott Town » Fri, 13 Feb 2009 06:21:12

I set up the Restricted Group as directed by a how-to I found. It implied
that if you added users to the group name, it would wipe out any users
that were actually in the group that is managed in AD vs. the RG policy.

Yes, adding the RDU group to Allow log on through Terminal Services
fixed the issue.

Thank you,
Scott<-
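
The diagnosis reached in this thread, as an added example that is not part of the original posts: a Python check over the output of `secedit /export /cfg rights.inf /areas USER_RIGHTS` that reports when the Remote Desktop Users group is missing from Allow log on through Terminal Services (SeRemoteInteractiveLogonRight). The sample export text and the domain SID standing in for LocalAdmins are constructed; the function names are hypothetical.

```python
import re

RDU_SID = "S-1-5-32-555"      # well-known SID of BUILTIN\Remote Desktop Users
ADMINS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
ALLOW = "SeRemoteInteractiveLogonRight"      # Allow log on through Terminal Services
DENY = "SeDenyRemoteInteractiveLogonRight"   # Deny log on through Terminal Services

# Constructed sample export: the domain SID is made up and stands in for the
# LocalAdmins group from the thread, the only holder of the right before the fix.
LOCALADMINS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BROKEN_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*{ADMINS_SID}
{ALLOW} = *{LOCALADMINS_SID}
[Version]
signature="$CHICAGO$"
"""
FIXED_INF = BROKEN_INF.replace(f"{ALLOW} = ", f"{ALLOW} = *{RDU_SID},")

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; unresolved names are not.
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def rdp_group_findings(inf_text):
    """Explain why Remote Desktop Users membership alone may not allow logon."""
    rights = parse_privilege_rights(inf_text)
    allow, deny = rights.get(ALLOW, []), rights.get(DENY, [])
    findings = []
    if RDU_SID not in allow:
        findings.append(f"Remote Desktop Users lacks {ALLOW}; holders: {allow or 'none'}")
    if RDU_SID in deny:
        findings.append(f"Remote Desktop Users is listed in {DENY}")
    return findings

if __name__ == "__main__":
    for label, text in (("before fix", BROKEN_INF), ("after fix", FIXED_INF)):
        print(label, rdp_group_findings(text) or "group membership is sufficient")
```

On a real server, read the exported file as UTF-16 before passing its text to `rdp_group_findings`.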