Cannot Remote Desktop to servers Even if in Remote Desktop Users Group

Discussion in 'Windows Server' started by Scott Townsend, Feb 3, 2009.

  1. So To allow my IT Staff to Remote Desktop to the Server machines without
    being a Domain Admin, I followed the how to on Creating the Restricted Group
    and then Adding that group to the Local Remote Desktop Users group.

    The IT staff can log in just fine. If I add Sam User to the Remote Desktop
    Users group on the local server they are not allowed in and get the message
    about having to be added to the group.

    What gives? Did I set up the Restricted Group wrong?

    Thanks,
    Scott<-
     
    Scott Townsend, Feb 3, 2009
    #1

  2. Scott Townsend

    Joson Zhou Guest

    Hi Scott,

    Thank you for your post.

    If I understand correctly, you added a group IT Staff and a user account Sam
    to the Remote Desktop Users group on the servers by configuring the
    Restricted Group policy. You find that a user who is a member of the IT
    Staff group can log on to the server remotely. However, you cannot log on to
    the server remotely with the Sam user account and get the following message:

    "To log on this remote computer, you must be granted the Allow log on
    through Terminal Service right…"

    Before we go any further, I would like to collect the following information
    with you:

    1. Is the user account Sam a member of the IT Staff group or Remote Desktop
    Users group?
    2. What operating system is running on the servers?
    3. Are the servers Domain Controllers?
    4. Please run the following commands on a server:

    gpresult /v > gpresult.txt
    net user sam /domain > sam.txt
    net localgroup "remote desktop users" > group.txt

    Note: Press Enter after each command.

    Then, zip and upload the files above to the following space:

    https://sftasia.one.microsoft.com/choosetransfer.aspx?key=faac0861-4778-4e5f-810a-f360adbd5d5f
    Password: WwQGjr3Kz179Tt

    I look forward to your response.

    Sincerely,
    Joson Zhou
    Microsoft Online Support
    Microsoft Global Technical Support Center

    Get Secure! - www.microsoft.com/security
    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Joson Zhou, Feb 4, 2009
    #2

  3. Thank you for your Reply.

    Zip file has been uploaded
    Not quite. I Created a Group called LocalAdmins in AD, then with Restricted
    Group policy I added that group to the Server's Remote Desktop Users group.
    I've then gone to the local Server's Remote Desktop Users group to add
    additional users/groups that I would like to have the ability to remote
    desktop to that server.

    1. Is the user account Sam a member of the IT Staff group or Remote Desktop
    Users group?
    The user that is Denied is a Member of the Local Server's Remote
    Desktop Users Group and is NOT a member of the IT Staff group

    2. What operating system is running on the servers?
    Win2003 R2 SP2

    3. Are the servers Domain Controllers?
    No

    Thank you,
    Scott<-
     
    Scott Townsend, Feb 5, 2009
    #3
  4. Scott Townsend

    Joson Zhou Guest

    Hi Scott,

    Thank you for your update.

    Based on the gpresult.txt file, I found that only the LocalAdmins group has
    the RemoteInteractiveLogonRight right on the server. This means that the
    Remote Desktop Users group does not have permission to log on to this server
    remotely. As a result, the user cannot log on remotely, although it is a
    member of the Remote Desktop Users group.

    Please edit the GPO: servers, and add the Remote Desktop Users group in the
    policy Allow log on through Terminal Services to check if the issue can be
    resolved.

    In addition, it looks as if there is something wrong with the Restricted
    Groups policy:

    Restricted Groups
    -----------------
    GPO: Servers
    Groupname: HAYDON-MILL\LocalAdmins
    Members: N/A

    That configuration means that no user/group should belong to the group
    LocalAdmins.

    For more information about restricted groups policy, please refer to the
    following article:

    Description of Group Policy Restricted Groups
    http://support.microsoft.com/kb/279301

    I look forward to your response.

    Sincerely,
    Joson Zhou
    Microsoft Online Support
    Microsoft Global Technical Support Center

     
    Joson Zhou, Feb 6, 2009
    #4
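
The check described in the reply above, as an added example that is not part of the original thread: it exports the server's user-rights assignments with `secedit` and reports whether the built-in Remote Desktop Users group (well-known SID S-1-5-32-555) actually holds "Allow log on through Terminal Services" (`SeRemoteInteractiveLogonRight`). The scratch file name and the helper function name are assumptions.

```powershell
# Added example: does Remote Desktop Users hold the remote-logon right here?
# Run from an elevated prompt on the server being checked.
$RduSid = 'S-1-5-32-555'                        # well-known SID: BUILTIN\Remote Desktop Users
$cfg    = Join-Path $env:TEMP 'user_rights.inf' # scratch file name is an assumption

# Export only the user-rights section of the effective local security policy.
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null

function Get-RightHolder {                      # hypothetical helper name
    param([string]$Path, [string]$Right)
    $line = Get-Content $Path | Where-Object { $_ -match "^\s*$Right\s*=" }
    if (-not $line) { return }                  # right is assigned to nobody
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }           # empty assignment
        if ($entry -match '^\*(S-1-.+)$') {
            $Matches[1]                         # secedit writes SIDs as *S-1-...
        } else {
            try {                               # account written by name: resolve to a SID
                $acct = New-Object System.Security.Principal.NTAccount($entry)
                $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { $entry }                  # unresolvable: keep the raw text
        }
    }
}

$allow = @(Get-RightHolder $cfg 'SeRemoteInteractiveLogonRight')
$deny  = @(Get-RightHolder $cfg 'SeDenyRemoteInteractiveLogonRight')
Remove-Item $cfg -ErrorAction SilentlyContinue

New-Object PSObject -Property @{
    AllowHolders        = $allow -join ', '
    RduHasAllowRight    = $allow -contains $RduSid
    RduExplicitlyDenied = $deny -contains $RduSid
}

if ($allow -notcontains $RduSid) {
    Write-Warning 'Remote Desktop Users lacks the right; group membership alone will not permit RDP logon.'
}

# Current members of the group, using the same command as the thread:
net localgroup "Remote Desktop Users"
```

When `RduHasAllowRight` is False, the fix is the one given in the reply: add the group to the right in the GPO that sets it, since a local change is overwritten at the next policy refresh.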
  5. Scott Townsend

    Joson Zhou Guest

    Hi Scott,

    How's everything going?

    I'm wondering if the issue has been resolved or if you have any further
    questions. Please feel free to respond to the newsgroups if you need any
    additional help.

    Sincerely,
    Joson Zhou
    Microsoft Online Support
    Microsoft Global Technical Support Center

     
    Joson Zhou, Feb 11, 2009
    #5
  6. I set up the Restricted group as Directed by a How-To I found. It implied
    that if you added users to the Group name that it would wipe out any users
    that were actually in the Group that is Managed in AD vs. the RG Policy.

    Yes, Adding the RDU group to the Allow log on through Terminal Services
    fixed the issue.

    Thank you,
    Scott<-
     
    Scott Townsend, Feb 11, 2009
    #6
  7. Scott Townsend

    Joson Zhou Guest

    Hi Scott,

    Thank you for your update. I am glad to hear that the issue has been
    resolved.

    Have a nice day.

    Sincerely,
    Joson Zhou
    Microsoft Online Support
    Microsoft Global Technical Support Center

     
    Joson Zhou, Feb 12, 2009
    #7