Remote Desktop in a Domain. Why doesn't putting a user in the domain group Remote allow remoting in

Discussion in 'Server Security' started by Rog, Feb 7, 2009.

  1. Rog

    Rog Guest

    We have a Windows 2003 Domain. The XP workstations all are domain members,
    and all login credentials used on the clients are domain ones. We have
    remote desktop enabled on the client computer with no local remote users
    added other than the default admins.

    We created a user in Active Directory Users and Groups, and placed that user
    into the Remote Desktop Built-In Group on the Domain. When we try to
    remotely log into a client computer using that new domain user's
    credentials, and remote desktop, we get an error that a Group Policy
    prevents login. If we log into the client as an Administrator, and add the
    user's domain credentials to the local Remote Login list, then we can remote
    fine.

    Do we have to do something to tell the client computer to use the Domain
    Remote Desktop group instead of the local one?

    Thanks
     
    Rog, Feb 7, 2009
    #1
    1. Advertisements

  2. Rog

    Al Dunbar Guest

    On all client computers? It really needs to be enabled only on those
    computers you want to logon to remotely through an RDP session.
    You need not add the local administrators group to the local remote users
    group, as local administrators have remote logon rights by default.
    Yes, but you do that by adding the Domain Remote Desktop group as a member
    of the local Remote Desktop Users group.

    By default, Domain Admins have local administrative privileges on member
    workstations. But this is not because they are domain admins, but because
    the "domain admins" group is a member of the local administrators group. The
    same applies to the Domain Remote Desktop group, the only difference being
    that the local remote users group is not automatically populated with Domain
    Remote Users.

    /Al
     
    Al Dunbar, Feb 7, 2009
    #2
    1. Advertisements

  3. Rog

    Rog Guest

    I just tried to do this, but despite the fact that the local computer can
    see groups from the Domain, like Domain Admins, Domain Users, etc, it does
    not see the Remote Users Group in the Domain Built-ins folder. As a result,
    I can't add this domain security group to the local remote group. Do I need
    to make my own Domain Group to add to the local remote group?

    What am I missing ?

    Thanks,

    Rog
     
    Rog, Mar 10, 2009
    #3
  4. Rog

    Al Dunbar Guest

    I don't know. I have seen the Domain Remote Users group in AD, but we do not
    use that for anything. Domain admins can remote to any domain computer, and
    anyone with admin access to a server can do the same there. When it comes to
    workstations enabled for RDP access, we have basically created our own "OU
    remote users group", as there is no need for anyone outside our site-based
    OU to have remote access to workstations. As noted above, the domain admins
    could RDP in, but they are typically more concerned with managing servers.

    /Al
     
    Al Dunbar, Mar 10, 2009
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.