Solved

Cannot Remote Desktop to member server in SBS 2003 domain

Posted on 2006-11-09
Last Modified: 2008-01-09
Hi,

I have an SBS 2003 network over four sites.  SBS at one site, Win2003 server at the others acting as backup domain controllers.

I need a user to be able to access an application on each of the servers, so have added them to the Remote Desktop User group.

I can RDP to the SBS machine using their account details without a problem.  But I can't login to any of the branch servers.  Error message tells me I need to be part of the Remote Desktop Users group.

If I check AD on each of the DCs, the user is shown as a Remote Desktop User on each.  If I go to System Properties>Remote>Select Remote Users, the user is in the allowed user list.

Is there something else I need to do?
Question by:devon-lad
12 Comments
 
LVL 9

Expert Comment

by:trenes
ID: 17905343
Hi devon-lad,
By default the remote option is disabled on Windows 2003; you just might have to enable it.
Right click my computer -> remote tab -> enable remote.

Hope that helps you devon-lad
regards,

Trenes
0
 
LVL 1

Author Comment

by:devon-lad
ID: 17905353
Already enabled and used for remote admin.
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 17905390
Hi devon-lad,


Did you try this:
1. Using an admin account open a remote admin session to the server in question.

2. Click Start >Programs >Administrative Tools >Terminal Services Configuration

3. Click Connections

4. In the right hand pane RIGHT CLICK the RDP-TCP connector and select properties

5. On the permissions tab click "ADD"

6. Add your user/group in here and select user access.

Another interesting link is this one:
http://www.windowsnetworking.com/articles_tutorials/Windows_2003_Terminal_Services_Part2.html




Cheers!
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 17905404
devon-lad,

but probably you are facing this:

The default domain controller policy only allows Administrators (Domain Administrators) to log on to Domain Controllers.

If you want to enable logon to Domain Controllers for Domain Users, you will have to edit the Default Domain Controller Policy. Open this policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment (you can use the Group Policy Management in the advanced section of the server management console for this).
Look for the policy called "Allow logon through Terminal Services". Add the appropriate group to this policy (e.g. Domain Users, or Remote Desktop Users Group, ...).

0
 
LVL 1

Author Comment

by:devon-lad
ID: 17905423
Hi,

Firstly, Remote Desktop Users is already listed in Terminal Services Configuration.

Regarding your second suggestion - I can already log in to the primary domain controller (SBS machine) with the user's details.  So if it was a group policy setting stopping logon to domain controllers, presumably I wouldn't be able to do this?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17920713
Are you saying that you want non-administrators to log onto your SBS's desktop?  That's not permissible and is a really bad idea.  SBS cannot be used as a Terminal Server in Application Mode.

What are you trying to do here?  What is the application?  

Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:devon-lad
ID: 17929142
Yes, that's right.

And it's not my favourite idea either - but the only one that appears to be usable.

There is a database application on each server - each with a separate local database - that needs to be accessed by one of the directors of the company while he is in a remote office (not one of the branch sites).

VPN option is too slow.

The RDP option works well (at least on the SBS machine, but none of the others at the moment)...but obviously, there is a concession to letting a non-admin login to the servers.

Having said that - they only have rights to operate the db application - they can't do anything else - so is it such a bad idea?



0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17937169
It's not only still a bad idea, it's not something you can do on an SBS.  There is NO option to use Terminal Services (RDP) for any other purpose other than Administration because applications cannot be installed in a multi-user mode.  You would need to add another Server to the LAN at this site in order to run TS in Application Mode (or add a virtual server on your SBS -- see http://sbsurl.com/vs).

On the other servers, if they are not set to run Terminal Services in Application Mode (instead of Administration Mode) then non-administrators will not be allowed to log on remotely.  You would need to change the mode.  This would also require that you get Terminal Server CALs for those machines and that they be joined to your network following the steps outlined in http://sbsurl.com/sbstss


Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:devon-lad
ID: 17938738
The director now tells me he has accessed the application over a VPN connection before and the speed issue is tolerable.  So this is the way I'm going to do it.

HOWEVER, in the spirit of closing the question and finding out exactly why what I was trying wasn't working...or more precisely, why part of it WAS working when in fact it shouldn't...

At the moment, all servers have RDP for Administration set up.

The user account in question CAN login to the SBS machine ok...and is able to run the database application, but cannot access anything else.

But the same user account cannot login to the member servers.

So, what you're saying Jeff is that the member server behaviour I'm seeing is expected.  Ok, sounds reasonable for non-admins not to be able to login even if they are part of the Remote Desktop Users group.

But why then is the same account allowed to login to the SBS server?

0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17938971
I could only know that if I knew everything you've done to try to make this happen already...

Since they are all Domain Controllers, they SHOULD have the same security settings... however, if you modified just the SBS without modifying the Domain Controller Security Policy GPO that could explain why it's different.

To find out for yourself, run a gpresult on both the SBS and one of the other Servers for the user account in question and compare the two.

Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:devon-lad
ID: 17939356
All I've done is add them to the Remote Desktop Users group.

Didn't make any changes to group policy.

Running gpresult on the SBS machines, I get all the details returned that I would expect.

However, running on one of the other servers I get "The user does not have RSOP data".

What's the significance of this then?
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 250 total points
ID: 17940192
You can run a gpresult while logged in as the administrator but use the /USER switch to specify results for a specific user.  If you run it from the SBS you can specify both /USER and /S (system) to get results for any machine.

Jeff
TechSoEasy
0
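The comparison suggested in this thread, done directly on the user right named earlier ("Allow log on through Terminal Services", internally `SeRemoteInteractiveLogonRight`) instead of on gpresult output. This is an added example, not part of any post above; it assumes each server's rights were exported with `secedit`, and the two sample exports and server labels are constructed.

```python
# Added example: diff the remote-logon user rights found in two secedit exports.
# Assumption: each file was produced on the server itself with
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
RIGHTS = {
    "SeRemoteInteractiveLogonRight": "Allow log on through Terminal Services",
    "SeDenyRemoteInteractiveLogonRight": "Deny log on through Terminal Services",
}
# Well-known SIDs that secedit writes as *S-1-5-32-...
WELL_KNOWN = {"S-1-5-32-544": "BUILTIN\\Administrators",
              "S-1-5-32-555": "BUILTIN\\Remote Desktop Users"}

def parse_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights = {name: set() for name in RIGHTS}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        if name in rights:  # a right missing from the export stays an empty set
            for principal in value.split(","):
                principal = principal.strip().lstrip("*")
                if principal:
                    rights[name].add(WELL_KNOWN.get(principal, principal))
    return rights

def compare(a_name, a_text, b_name, b_text):
    """List principals that hold a right on one server but not on the other."""
    a, b = parse_rights(a_text), parse_rights(b_text)
    findings = []
    for right, label in RIGHTS.items():
        findings += [f"{label}: {who} on {a_name} only" for who in sorted(a[right] - b[right])]
        findings += [f"{label}: {who} on {b_name} only" for who in sorted(b[right] - a[right])]
    return findings

# Constructed sample exports (not taken from the thread).
SBS_INF = "[Unicode]\nUnicode=yes\n[Privilege Rights]\nSeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555\n"
BRANCH_INF = "[Unicode]\nUnicode=yes\n[Privilege Rights]\nSeRemoteInteractiveLogonRight = *S-1-5-32-544\n"

if __name__ == "__main__":
    for finding in compare("SBS", SBS_INF, "BRANCH", BRANCH_INF):
        print(finding)
```

Real secedit exports are usually UTF-16 encoded, so read them with `open(path, encoding="utf-16")` before passing the text in.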

Question has a verified solution.
