Solved

Cannot Remote Desktop to member server in SBS 2003 domain

Posted on 2006-11-09
12
393 Views
Last Modified: 2008-01-09
Hi,

I have an SBS 2003 network over four sites.  SBS at one site, Win2003 server at the others acting as backup domain controllers.

I need a user to be able to access an application on each of the servers, so have added them to the Remote Desktop User group.

I can RDP to the SBS machine using their account details without a problem.  But I can't login to any of the branch servers.  Error message tells me I need to be part of the Remote Desktop Users group.

If I check AD on each of the DCs, the user is shown as a Remote Desktop User on each.  If I go to System Properties>Remote>Select Remote Users, the user is in the allowed user list.

Is there something else I need to do?
0
Comment
Question by:devon-lad
  • 5
  • 4
  • 2
  • +1
12 Comments
 
LVL 9

Expert Comment

by:trenes
ID: 17905343
Hi devon-lad,
Default the remote option is disable on windows 2003 you just might have to enable it.
Right click my computer -> remote tab -> enable remote.

Hope that helps you devon-lad
regards,

Trenes
0
 
LVL 1

Author Comment

by:devon-lad
ID: 17905353
Already enabled and used for remote admin.
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 17905390
Hi devon-lad,


Did you try this:
1. Using an admin account open a remote admin session to the server in question.

2. Click Start >Programs >Administrative Tools >Terminal Services Configuration

3. Click Connections

4. In the right hand pane RIGHT CLICK the RDP-TCP connector and select properties

5. On the permissions tab click "ADD"

6. Add your user/group in here and select user access.

another interesting link is this one:
http://www.windowsnetworking.com/articles_tutorials/Windows_2003_Terminal_Services_Part2.html




Cheers!
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 17905404
devon-lad,

but probably you are facing this:

 The default domain controller Policy only allows Administrators
(Domain Administrators) to logon to Domain Controllers.

If you want to enable logon to Domain Controllers for Domain Users, you will
have to edit Default Domain Controller Policy. Open this policy and go to  Computer Configuration -> Windows Settings -> Security
Settings -> Local Policies -> User Rights Assignment. (you can use the group policy management in the advanced section of the server management console for this)
Look for policy called "Allow logon through Terminal Services". Add appropriate group to
this policy (e.g. Domain Users, or Remote Desktop Users Group, ...).

0
 
LVL 1

Author Comment

by:devon-lad
ID: 17905423
Hi,

Firstly, Remote Desktop Users is already listed in Terminal Services Configuration.

Regarding your second suggestion - I can already log in to the primary domain controller (SBS machine) with the user's details.  So if it was a group policy setting stopping logon to domain controllers, presumably I wouldn't be able to do this?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17920713
Are you saying that you want non-administrators to log onto your SBS's desktop?  That's not permissible and is a really bad idea.  SBS cannot be used as a Terminal Server in Applicatio Mode.  

What are you trying to do here?  What is the application?  

Jeff
TechSoEasy
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 1

Author Comment

by:devon-lad
ID: 17929142
Yes, that's right.

And it's not my favourite idea either - but the only one that appears to be usable.

There is a database application on each server - each with a separate local database - that needs to be accessed by one of the directors of the company while he is in a remote office (not one of the branch sites).

VPN option is too slow.

The RDP option works well (at least on the SBS machine, but none of the others at the moment)...but obviously, there is a concession to letting a non-admin login to the servers.

Having said that - they only have rights to operate the db application - they can't do anything else - so is it such a bad idea?



0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17937169
It's not only still a bad idea, it's not something you can do on an SBS.  There is NO option to use Terminal Services (RDP) for any other purpose other than Administration because applications cannot be installed in a multi-user mode.  You would need to add another Server to the LAN at this site in order to run TS in Application Mode (or add a virtual server on your SBS -- see http://sbsurl.com/vs).

On the other servers, if they are not set to run Terminal Services in Application Mode (instead of Administration Mode) then non-administrators will not be allowed to log on remotely.  You would need to change the mode.  This would also require that you get Terminal Server CALs for those machines and that they be joined to your network following the steps outlined in http://sbsurl.com/sbstss


Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:devon-lad
ID: 17938738
The director now tells me he has accessed the application over a VPN connection before and the speed issue is tolerable.  So this is the way I'm going to do it.

HOWEVER, in the spirit of closing the question and finding out exactly why what I was trying wasn't working...or more precisely, why part of it WAS working when in fact it shouldn't...

At the moment, all servers have RDP for Administration set up.

The user account in question CAN login to the SBS machine ok...and is able to run the database application, but cannot access anything else.

But the same user account cannot login to the member servers.

So, what you're saying Jeff is that the member server behaviour I'm seeing is expected.  Ok, sounds reasonable for non-admins not to be able to login even if they are part of the Remote Desktop Users group.

But why then is the same account allowed to login to the SBS server?

0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17938971
I could only know that if I knew everything you've done to try to make this happen already...

Since they are all Domain Controllers, they SHOULD have the same security settings... however, if you modified just the SBS without modifying the Domain Controller Security Policy GPO that could explain why it's different.

To find out for yourself, run a gpresult on both the SBS and one of the other Servers for the user account in question and compare the two.

Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:devon-lad
ID: 17939356
All I've done is add them to the Remote Desktop Users group.

Didn't make any changes to group policy.

Running gpresult on the SBS machines, I get all the details returned that I would expect.

However, running on one of the other servers I get "The user does not have RSOP data".

What's the significance of this then?
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 250 total points
ID: 17940192
You can run a gpresult while logged in as the administrator but use the /USER switch to specify results for a specific user.  If you run it from the SBS you can specify both /USER and /S (system) to get results for any machine.

Jeff
TechSoEasy
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

I’m often asked about newer and larger USB drives connected to SBS2008 and 2011 failing Windows Server Backup vs the older USB drives not failing. As disk space continues to grow and drive technology change SBS2008 and some SBS2011 end up with the f…
If you are a user of the discontinued Microsoft Office Accounting 2008 (MSOA) and have to move to a new computer running Windows 8, you will be unhappy to discover that it won't install.  In particular, Microsoft SQL Server 2005 Express Edition (SSE…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now