Solved

Cannot Remote Desktop to member server in SBS 2003 domain

Posted on 2006-11-09
12
394 Views
Last Modified: 2008-01-09
Hi,

I have an SBS 2003 network over four sites.  SBS at one site, Win2003 server at the others acting as backup domain controllers.

I need a user to be able to access an application on each of the servers, so have added them to the Remote Desktop User group.

I can RDP to the SBS machine using their account details without a problem.  But I can't login to any of the branch servers.  Error message tells me I need to be part of the Remote Desktop Users group.

If I check AD on each of the DCs, the user is shown as a Remote Desktop User on each.  If I go to System Properties>Remote>Select Remote Users, the user is in the allowed user list.

Is there something else I need to do?
0
Comment
Question by:devon-lad
  • 5
  • 4
  • 2
  • +1
12 Comments
 
LVL 9

Expert Comment

by:trenes
ID: 17905343
Hi devon-lad,
Default the remote option is disable on windows 2003 you just might have to enable it.
Right click my computer -> remote tab -> enable remote.

Hope that helps you devon-lad
regards,

Trenes
0
 
LVL 1

Author Comment

by:devon-lad
ID: 17905353
Already enabled and used for remote admin.
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 17905390
Hi devon-lad,


Did you try this:
1. Using an admin account open a remote admin session to the server in question.

2. Click Start >Programs >Administrative Tools >Terminal Services Configuration

3. Click Connections

4. In the right hand pane RIGHT CLICK the RDP-TCP connector and select properties

5. On the permissions tab click "ADD"

6. Add your user/group in here and select user access.

another interesting link is this one:
http://www.windowsnetworking.com/articles_tutorials/Windows_2003_Terminal_Services_Part2.html




Cheers!
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 17905404
devon-lad,

but probably you are facing this:

 The default domain controller Policy only allows Administrators
(Domain Administrators) to logon to Domain Controllers.

If you want to enable logon to Domain Controllers for Domain Users, you will
have to edit Default Domain Controller Policy. Open this policy and go to  Computer Configuration -> Windows Settings -> Security
Settings -> Local Policies -> User Rights Assignment. (you can use the group policy management in the advanced section of the server management console for this)
Look for policy called "Allow logon through Terminal Services". Add appropriate group to
this policy (e.g. Domain Users, or Remote Desktop Users Group, ...).

0
 
LVL 1

Author Comment

by:devon-lad
ID: 17905423
Hi,

Firstly, Remote Desktop Users is already listed in Terminal Services Configuration.

Regarding your second suggestion - I can already log in to the primary domain controller (SBS machine) with the user's details.  So if it was a group policy setting stopping logon to domain controllers, presumably I wouldn't be able to do this?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17920713
Are you saying that you want non-administrators to log onto your SBS's desktop?  That's not permissible and is a really bad idea.  SBS cannot be used as a Terminal Server in Applicatio Mode.  

What are you trying to do here?  What is the application?  

Jeff
TechSoEasy
0
Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

 
LVL 1

Author Comment

by:devon-lad
ID: 17929142
Yes, that's right.

And it's not my favourite idea either - but the only one that appears to be usable.

There is a database application on each server - each with a separate local database - that needs to be accessed by one of the directors of the company while he is in a remote office (not one of the branch sites).

VPN option is too slow.

The RDP option works well (at least on the SBS machine, but none of the others at the moment)...but obviously, there is a concession to letting a non-admin login to the servers.

Having said that - they only have rights to operate the db application - they can't do anything else - so is it such a bad idea?



0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17937169
It's not only still a bad idea, it's not something you can do on an SBS.  There is NO option to use Terminal Services (RDP) for any other purpose other than Administration because applications cannot be installed in a multi-user mode.  You would need to add another Server to the LAN at this site in order to run TS in Application Mode (or add a virtual server on your SBS -- see http://sbsurl.com/vs).

On the other servers, if they are not set to run Terminal Services in Application Mode (instead of Administration Mode) then non-administrators will not be allowed to log on remotely.  You would need to change the mode.  This would also require that you get Terminal Server CALs for those machines and that they be joined to your network following the steps outlined in http://sbsurl.com/sbstss


Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:devon-lad
ID: 17938738
The director now tells me he has accessed the application over a VPN connection before and the speed issue is tolerable.  So this is the way I'm going to do it.

HOWEVER, in the spirit of closing the question and finding out exactly why what I was trying wasn't working...or more precisely, why part of it WAS working when in fact it shouldn't...

At the moment, all servers have RDP for Administration set up.

The user account in question CAN login to the SBS machine ok...and is able to run the database application, but cannot access anything else.

But the same user account cannot login to the member servers.

So, what you're saying Jeff is that the member server behaviour I'm seeing is expected.  Ok, sounds reasonable for non-admins not to be able to login even if they are part of the Remote Desktop Users group.

But why then is the same account allowed to login to the SBS server?

0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17938971
I could only know that if I knew everything you've done to try to make this happen already...

Since they are all Domain Controllers, they SHOULD have the same security settings... however, if you modified just the SBS without modifying the Domain Controller Security Policy GPO that could explain why it's different.

To find out for yourself, run a gpresult on both the SBS and one of the other Servers for the user account in question and compare the two.

Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:devon-lad
ID: 17939356
All I've done is add them to the Remote Desktop Users group.

Didn't make any changes to group policy.

Running gpresult on the SBS machines, I get all the details returned that I would expect.

However, running on one of the other servers I get "The user does not have RSOP data".

What's the significance of this then?
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 250 total points
ID: 17940192
You can run a gpresult while logged in as the administrator but use the /USER switch to specify results for a specific user.  If you run it from the SBS you can specify both /USER and /S (system) to get results for any machine.

Jeff
TechSoEasy
0

Featured Post

New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A lot of problems and solutions are available on the net for the error message "Source server does not meet minimum requirements for migration" while performing a migration from Small Business Server 2003 to SBS 2008. This error pops up just before …
I've often see, or have been asked, the question about the difference between the Exchange 2010 SP1 version, available as part of Small Business Server (SBS) 2011, and the “normal” Exchange 2010 SP1 Standard. The answer to the question is relativ…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now