devon-lad

Cannot Remote Desktop to member server in SBS 2003 domain

Hi,

I have an SBS 2003 network over four sites.  SBS at one site, Win2003 server at the others acting as backup domain controllers.

I need a user to be able to access an application on each of the servers, so have added them to the Remote Desktop User group.

I can RDP to the SBS machine using their account details without a problem.  But I can't login to any of the branch servers.  Error message tells me I need to be part of the Remote Desktop Users group.

If I check AD on each of the DCs, the user is shown as a Remote Desktop User on each.  If I go to System Properties>Remote>Select Remote Users, the user is in the allowed user list.

Is there something else I need to do?
trenes

Hi devon-lad,
By default the remote option is disabled on Windows 2003; you just might have to enable it.
Right click My Computer -> Remote tab -> enable remote.

Hope that helps you devon-lad
regards,

Trenes
devon-lad

ASKER

Already enabled and used for remote admin.
Hi devon-lad,


Did you try this:
1. Using an admin account open a remote admin session to the server in question.

2. Click Start >Programs >Administrative Tools >Terminal Services Configuration

3. Click Connections

4. In the right hand pane RIGHT CLICK the RDP-TCP connector and select properties

5. On the permissions tab click "ADD"

6. Add your user/group in here and select user access.

Another interesting link is this one:
http://www.windowsnetworking.com/articles_tutorials/Windows_2003_Terminal_Services_Part2.html




Cheers!
devon-lad,

but probably you are facing this:

The Default Domain Controller Policy only allows Administrators (Domain Administrators) to log on to Domain Controllers.

If you want to enable logon to Domain Controllers for Domain Users, you will have to edit the Default Domain Controller Policy. Open this policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. (You can use the Group Policy Management in the advanced section of the server management console for this.)
Look for the policy called "Allow logon through Terminal Services". Add the appropriate group to this policy (e.g. Domain Users, or Remote Desktop Users Group, ...).

Hi,

Firstly, Remote Desktop Users is already listed in Terminal Services Configuration.

Regarding your second suggestion - I can already log in to the primary domain controller (SBS machine) with the user's details.  So if it was a group policy setting stopping logon to domain controllers, presumably I wouldn't be able to do this?
Jeffrey Kane - TechSoEasy
Are you saying that you want non-administrators to log onto your SBS's desktop?  That's not permissible and is a really bad idea.  SBS cannot be used as a Terminal Server in Application Mode.

What are you trying to do here?  What is the application?  

Jeff
TechSoEasy
Yes, that's right.

And it's not my favourite idea either - but the only one that appears to be usable.

There is a database application on each server - each with a separate local database - that needs to be accessed by one of the directors of the company while he is in a remote office (not one of the branch sites).

VPN option is too slow.

The RDP option works well (at least on the SBS machine, but none of the others at the moment)...but obviously, there is a concession to letting a non-admin login to the servers.

Having said that - they only have rights to operate the db application - they can't do anything else - so is it such a bad idea?



It's not only still a bad idea, it's not something you can do on an SBS.  There is NO option to use Terminal Services (RDP) for any other purpose other than Administration because applications cannot be installed in a multi-user mode.  You would need to add another Server to the LAN at this site in order to run TS in Application Mode (or add a virtual server on your SBS -- see http://sbsurl.com/vs).

On the other servers, if they are not set to run Terminal Services in Application Mode (instead of Administration Mode) then non-administrators will not be allowed to log on remotely.  You would need to change the mode.  This would also require that you get Terminal Server CALs for those machines and that they be joined to your network following the steps outlined in http://sbsurl.com/sbstss


Jeff
TechSoEasy
The director now tells me he has accessed the application over a VPN connection before and the speed issue is tolerable.  So this is the way I'm going to do it.

HOWEVER, in the spirit of closing the question and finding out exactly why what I was trying wasn't working...or more precisely, why part of it WAS working when in fact it shouldn't...

At the moment, all servers have RDP for Administration set up.

The user account in question CAN login to the SBS machine ok...and is able to run the database application, but cannot access anything else.

But the same user account cannot login to the member servers.

So, what you're saying Jeff is that the member server behaviour I'm seeing is expected.  Ok, sounds reasonable for non-admins not to be able to login even if they are part of the Remote Desktop Users group.

But why then is the same account allowed to login to the SBS server?

I could only know that if I knew everything you've done to try to make this happen already...

Since they are all Domain Controllers, they SHOULD have the same security settings... however, if you modified just the SBS without modifying the Domain Controller Security Policy GPO that could explain why it's different.

To find out for yourself, run a gpresult on both the SBS and one of the other Servers for the user account in question and compare the two.

Jeff
TechSoEasy
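
Added example, not part of the thread: one way to make the comparison suggested above concrete is to export each server's security settings and compare who holds the "Allow log on through Terminal Services" right (`SeRemoteInteractiveLogonRight`). The two exports below are constructed samples in the INF layout that `secedit /export /cfg` writes, and the function names are hypothetical.

```python
# Added example: compare the RDP logon right in two secedit exports.
RIGHT = "SeRemoteInteractiveLogonRight"     # "Allow log on through Terminal Services"
DENY = "SeDenyRemoteInteractiveLogonRight"  # the matching deny right, which wins
RDU = "*S-1-5-32-555"                       # BUILTIN\Remote Desktop Users (well-known SID)

# Constructed samples in the INF layout written by `secedit /export /cfg <file>`;
# they are illustrative and are not taken from the asker's servers.
SBS_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""
BRANCH_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
"""

def privilege_rights(inf_text):
    """Return {right name: set of principals} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip() for v in value.split(",") if v.strip()}
    return rights

def can_rdp(inf_text, principals):
    """True if any principal holds the allow right and none holds the deny right."""
    rights, who = privilege_rights(inf_text), set(principals)
    return bool(who & rights.get(RIGHT, set())) and not (who & rights.get(DENY, set()))

def diff_right(export_a, export_b, right=RIGHT):
    """Principals holding `right` only in A, and only in B."""
    a = privilege_rights(export_a).get(right, set())
    b = privilege_rights(export_b).get(right, set())
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    print("SBS:", can_rdp(SBS_EXPORT, [RDU]), "branch:", can_rdp(BRANCH_EXPORT, [RDU]))
    print("only on SBS / only on branch:", diff_right(SBS_EXPORT, BRANCH_EXPORT))
```

Real exports are typically saved as UTF-16, so open them with `encoding="utf-16"` before passing the text in. Matching is by exact string, so a principal written by name instead of `*SID` has to be passed in that same form.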
All I've done is add them to the Remote Desktop Users group.

Didn't make any changes to group policy.

Running gpresult on the SBS machines, I get all the details returned that I would expect.

However, running on one of the other servers I get "The user does not have RSOP data".

What's the significance of this then?
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy