Solved

Remote Desktop does not work on the domain controller

Posted on 2007-04-02
8
1,148 Views
Last Modified: 2012-05-05
I just installed a new domain controller (the first one in the forest), and still in the phase to setup all OUs, users and GPs. The server is Windows 2003 x64 Standard edition.

Now, for some reason I cannot Terminal Service/Remote Desktop the domain controller (only this machine, the rest of the servers I can access as usual). I am using the Administrator account, and the administrator is listed in the GP that deals with Terminal Service, also the terminal service is enabled. when I try to login using the Administrator username and password it gives me the following error message:

"To log on this remote computer, you must be granted the Allow log on through Terminal Services right.  By default, members of the Remote Desktop Users group have this right.  If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop User Group does not have this right, you must be granted this right manually."


I tried everything, I removed all the policies and reinstall them again, trying different users with different groups.... etc
But no luck... Your help is much appreciated....

Rami
0
Comment
Question by:nammari
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
8 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 18835873
I suspect that you have enabled the Termonal Services GPO in the default domain policy, not the domain controllers policy. Either configure the Domain Controllers policy for terminal services or  just check on the domain controller that remote desktop is enabled. On the DC, right click My Computer, select Properties and enable Remote Desktop in the Remote Tab.
0
 

Author Comment

by:nammari
ID: 18835931
Hi KCTS,

I already did that, the TS is enabled on that computer.. I can connect to the TS, it asks for the user name and password, but once I click Ok, then it give me that message.

I am really confused now since I changed the policy many times, and I am not sure which policy is now used (the local one or the AD one)!!!


Your help is much appreciated,
Rami
0
 

Author Comment

by:nammari
ID: 18836354
Any update guys?
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 9

Expert Comment

by:FixingStuff
ID: 18837573
On a domain controller the default setting for "Log on locally" in Local Security Settings does not include TSinternetUser group.  This is a security feature to protect the DC.
So, open Local Security Settings, Local Policies, User Rights Assignment, Log on locally, add the TSinternetUser group and/or the group to allow.
fs
0
 

Author Comment

by:nammari
ID: 18837660
I tried that but didn't help... Can you please send me the settings to configure the Remote Desktop connection on the DC?
Also, do you have a recommended Group Policy for Domain and Domain Controllers?

Thanks,
rami
0
 

Accepted Solution

by:
nammari earned 0 total points
ID: 18841778
I fixed the issue. The Administrators group should not be in the  "Allow log on through Terminal Services". This applies only to the domain controllers. You have to specify the users in that policy, and exclude the Administrators Group and Remote Desktop Group.
Please find the attached URL:
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch05.mspx
0
 

Author Comment

by:nammari
ID: 18841991
The author has found and posted the solution to this problem, please close this question as solved by the author
0

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question