terminal services and active directory

SBryden asked (Last Modified: 2013-11-21)
I have a terminal server on a domain. I created the user and put them in the Remote Desktop Users group. The terminal server is part of the domain. Yet users can't connect to the terminal server unless they are in the domain admin group.

Commented:
Hello, it seems like your terminal server is in administration mode. Go into the Terminal Services installation and choose the other mode.

Author

Commented:
I have a domain environment. Is there a certain setting I have to set for the domain users to be able to log in to the server?

Commented:
In administration mode, only the administrators have access to the Remote Desktop. In application mode, access is given to the users from the local Remote Desktop Users group. To put the terminal service in application mode, follow the instructions here: http://support.microsoft.com/kb/306626/

Being in a domain only makes it so you can use users from the domain, and not just local users. As a best practice, I'd suggest putting them in a global group (named after the application you want them to use) and adding that group to the server's local Remote Desktop group.

Also, verify that each user has the permission to use Remote Desktop by looking at the Remote Desktop tab in the user properties.

Author

Commented:
I'm getting very frustrated... I have 2 separate Remote Desktop Users groups, one on the domain controller and one on the terminal server. I can't put a domain group into the Remote Desktop group of the terminal server, if that is what's being said.

Commented:
Is your domain group a local group or a global group? Only a global group can be put into a local group (the default Remote Desktop Users group on the terminal server is a local group). Also, be sure that your group is not a distribution group. So you have to put a global group from your domain (one you created for this) in the local Remote Desktop Users group on the terminal server. But that is only a "best practice". If you're not comfortable working like that, it's your choice.

Did you verify that the server is in application mode?

Author

Commented:
Yes, I pulled up server role management and told it to become a terminal server.

Author

Commented:
I have a global group called termserv, but I can't see this group from the terminal server. I tried to view a different location but only got the terminal server.

Author

Commented:
I tried to install Active Directory on the terminal server earlier, but it wanted me to make the terminal server a domain controller, so I didn't. Could that be the problem? I have experience with terminal server, just not with Active Directory.

Commented:
<quote>yes i pulled up server role management and told it to become a terminal server</quote>

To tell the server to be a terminal is not the same as telling it to be in application mode or administration mode. Which mode you take is defined when you install the Terminal Service. I suggest going to see this page: http://support.microsoft.com/kb/306626/

Another question coming to mind, since you're in ADS, do you have a Terminal Licensing service on any server of your domain?

Author

Commented:
BTW, that applies to Windows 2000 Server, not 2003, but I uninstalled and reinstalled Terminal Services to make sure it was applications.

Commented:
In your Admin tools, go in the Terminal Services Configuration (I'm not 100% sure about the names since I use a French version of Windows). In the Server Settings, you can change the access compatibilities to the medium security. With that you won't have to worry about the Remote Desktop Users group. But on the minus side, anyone will be able to connect to the server.

If it still doesn't work, what exactly is the error message your users get when they try to connect to that server using Remote Desktop?

Author

Commented:
The exact error is:
"to log on to this remote computer, you must be granted the allow to log on through terminal services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group has this right, or if the Remote Desktop User group does not have this right, you must grant this right manually."
I know it's a permission thing. I have the appropriate users in the domain local Remote Desktop Users group, but I can't see the domain groups to put them into the terminal server's Remote Desktop group. The terminal server is joined to the domain.

Commented:
Open the Local Strategy Settings admin tool, in the Local strategy, there's the Users Rights. In the Strategy named something like "right to open a terminal service session", it should be set to "Administrators" and "Remote Desktop Users".

Author

Commented:
I opened the local security settings and then went into user rights. I found "allow log on through terminal services"; both Administrators and Remote Desktop Users are there. But if I can't get the domain users in that group, I don't think it will matter.

Commented:
When you're trying to add users to the group, there's a part which asks you which domain, right? Above that, you also have another button to ask you what you're searching for (a group, a computer, a user): don't forget to select group or you won't find your groups...

Author

Commented:
I think I got the first issue fixed. Now I have another issue: I can log in, but now it's not going to the internet. The domain controller is going but the TSServer isn't.

Commented:
Found a solution by adding the termserv group I created on the domain controller to the local Remote Desktop group. But the policy I put on those users on the domain controller, those users don't seem to be picking it up.
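
The fix reached in this thread (nesting the domain global group termserv in the terminal server's local Remote Desktop Users group, then confirming that group still holds the "Allow log on through Terminal Services" right), as an added PowerShell example that is not part of the original thread. CONTOSO is a placeholder domain name, and the script assumes an elevated prompt on the terminal server itself.

```powershell
# Assumptions: CONTOSO is a placeholder domain; run elevated on the terminal server.
$Domain      = 'CONTOSO'
$GlobalGroup = 'termserv'              # global security group from the thread
$LocalGroup  = 'Remote Desktop Users'  # built-in local group on the terminal server

# Bind to the local group through the ADSI WinNT provider.
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/$LocalGroup,group"
$target = "WinNT://$Domain/$GlobalGroup"

# Each member comes back as a COM object; read its ADsPath by reflection.
$members = @($group.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}

if ($members -contains $target) {
    Write-Output "$Domain\$GlobalGroup is already in '$LocalGroup'."
} else {
    $group.Add("$target,group")
    Write-Output "Added $Domain\$GlobalGroup to '$LocalGroup'."
}

# Export the effective user rights and check who holds the RDP logon right.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight' |
    Select-Object -First 1
Remove-Item $cfg

if (-not $line) {
    Write-Warning 'SeRemoteInteractiveLogonRight is not assigned to anyone.'
} else {
    $holders = ($line.Line -split '=', 2)[1].Trim() -split '\s*,\s*'
    # *S-1-5-32-555 is the well-known SID of the built-in Remote Desktop Users group.
    if ($holders -contains '*S-1-5-32-555') {
        Write-Output "Remote Desktop Users holds the right: $($holders -join ', ')"
    } else {
        Write-Warning "Remote Desktop Users is missing from: $($holders -join ', ')"
    }
}
```

Granting access through a dedicated global group this way keeps ordinary terminal server users out of the domain admin group, which was the only thing that worked at the start of the thread.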
