Jonesey007
Can I use Group Policy to allow remote access?

I have created an OU called LabUsers under domain.local in ADUC. I have added half a dozen users into this OU. I want all the users to be able to access other PCs on the network. At the moment, when a user tries to access another machine remotely, there is a warning stating "To log on to this remote computer you must be granted the allow logon through terminal services right". I've been exploring two ways around this. The 1st way was to create a GP on the LabUsers OU allowing remote access. The second way was to create a security group which is a member of RemoteDesktopUsersGroup and make all my users members of that group. That didn't seem to work either. Can anyone help me?
Thanks
Speshalyst

Jonesey007

ASKER

Hi, thanks for the quick reply. I have read both the articles. When I'm logged in as Administrator I can remote access Server2 fine, so that proves it's enabled. The first document says the users need to be members of RemoteDesktopUsersGroup, which makes sense. I added them to this group but still no luck. Any more ideas?
Is it possible that there might be a substantial delay between when I add the users to the group and when they can log on remotely? Or should it be straight away because the machines are in the same domain?

Thanks
Can you grant remote control access explicitly to one user from the LabUsers OU on a problem PC?

If you add a user to the Remote Desktop Users group on a server that user still can't access the PC remotely
I don't see why there should be a delay ... unless these are spread across different sites or something like that.
 
This is not going well. I'm testing this with two machines. One is going to be my Exchange server and is headless. The second is my DC. So far I've been trying to remote access the Exchange machine. Now I've just logged out of the Admin account on the DC and tried to log in as one of the new users, and I'm getting another message, this time stating "The local policy on this system does not allow login interactively". Is there something fundamentally wrong with my users? All I did was create an OU and create the users in there.

Thanks again for all the help
ASKER CERTIFIED SOLUTION
Mike Kline
This solution is only available to members.
Thanks for the reply. I am logging into the DC as an Administrator. I then open RemoteDesktop and try to log on to the 2nd server (not a DC) with a new user (rob) I created. I just made an OU called LabComputers and moved the 2nd server into the OU. I then created a RemoteAccess GPO linked to the LabComputers OU which added my Rob user to Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment | Allow Logon through Terminal Services.

I think this is what you suggested but I'm still having no luck.
Is the "rob user" a member of the Remote Desktop Users group on the 2nd server? (I'm assuming just a member server.)
 
 
Yes he is, in his Member Of tab it says
Domain Users                     domain.local/Users
Remote Desktop Users      domAIN.LOCAL/BuiltIn

Thanks
Morning guys, any chance of a bit more help with this? When I created the users I only made them members of Remote Desktop Users. Do they need to be members of anything else?

Thanks
I've just managed to log on remotely with my Rob user. I logged onto the remote machine with Administrator, right-clicked on My Computer, went to Properties, then Remote.
In this property pane I already had "Enable Remote Desktop on this machine" ticked, but I just noticed another box saying "Select Remote Users". I then added Rob and he can now log in remotely. Is there a better way, so I don't have to go around each machine and add users / groups manually?

Thanks
That list is being populated by who is in the "Remote Desktop Users" group on the machine.  To test go in and add a user to that group on the machine then look in that box, user should be there.
 
Thanks
Mike
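
An added example (not part of the original thread or any poster's code) of checking the machine-local "Remote Desktop Users" group that the reply above describes, and adding one domain security group to it so individual users do not have to be added per machine. It assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets, run elevated on the member server; `DOMAIN\LabRemoteUsers` is a hypothetical group name.

```powershell
# Added example: audit the LOCAL "Remote Desktop Users" group on this machine.
# 'DOMAIN\LabRemoteUsers' is a hypothetical domain security group; substitute your own.
param(
    [string]$DomainGroup = 'DOMAIN\LabRemoteUsers',
    [switch]$Apply   # without -Apply the script only reports
)

# Resolve the local group by its well-known SID (S-1-5-32-555) instead of
# by name, so the lookup also works on localized systems.
$rdu = Get-LocalGroup -SID 'S-1-5-32-555'

# These members are what the "Select Remote Users" dialog lists.
# Note: the "Remote Desktop Users" group shown under domain.local/BuiltIn
# is a different object. It is the builtin group used by domain
# controllers, and membership in it does not grant access to member servers.
$members = @(Get-LocalGroupMember -Group $rdu)

Write-Output "Members of local '$($rdu.Name)' on $($env:COMPUTERNAME):"
$members |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize |
    Out-String |
    Write-Output

# Accounts added one by one are hard to review later; flag them so they
# can be replaced by group membership.
$directUsers = @($members | Where-Object { $_.ObjectClass -eq 'User' })
if ($directUsers.Count -gt 0) {
    Write-Warning ("Individually added accounts: " +
        (($directUsers | ForEach-Object { $_.Name }) -join ', '))
}

$alreadyPresent = @($members | Where-Object { $_.Name -eq $DomainGroup }).Count -gt 0

if ($alreadyPresent) {
    Write-Output "$DomainGroup is already a member; nothing to change."
}
elseif ($Apply) {
    # Grant access to the group, not to individual users, so access is
    # managed by group membership in Active Directory.
    Add-LocalGroupMember -Group $rdu -Member $DomainGroup
    Write-Output "Added $DomainGroup to local '$($rdu.Name)'."
}
else {
    Write-Output "$DomainGroup is NOT a member. Re-run with -Apply to add it."
}
```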