
Can I use group policy to allow remote access?

Last Modified: 2012-06-21
I have created an OU called LabUsers under domain.local in ADUC. I have added half a dozen users into this OU. I want all the users to be able to access other PCs on the network. At the moment, when a user tries to access another machine remotely, there is a warning stating "To log on to this remote computer you must be granted the allow logon through terminal services right". I've been exploring two ways around this. The 1st way was to create a GP on the LabUsers OU allowing remote access. The second way was to create a security group which is a member of RemoteDesktopUsersGroup and make all my users members of that group. That didn't seem to work either. Can anyone help me?
Thanks

Speshalyst Tech Support professional
CERTIFIED EXPERT

Commented:

Author

Commented:
Hi, thanks for the quick reply. I have read both the articles. When I'm logged in as Administrator I can remote access Server2 fine, so that proves it's enabled. The first document says the users need to be members of RemoteDesktopUsersGroup, which makes sense. I added them to this group but still no luck. Any more ideas?

Author

Commented:
Is it possible that there might be a substantial delay between when I add the users to the group and when they can log on remotely? Or should it be straight away because the machines are in the same domain?

Thanks
Speshalyst Tech Support professional
CERTIFIED EXPERT

Commented:
Can you grant remote control access explicitly to one user from the LabUsers OU on a problem PC?
 
CERTIFIED EXPERT
Top Expert 2013

Commented:
If you add a user to the Remote Desktop Users group on a server that user still can't access the PC remotely
Speshalyst Tech Support professional
CERTIFIED EXPERT

Commented:
I don't see why there should be a delay ... unless these are spread across different sites or something like that.
 

Author

Commented:
This is not going well. I'm testing this with two machines. One is going to be my Exchange server and is headless. The second is my DC. So far I've been trying to remote access the Exchange machine. Now I've just logged out of the Admin account on the DC and tried to log in as one of the new users, and I'm getting another message, this time stating "The local policy on this system does not allow login interactivley". Is there something fundamentally wrong with my users? All I did was create an OU and create the users in there.

Thanks again for all the help
CERTIFIED EXPERT
Top Expert 2013
Commented:
OK, didn't realize it was a domain controller.
There is a user rights assignment called "Allow log on through Terminal Services":
Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment
Allow log on through Terminal Services
On domain controllers only Administrators have that right.
You can modify that, but I'd be wary of letting non-admins log into a DC.
Thanks
Mike


Author

Commented:
Thanks for the reply. I am logging into the DC as an Administrator. I then open Remote Desktop and try to log on to the 2nd server (not a DC) with a new user (rob) I created. I just made an OU called LabComputers and moved the 2nd server into the OU. I then created a RemoteAccess GPO linked to the LabComputers OU which added my Rob user to Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment | Allow Logon through Terminal Services.

I think this is what you suggested but I'm still having no luck.
CERTIFIED EXPERT
Top Expert 2013

Commented:
Is the "rob user" a member of the Remote Desktop Users group on the 2nd server (I'm assuming just a member server)?
 
 

Author

Commented:
Yes he is, in his Member Of tab it says
Domain Users                     domain.local/Users
Remote Desktop Users      domAIN.LOCAL/BuiltIn

Thanks

Author

Commented:
Morning guys, any chance of a bit more help with this? When I created the users I only made them members of Remote Desktop Users. Do they need to be members of anything else?

Thanks

Author

Commented:
I've just managed to log on remotely with my Rob user. I logged onto the remote machine with Administrator, right-clicked on My Computer, went to Properties, then Remote.
In this property pane I already had Enable Remote Desktop on this machine ticked, but I just noticed another box saying "Select Remote Users". I then added Rob and he can now log in remotely. Is there a better way so I don't have to go around each machine and add users / groups manually?

Thanks
CERTIFIED EXPERT
Top Expert 2013

Commented:
That list is being populated by who is in the "Remote Desktop Users" group on the machine.  To test go in and add a user to that group on the machine then look in that box, user should be there.
 
Thanks
Mike
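
The two settings discussed in this thread can be checked together on a member server. The script below is an added example, not part of the original thread: it lists the machine's own local "Remote Desktop Users" group and the accounts that hold the "Allow log on through Terminal Services" right. It assumes an elevated session with PowerShell 5.1 or later, and `DOMAIN\rob` is a placeholder account name.

```powershell
# Added example (not from the thread). Run elevated on the member server.
# Assumptions: PowerShell 5.1+ (Get-LocalGroupMember); 'DOMAIN\rob' is a
# placeholder for the account being checked.
$account = 'DOMAIN\rob'

# 1. This machine's own local "Remote Desktop Users" group, the list shown
#    under "Select Remote Users". It is a separate group from the domain's
#    BuiltIn "Remote Desktop Users" group that appears in ADUC.
$members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object -ExpandProperty Name)

# 2. Holders of the "Allow log on through Terminal Services" user right
#    (SeRemoteInteractiveLogonRight) in the effective local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg |
    Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' } |
    Select-Object -First 1
Remove-Item $cfg

$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')
        if ($entry -like 'S-1-*') {
            # secedit writes most principals as SIDs; show a name where one resolves
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry)
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    })
}

# Direct membership only: an account that is in the local group through a
# nested domain group shows up as that group's name in LocalRdpUsersMembers.
[pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    Account                = $account
    InLocalRdpUsersGroup   = $members -contains $account
    LocalRdpUsersMembers   = $members -join '; '
    RemoteLogonRightHeldBy = $holders -join '; '
}
```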