agruber85

Access Remote Desktop through Cisco VPN

Here is the deal. In our network, we are using a Cisco 2610-DC border router, which is then routed through a Cisco PIX 515E firewall which then goes on to the rest of our network. Before I began working here, the firewall and such was set up so that it allowed access via the Cisco VPN client. VPN has worked fine since then, but an issue has been raised currently that users need to be able to access remote desktop once they are connected via VPN. But, when trying to do so, users are receiving the message that they do not have the "Allow Log in through Terminal Services" right. I went into AD and went to the user in question and went to their properties and under the Terminal Services Profile tab, and the only checkbox was to "Deny this user permissions to log on to any Terminal Server", which was not checked. I have added the users to the Remote Users group within Active Directory, but still no dice... I was not sure if this was a setting that needed to be adjusted with the firewall, or if it was a setting within Active Directory that needed to be fixed, so that is why this question is under both groups. I am still learning about VPN, so please be pretty conscious of that in your explanation, but any help would be greatly appreciated!!!
Neale Williams

You probably need to give the Remote Users Group permissions to log on to the computer they are trying to access remotely. This issue is to do with permissions; I don't think it is related to the VPN.
agruber85

ASKER

How would I go about doing this? Would I have to make the server a 'member' of the remote desktop user group?
Also, after going into AD, under Computers, and going to a certain computer's properties, under the Dial-In tab, there is an option for Remote Access Permission. Currently it is selected to comply with the Remote Access Policy.
First, where can I edit this policy? And second, if I just change this setting to Allow Access, would that fix my problem?
The policies and group to which you are referring are designed for use with either RAS (VPN directly to a windows server) or IAS (Microsoft's Radius implementation for authentication).

You need to go to the PCs in question (or create a policy) and add either each user or a group of which those users are members to the "Remote Desktop Users" group on the local machine (that's why it's easier to do it with a policy).

We have ours set so that in Computer Config, Windows Settings, Restricted Groups you add a group called "Remote Desktop Users", then add members to it such as either each user or a group you have created for this purpose. Then apply the policy to the OU that you need the PCs to be in.

Otherwise there is a built in group called "Remote Desktop Users" on the domain but adding people to that makes them RDP users for the ENTIRE domain unless you then restrict them. It's much quicker and easier than a policy but much broader as well. Either will work though.
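
One way to confirm that the policy described above actually populated the local "Remote Desktop Users" group on each target machine, and that nothing unexpected is in it (an added example, not part of the original thread; the server names and the `EXAMPLE\VPN-RDP-Users` group are hypothetical placeholders):

```powershell
# Added example. Server names and the group name are hypothetical placeholders.
$Servers  = 'SRV2003-EXAMPLE', 'SRV2008-EXAMPLE'
$Expected = 'EXAMPLE\VPN-RDP-Users'   # domain group delivered through Restricted Groups

function Get-LocalRdpMember {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    # The WinNT ADSI provider reads the machine-local group, not the domain one.
    $group = [ADSI]"WinNT://$ComputerName/Remote Desktop Users,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # WinNT://EXAMPLE/VPN-RDP-Users -> EXAMPLE\VPN-RDP-Users
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

foreach ($server in $Servers) {
    try {
        $members = @(Get-LocalRdpMember -ComputerName $server)
        # Entries other than the expected group are worth reviewing for least privilege.
        $extra = @($members | Where-Object { $_ -ne $Expected })
        New-Object PSObject -Property @{
            Computer        = $server
            ExpectedPresent = ($members -contains $Expected)
            OtherMembers    = $extra -join '; '
        }
    } catch {
        Write-Warning "$server : could not read the local group ($($_.Exception.Message))"
    }
}
```

The check looks at direct entries only; users who get access through a nested group are not expanded.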
Well, I had actually already added the users to the builtin Remote Desktop Users group and when they again tried to use remote desktop while connecting via VPN, it again failed with the same message. Is there some other setting that needs to be changed to allow VPN users to access these computers through remote desktop?
What operating system are you trying to connect to?
You probably also need to go to the system properties \ remote and allow remote connections.
Server 2003 and Server 2008. Both of the servers are configured to allow remote users in general already. I just went to each computer and found the tabs that allow an admin to add specific users to the list of people that are allowed remote access. Since the users in question are not administrators, all that I have to do is to add them to this list, and they should be able to connect right? hehe, it seems like that was a pretty easy fix and it was exactly what btassure was telling me to do...?
ASKER CERTIFIED SOLUTION
Neale Williams
This solution is only available to members.