<div>
Did you set:<br />
Computer Configuration &gt;&nbsp;Windows Settings &gt;&nbsp;Security Settings &gt;&nbsp;Restricted Groups &gt;&nbsp;Builtin\Remote Desktop Users?<br />
<br />
And apply the GPO object in scope &gt;&nbsp;security filtering to a AD security group for the Server (SG-TS01-SERVER) AND to a security group for the Users (SG-TS01USERS)<br />

</div>


<div>
Try this.<br />
<br />
Logon on first 2008 server.<br />
In server manager click on :<br />
Configuration-&gt;Local Users and Groups-&gt;Groups<br />
On Remote Desktop User and click Properties. Add user or group that you want.<br />
<br />
Now please login on the second 2008 server and do the same operations.
</div>


<div>
MinoDC: There isn't a Local Users &amp;&nbsp;Groups ... presumably because the server is a DC
</div>


<div>
RoelvanDijnen: A couple of questions for you ...<br />
1) The Restricted Groups container is currently empty in my policy object ... do I add remote desktop users into this empty container?<br />
2) I am not completly sure about your instructions for linking this policy object. Do I still link it to the Domain Controllers OU, and what filtering should I be using, is that the computer object and the user group object with access to this server?<br />
Thanks,<br />
Richard
</div>


<div>
I use the 2008 GPO editor, so it may be a litle different.<br />
But yes, I right click in de empty space, click &quot;add&quot; and browse for the Remote Desktop Users.<br />
Then I select the mebers of the group in the same way..<br />
<br />
Second: <br />
Create three security groups for the servers (DC01SERVER, TS01SERVER, TS02SERVER) AND three groups for the users (DC01USER, TS01USER, TS02USER). &nbsp;<br />
Then create three GPO objects and link them al to the DC OU, but with different Security groups filtering.<br />
Make sure there is no inherrited GPO interfering of course :)
</div>


<div>
Following the general cconsensus, I have demoted one of the servers to a member server.<br />
<br />
Now I cannot log on remotely at all! The staff at the data centre have logged on locally and confirmed that the administrator is in the remote access permissions group, but when I log on as the administrator remotely, it says the user doesn't have permissions. Any ideas?<br />
<br />
My colleague is heading over to the data centre now<br />
<br />
Richard
</div>


<div>
On server where you are having the issue, do following.<br />
See to it RDP is enabled on the server with issue,just confirm again.<br />
<br />
Take a registry backup on the desktop &amp;&nbsp; Delete the following keys &nbsp; <br />
<br />
Start Registry Editor.<br />
Locate and then click the &nbsp;following registry &nbsp;subkey:<br />
HKEY_LOCAL_MACHINE\System\<wbr />CurrentCon<wbr />trolSet\Se<wbr />rvices\Ter<wbr />mService\P<wbr />arameters<br />
Under &nbsp;this registry subkey, delete the following values: <br />
Certificate<br />
X509 &nbsp;Certificate<br />
X509 Certificate ID<br />
<br />
Quit Registry Editor, and then restart the &nbsp;server &nbsp; <br />
Try taking RDP &amp;&nbsp;if still it doesn't connect do the below.<br />
<br />
Click Start, click Run, type regedit, and then &nbsp;click OK &nbsp; Locate and click the following subkey on the &nbsp;left: &nbsp; <br />
<br />
HKLM\SYSTEM\CurrentControl<wbr />Set\Contro<wbr />l\Terminal<wbr /> &nbsp;Server\WinStations\RDP-Tcp<wbr /> &nbsp; &nbsp;<br />
<br />
On the right, &nbsp;locate and right-click on the &nbsp;value named Security,<br />
choose Rename, type Security.backup, and &nbsp;then press Enter. &nbsp; <br />
<br />
Reboot the server as i had issue once did same got it working.<br />

</div>


<div>
Also check if Remote Access has been enabled on the server. Then check if access was blocked by firewall (Windows firewall or vendor's). For your reference RDP use port 3389 so if you can't find anything relevent open this port on the server firewall.
</div>


<div>
Turned out to be an IPv6 DNS error!
</div>


<div>
<div class="content wysiwyg-content">
Hi,<br />
<br />
I have a network with three servers, as follows:<br />
<br />
1x Windows SBS 2003, primary domain controller<br />
2x Windows 2008 Servers, domian controllers and terminal services servers<br />
<br />
The SBS 2003 box should only accept terminal services sessions from administrators, whilst each of the two 2008 boxes shoud accept TS connections from a different group of users. (That is a different group of users for each 2008 box.)<br />
<br />
Initially I went into computer/properties on each 2008 box and tried to set the users who could log into terminal services from there, but I noticed that changing this on one, changed it on both.<br />
<br />
I then tried setting the remote access permissions to administrators only and created a group policy object for each 2008 box, and in each object setting the &quot;allow logon through terminal services&quot; to the appropriate group. I linked both of these policy objects to the domain controllers OU and then filtered each one to the appropriate computer. This did not appear to allow anyone but administrators in.<br />
<br />
How do I acheive what I need?
</div>
</div>


Hi,

I have a network with three servers, as follows:

1x Windows SBS 2003, primary domain controller
2x Windows 2008 Servers, domian controllers and terminal services servers

The SBS 2003 box should only accept terminal services sessions from administrators, whilst each of the two 2008 boxes shoud accept TS connections from a different group of users. (That is a different group of users for each 2008 box.)

Initially I went into computer/properties on each 2008 box and tried to set the users who could log into terminal services from there, but I noticed that changing this on one, changed it on both.

I then tried setting the remote access permissions to administrators only and created a group policy object for each 2008 box, and in each object setting the "allow logon through terminal services" to the appropriate group. I linked both of these policy objects to the domain controllers OU and then filtered each one to the appropriate computer. This did not appear to allow anyone but administrators in.

How do I acheive what I need?

Different access permissions for two terminal servers

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Windows Server 2008 and Windows Server 2008 R2, based on the Microsoft Vista codebase, is the last 32-bit server operating system released by Microsoft. It has a number of versions, including including Foundation, Standard, Enterprise, Datacenter, Web, HPC Server, Itanium and Storage; new features included server core installation and Hyper-V.

Windows Server 2008

Small Business Server (SBS) is a line of server operating systems targeted at small businesses by bundling the operating system with a number of other Microsoft products that would normally need to be purchased or licensed separately. The most notable inclusions are Exchange, SQL Server, SharePoint and ISA/TMG (Microsoft's firewall and proxy server).