Solved

Remote Desktop Services in SBS2011 Environment: GPO Issues

Posted on 2011-03-18
Last Modified: 2012-05-11
Hi,
Sorry for the long post but I am trying to give as much information as possible without writing a novel!

Environment
I have an SBS2011 Std server and a Win2008R2 server.  R2 is joined to the domain and is in the SBSServers OU.  SBS is (obviously) in the Domain Controllers OU.  R2 is set for Remote Desktop Services with RD Session Host and Licensing roles installed and activated.  There are 29 User CALs installed.  This is my first RDS deployment.  All previous TS deployments are still in 2003 environments.

Scenario
This is an environment that will have Staff, Students and Support Staff.  The students will be using XP as Dumb Terminals and will use RDS for all activities.  The staff will have fat terminals (XP/Vista and 7) and will also be able to use RDS from home.  The same goes for Support Staff although they will be more restricted in what they are able to do remotely.  I have set up three Security Groups as follows: Students = Students, Staff = StaffRDS, Support Staff = RDS Users. I have created three GPs in the SBSServers OU.  Common to all GPs is Group Policy processing mode is set to Replace.  All three groups are in the Remote Desktop Users security group under ADUC\Builtin.  At the moment the RDS Users can log in but the Students and StaffRDS receive "The requested session access is denied".

Question
1. I know this sounds like a dumb question but can you apply three different GPs to one OU? (I have always been taught YES.)
2. If you can, then is there something that I am missing to enable the Students and Staff groups to be able to process their GPs?
3. Is there anything else I need to be aware of/set up?
0
Question by:jimcrint
 
LVL 4

Expert Comment

by:rjpilcher
ID: 35169639
1. Yes
2. Computer Configuration>Policies>Administrative Templates>System/Group Policy

Enable User Group Policy loopback processing mode.

Also, make sure you're applying/denying the permissions of the GPO to the right groups

If you want a sample GPO for a fairly locked down TS I can give that to you.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 35169922
Are Student and Staff Groups part of the remote desktop user group? In other words, did you allow access for them on the RDServer?
Hope that helps,
Olaf
0
 
LVL 1

Author Comment

by:jimcrint
ID: 35170085
rjpilcher
1. Thanks for confirming what I thought was true.
2. I have already enabled this in all three GPs to Replace.
3. In the Delegation Tab I have the Security for the respective GP set as Read.  Do I also need to Deny in each GP the groups that it does not apply to, e.g. Students = Read, RDSUsers and StaffRDS set to Deny in the Advanced Page for "Apply group policy" for the GP that I want to apply to the Students?

Re: a sample GPO.  Yes Please!

Olaf
Yes.  All three groups are a part of the Builtin "Remote Desktop Users" security group.
0
 
LVL 4

Expert Comment

by:rjpilcher
ID: 35170135
So you have both Read and Apply set for the respective groups?

Typically in my TS deployments I create a separate OU for the TS and block inheritance, then link the GPOs to that OU.  With you only having 2 servers, it should be fine the way you are doing it.

Also, you've tested from the same machine for all 3 users?  There is a console option or 'connect as admin' option in RDP clients that can cause this error.  

 Terminal-Services-Policy.docx
0
 
LVL 1

Author Comment

by:jimcrint
ID: 35170468
Yes, I have used the one machine to test all three profiles.

I did not have the Apply permission for any of the groups so changed that but there has been no change to the results.  

I have saved the settings report of the three GPs in the attached zip file if you would be willing to look at them. EE.zip
0
 
LVL 1

Accepted Solution

by:
jimcrint earned 0 total points
ID: 35184308
OK, found that the problem was that the groups have to be added to the RDS Server local group "Remote Desktop Users".
0
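The fix in the accepted solution, as an added example that is not part of the original thread: on a member server, RDP logon is granted by the server's own local "Remote Desktop Users" group, while the group of the same name under ADUC\Builtin governs the domain controllers. The script below audits that local group on the RD Session Host and, with `-Apply`, adds the three groups from the question; `CONTOSO` is a placeholder domain name and the parameter names are illustrative.

```powershell
# Added example: audit (and optionally fix) the LOCAL "Remote Desktop Users"
# group on the RD Session Host. Run elevated on the session host itself.
# Assumptions: CONTOSO is a placeholder NetBIOS domain name; the group names
# are the three security groups named in the question.
param(
    [string]   $Domain = 'CONTOSO',
    [string[]] $Groups = @('Students', 'StaffRDS', 'RDS Users'),
    [switch]   $Apply      # without -Apply the script only reports
)

# The WinNT ADSI provider works on PowerShell 2.0 (Server 2008 R2),
# where the Get-LocalGroupMember cmdlet is not available.
$local = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"

# Current members as ADsPath strings, e.g. WinNT://CONTOSO/Students
$members = @($local.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})

foreach ($name in $Groups) {
    $path = "WinNT://$Domain/$name"
    if ($members -contains $path) {
        "{0}\{1}: already a member" -f $Domain, $name
    }
    elseif ($Apply) {
        $local.Add($path)
        "{0}\{1}: added" -f $Domain, $name
    }
    else {
        "{0}\{1}: MISSING (RDP logon will be refused)" -f $Domain, $name
    }
}

# Least-privilege review: list every member that is not one of the intended
# groups, so broad entries such as Domain Users are noticed.
$expected = $Groups | ForEach-Object { "WinNT://$Domain/$_" }
$members | Where-Object { $expected -notcontains $_ } | ForEach-Object {
    "Review: unexpected member $_"
}
```

Run it first without `-Apply` to see which groups are missing and which existing members fall outside the intended three.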
 
LVL 1

Author Closing Comment

by:jimcrint
ID: 35221290
Still got some issues but have opened a new question here http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/Q_26901776.html
0


Question has a verified solution.
