?
Solved

Remote Desktop Services in SBS2011 Environment: GPO Issues

Posted on 2011-03-18
7
Medium Priority
?
1,241 Views
Last Modified: 2012-05-11
Hi,
Sorry for the long post but I am trying to give as much infornmation as possible without writing a novel!

Environment
I have an SBS2011 Std server and a Win2008R2 server.  R2 is joined to the domain and is the SBSServers OU.  SBS is (obviously) in the Domain Controllers OU.  R2 is set for Remote Desktop Services with RD Session Host and Licensing roles installed and activated.  There are 29 User CAL's installed.  This is my first RDS deployment.  All previous TS deployments are still in 2003 environments.

Scenario
This is a environment that will have Staff, Students and Support Staff.  The students will be using XP as Dumb Terminals and will use RDS for all activities.  The staff will have fat terminals (XP/Vista and 7) and will also be able to use RDS from home.  The same goes for Support Staff although they will be more restricted in what they are able to do remotely.  I have set up three Security Groups as follows: Students = Students, Staff = StaffRDS, Support Staff = RDS Users. I have created three GP's in the SBSServers OU.  Common to all GP's is Group Policy processing mode is set to Replace.  All three groups are in the Remote Destop Users security group under ADUC\Builtin.  At the moment the RDS Users can log in but the Students and StaffRDS receive "The requested session access is denied".

Question
1. I know this sounds like a dumb question but can you apply three different GP's to one OU (I have always been taught YES).
2. If you can, then is there something that I am missing to enable the Students and Staff groups to be able to process their GP's?
3. Is there anything else I need to be aware of/set up?
0
Comment
Question by:jimcrint
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 4

Expert Comment

by:rjpilcher
ID: 35169639
1. Yes
2. Computer Configuration>Policies>Administrative Templates>System/Group Policy

Enable User Group Policy loopback processing mode.

Also, make sure you're applying/denying the permissions of the GPO to the right groups

If you want a sample GPO for a fairly locked down TS I can give that to you.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 35169922
Are Sudent and Staff Groups part of the remote desktop user group. In other words did you allow access for them on the RDServer?
Hope that helps,
Olaf
0
 
LVL 1

Author Comment

by:jimcrint
ID: 35170085
rjpilcher
1. Thanks for confirming what I thought was true.
2. I have already enabled this in all three GP's to Replace.
3. In the Delegation Tab I have the Security for the respective GP set as Read.  Do I also need to Deny in each GP the groups that it does not apply to e.g. Students = Read RDSUsers and StaffRDS set to Deny in the Advanced Page for "Apply group policy" for the GP that I want to apply to th eStudents?

Re: a sample GPO.  Yes Please!

Olaf
Yes.  All three groups are a part of the Builtin "Remote Desktop Users" security group.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 4

Expert Comment

by:rjpilcher
ID: 35170135
So you have both Read and Apply set for the respective groups?

Typically in my TS deployments I create a separate OU for the TS and block inheritance, then link the GPOs to that OU.  With you only having 2 servers, it should be fine the way you are doing it.

Also, you've tested from the same machine for all 3 users?  There is a console option or 'connect as admin' option in RDP clients that can cause this error.  

 Terminal-Services-Policy.docx
0
 
LVL 1

Author Comment

by:jimcrint
ID: 35170468
Yes, I have used the one machine to test all three profiles.

I did not have the Apply permission for any of the groups so changed that but there has been no change to the results.  

I have saved the settings report of the three GP's in the attached zip file if you would be willing to look at them. EE.zip
0
 
LVL 1

Accepted Solution

by:
jimcrint earned 0 total points
ID: 35184308
OK, found that the problem was that the groups have to be added to the RDS Server local group "Remote Desktop Users".
0
 
LVL 1

Author Closing Comment

by:jimcrint
ID: 35221290
Still got some issues but have opened a new question here http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/Q_26901776.html
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Suggested Courses

766 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question