Solved

Remote Desktop Services in SBS2011 Environment: GPO Issues

Posted on 2011-03-18
7
1,236 Views
Last Modified: 2012-05-11
Hi,
Sorry for the long post but I am trying to give as much infornmation as possible without writing a novel!

Environment
I have an SBS2011 Std server and a Win2008R2 server.  R2 is joined to the domain and is the SBSServers OU.  SBS is (obviously) in the Domain Controllers OU.  R2 is set for Remote Desktop Services with RD Session Host and Licensing roles installed and activated.  There are 29 User CAL's installed.  This is my first RDS deployment.  All previous TS deployments are still in 2003 environments.

Scenario
This is a environment that will have Staff, Students and Support Staff.  The students will be using XP as Dumb Terminals and will use RDS for all activities.  The staff will have fat terminals (XP/Vista and 7) and will also be able to use RDS from home.  The same goes for Support Staff although they will be more restricted in what they are able to do remotely.  I have set up three Security Groups as follows: Students = Students, Staff = StaffRDS, Support Staff = RDS Users. I have created three GP's in the SBSServers OU.  Common to all GP's is Group Policy processing mode is set to Replace.  All three groups are in the Remote Destop Users security group under ADUC\Builtin.  At the moment the RDS Users can log in but the Students and StaffRDS receive "The requested session access is denied".

Question
1. I know this sounds like a dumb question but can you apply three different GP's to one OU (I have always been taught YES).
2. If you can, then is there something that I am missing to enable the Students and Staff groups to be able to process their GP's?
3. Is there anything else I need to be aware of/set up?
0
Comment
Question by:jimcrint
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 4

Expert Comment

by:rjpilcher
ID: 35169639
1. Yes
2. Computer Configuration>Policies>Administrative Templates>System/Group Policy

Enable User Group Policy loopback processing mode.

Also, make sure you're applying/denying the permissions of the GPO to the right groups

If you want a sample GPO for a fairly locked down TS I can give that to you.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 35169922
Are Sudent and Staff Groups part of the remote desktop user group. In other words did you allow access for them on the RDServer?
Hope that helps,
Olaf
0
 
LVL 1

Author Comment

by:jimcrint
ID: 35170085
rjpilcher
1. Thanks for confirming what I thought was true.
2. I have already enabled this in all three GP's to Replace.
3. In the Delegation Tab I have the Security for the respective GP set as Read.  Do I also need to Deny in each GP the groups that it does not apply to e.g. Students = Read RDSUsers and StaffRDS set to Deny in the Advanced Page for "Apply group policy" for the GP that I want to apply to th eStudents?

Re: a sample GPO.  Yes Please!

Olaf
Yes.  All three groups are a part of the Builtin "Remote Desktop Users" security group.
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 4

Expert Comment

by:rjpilcher
ID: 35170135
So you have both Read and Apply set for the respective groups?

Typically in my TS deployments I create a separate OU for the TS and block inheritance, then link the GPOs to that OU.  With you only having 2 servers, it should be fine the way you are doing it.

Also, you've tested from the same machine for all 3 users?  There is a console option or 'connect as admin' option in RDP clients that can cause this error.  

 Terminal-Services-Policy.docx
0
 
LVL 1

Author Comment

by:jimcrint
ID: 35170468
Yes, I have used the one machine to test all three profiles.

I did not have the Apply permission for any of the groups so changed that but there has been no change to the results.  

I have saved the settings report of the three GP's in the attached zip file if you would be willing to look at them. EE.zip
0
 
LVL 1

Accepted Solution

by:
jimcrint earned 0 total points
ID: 35184308
OK, found that the problem was that the groups have to be added to the RDS Server local group "Remote Desktop Users".
0
 
LVL 1

Author Closing Comment

by:jimcrint
ID: 35221290
Still got some issues but have opened a new question here http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/Q_26901776.html
0

Featured Post

ScreenConnect 6.0 Free Trial

Want empowering updates? You're in the right place! Discover new features in ScreenConnect 6.0, based on partner feedback, to keep you business operating smoothly and optimally (the way it should be). Explore all of the extras and enhancements for yourself!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

At the beginning of the year, the IT world was taken hostage by the shareholders of LogMeIn. Their free product, which had been free for ten years, all of the sudden became a "pay" product. Now, I am the first person who will say that software maker…
Let’s list some of the technologies that enable smooth teleworking. 
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question