Solved

Remote Desktop Services in SBS2011 Environment: GPO Issues

Posted on 2011-03-18
7
1,231 Views
Last Modified: 2012-05-11
Hi,
Sorry for the long post but I am trying to give as much infornmation as possible without writing a novel!

Environment
I have an SBS2011 Std server and a Win2008R2 server.  R2 is joined to the domain and is the SBSServers OU.  SBS is (obviously) in the Domain Controllers OU.  R2 is set for Remote Desktop Services with RD Session Host and Licensing roles installed and activated.  There are 29 User CAL's installed.  This is my first RDS deployment.  All previous TS deployments are still in 2003 environments.

Scenario
This is a environment that will have Staff, Students and Support Staff.  The students will be using XP as Dumb Terminals and will use RDS for all activities.  The staff will have fat terminals (XP/Vista and 7) and will also be able to use RDS from home.  The same goes for Support Staff although they will be more restricted in what they are able to do remotely.  I have set up three Security Groups as follows: Students = Students, Staff = StaffRDS, Support Staff = RDS Users. I have created three GP's in the SBSServers OU.  Common to all GP's is Group Policy processing mode is set to Replace.  All three groups are in the Remote Destop Users security group under ADUC\Builtin.  At the moment the RDS Users can log in but the Students and StaffRDS receive "The requested session access is denied".

Question
1. I know this sounds like a dumb question but can you apply three different GP's to one OU (I have always been taught YES).
2. If you can, then is there something that I am missing to enable the Students and Staff groups to be able to process their GP's?
3. Is there anything else I need to be aware of/set up?
0
Comment
Question by:jimcrint
  • 4
  • 2
7 Comments
 
LVL 4

Expert Comment

by:rjpilcher
ID: 35169639
1. Yes
2. Computer Configuration>Policies>Administrative Templates>System/Group Policy

Enable User Group Policy loopback processing mode.

Also, make sure you're applying/denying the permissions of the GPO to the right groups

If you want a sample GPO for a fairly locked down TS I can give that to you.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 35169922
Are Sudent and Staff Groups part of the remote desktop user group. In other words did you allow access for them on the RDServer?
Hope that helps,
Olaf
0
 
LVL 1

Author Comment

by:jimcrint
ID: 35170085
rjpilcher
1. Thanks for confirming what I thought was true.
2. I have already enabled this in all three GP's to Replace.
3. In the Delegation Tab I have the Security for the respective GP set as Read.  Do I also need to Deny in each GP the groups that it does not apply to e.g. Students = Read RDSUsers and StaffRDS set to Deny in the Advanced Page for "Apply group policy" for the GP that I want to apply to th eStudents?

Re: a sample GPO.  Yes Please!

Olaf
Yes.  All three groups are a part of the Builtin "Remote Desktop Users" security group.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 4

Expert Comment

by:rjpilcher
ID: 35170135
So you have both Read and Apply set for the respective groups?

Typically in my TS deployments I create a separate OU for the TS and block inheritance, then link the GPOs to that OU.  With you only having 2 servers, it should be fine the way you are doing it.

Also, you've tested from the same machine for all 3 users?  There is a console option or 'connect as admin' option in RDP clients that can cause this error.  

 Terminal-Services-Policy.docx
0
 
LVL 1

Author Comment

by:jimcrint
ID: 35170468
Yes, I have used the one machine to test all three profiles.

I did not have the Apply permission for any of the groups so changed that but there has been no change to the results.  

I have saved the settings report of the three GP's in the attached zip file if you would be willing to look at them. EE.zip
0
 
LVL 1

Accepted Solution

by:
jimcrint earned 0 total points
ID: 35184308
OK, found that the problem was that the groups have to be added to the RDS Server local group "Remote Desktop Users".
0
 
LVL 1

Author Closing Comment

by:jimcrint
ID: 35221290
Still got some issues but have opened a new question here http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/Q_26901776.html
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I work for a company that primarily works with small businesses as their outsourced IT vendor. As such the majority of these customers utilize some version of Small Business Server. Due to the economics of running a small business, many of these cus…
Local Printing Using Remote Desktop Windows 7 sometimes has issues with printing to a local printer using a Remote Desktop Connection (RDC). The 1st step is to verify that printers are checked on the Local Resources tab of the Remote Desktop C…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now