Solved

Remote Desktop Services in SBS2011 Environment: GPO Issues

Posted on 2011-03-18
7
1,237 Views
Last Modified: 2012-05-11
Hi,
Sorry for the long post but I am trying to give as much infornmation as possible without writing a novel!

Environment
I have an SBS2011 Std server and a Win2008R2 server.  R2 is joined to the domain and is the SBSServers OU.  SBS is (obviously) in the Domain Controllers OU.  R2 is set for Remote Desktop Services with RD Session Host and Licensing roles installed and activated.  There are 29 User CAL's installed.  This is my first RDS deployment.  All previous TS deployments are still in 2003 environments.

Scenario
This is a environment that will have Staff, Students and Support Staff.  The students will be using XP as Dumb Terminals and will use RDS for all activities.  The staff will have fat terminals (XP/Vista and 7) and will also be able to use RDS from home.  The same goes for Support Staff although they will be more restricted in what they are able to do remotely.  I have set up three Security Groups as follows: Students = Students, Staff = StaffRDS, Support Staff = RDS Users. I have created three GP's in the SBSServers OU.  Common to all GP's is Group Policy processing mode is set to Replace.  All three groups are in the Remote Destop Users security group under ADUC\Builtin.  At the moment the RDS Users can log in but the Students and StaffRDS receive "The requested session access is denied".

Question
1. I know this sounds like a dumb question but can you apply three different GP's to one OU (I have always been taught YES).
2. If you can, then is there something that I am missing to enable the Students and Staff groups to be able to process their GP's?
3. Is there anything else I need to be aware of/set up?
0
Comment
Question by:jimcrint
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 4

Expert Comment

by:rjpilcher
ID: 35169639
1. Yes
2. Computer Configuration>Policies>Administrative Templates>System/Group Policy

Enable User Group Policy loopback processing mode.

Also, make sure you're applying/denying the permissions of the GPO to the right groups

If you want a sample GPO for a fairly locked down TS I can give that to you.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 35169922
Are Sudent and Staff Groups part of the remote desktop user group. In other words did you allow access for them on the RDServer?
Hope that helps,
Olaf
0
 
LVL 1

Author Comment

by:jimcrint
ID: 35170085
rjpilcher
1. Thanks for confirming what I thought was true.
2. I have already enabled this in all three GP's to Replace.
3. In the Delegation Tab I have the Security for the respective GP set as Read.  Do I also need to Deny in each GP the groups that it does not apply to e.g. Students = Read RDSUsers and StaffRDS set to Deny in the Advanced Page for "Apply group policy" for the GP that I want to apply to th eStudents?

Re: a sample GPO.  Yes Please!

Olaf
Yes.  All three groups are a part of the Builtin "Remote Desktop Users" security group.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 4

Expert Comment

by:rjpilcher
ID: 35170135
So you have both Read and Apply set for the respective groups?

Typically in my TS deployments I create a separate OU for the TS and block inheritance, then link the GPOs to that OU.  With you only having 2 servers, it should be fine the way you are doing it.

Also, you've tested from the same machine for all 3 users?  There is a console option or 'connect as admin' option in RDP clients that can cause this error.  

 Terminal-Services-Policy.docx
0
 
LVL 1

Author Comment

by:jimcrint
ID: 35170468
Yes, I have used the one machine to test all three profiles.

I did not have the Apply permission for any of the groups so changed that but there has been no change to the results.  

I have saved the settings report of the three GP's in the attached zip file if you would be willing to look at them. EE.zip
0
 
LVL 1

Accepted Solution

by:
jimcrint earned 0 total points
ID: 35184308
OK, found that the problem was that the groups have to be added to the RDS Server local group "Remote Desktop Users".
0
 
LVL 1

Author Closing Comment

by:jimcrint
ID: 35221290
Still got some issues but have opened a new question here http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/Q_26901776.html
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question