Solved

Cannot add Domain Group to local Remote Desktop Users group

Posted on 2011-03-18
Last Modified: 2012-05-11
We have an issue where we cannot add any domain groups to the local Remote Desktop Users group on our Server 2008 R2 Enterprise remote desktop server.

I had created a new group in AD called RemoteConnect and put the Domain Admins group in this security group.

I then tried adding this group to the Remote Desktop Users and an error comes up saying "RemoteConnect already a part of the Remote Desktop Users group."

When I try to add the domain users or domain admins group directly into the Remote Desktop Users group it comes up with the same thing: "Domain Admins group already a part of the Remote Desktop Users group."

It is not - the only group in the Remote Desktop Users group is the local administrator.

From my experience it seems as though the groups are not being truly recognized by the Terminal Server machine, as when the group is added to the RSU group it is followed by a group of numbers, i.e. [domain]\Domain Users (S-1-5-21-3964760088-388....).

I am saying this because recently we changed the NetBIOS name of our domain from hairylemon0 to hairylemon, although this was done BEFORE this new terminal server was connected to the domain.

I have also tried adding the group directly into TS_CAP_01. When I try to add the RemoteConnect group or the Domain Admins group it doesn't even show up in the list. When I try to add the domain users group it comes up in the list as "[servername]\None".

I have added the RemoteConnect group to the "Local Policies -> User Rights Assignments -> Allow Logon through remote desktop services" policy - this has not allowed the Domain Admins to log on.

Any help would be appreciated.
Question by:lemonville

Accepted Solution

by: rjpilcher earned 500 total points
Domain Admins are granted this right by default.

Have a look at this:

How to add a domain group to the Remote Desktop Users group by using Group Policy

1. Open the Group Policy Management Console (GPMC). To do this, click Start, click Run, type GPMC.msc, and then press ENTER.
2. Create and link a GPO that is named Restricted Groups to the terminal server organizational unit (OU).
3. Right-click the Restricted Groups GPO that is linked to the terminal server OU, and then click Edit.
4. Configure the Restricted Groups setting in the following location in Group Policy Object Editor:
   Computer Configuration\Windows Settings\Security Settings\Restricted Groups\
5. Right-click Restricted Groups, and then click Add Group.
6. Click Browse, click Locations, select the locations that you want to browse, and then click OK.
7. Type Remote Desktop Users in the Enter the object names to select box, and then click Check Names. Or, click Advanced, and then click Find Now to list all available groups.
8. Click the Remote Desktop Users group, and then click OK.
9. In the Add Groups dialog box, click OK to close it. The Remote Desktop Users Properties dialog box opens.
10. In the Members of this group section, click Add.
11. Click Browse.
12. In the Select Users or Groups dialog box, type the name of the domain group.
13. Click Check Names, and then click OK to close the dialog box.
14. Click OK to close the dialog box and to finish adding the domain group to the Remote Desktop Users group.
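
To confirm on the terminal server that the Restricted Groups policy above has applied, the following added example (not part of the original answer or the procedure it quotes) lists the local Remote Desktop Users membership by SID and checks for the expected domain group. The default `hairylemon\RemoteConnect` is taken from the question; the script uses only the WinNT ADSI provider so that it runs on PowerShell 2.0, and is meant to be run after `gpupdate /force`.

```powershell
# Added example (not from the original thread). Audits the local
# Remote Desktop Users group; written for PowerShell 2.0 on Server 2008 R2.
param(
    # Domain and group names as given in the question above.
    [string]$ExpectedGroup = 'hairylemon\RemoteConnect'
)

# Bind by the well-known SID S-1-5-32-555 (BUILTIN\Remote Desktop Users)
# instead of relying on the group's display name.
$rduSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-555'
$rduName = $rduSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/$rduName,group"

# Read each member's raw SID, then try to resolve it to a name. A SID that
# does not resolve is reported instead of stopping the script.
$members = @(foreach ($m in $group.psbase.Invoke('Members')) {
    $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolved SID>'
    }
    New-Object PSObject -Property @{ Name = $name; Sid = $sid.Value }
})

$members | Sort-Object Name | Format-Table Name, Sid -AutoSize

# Compare by SID, not by name, so a name-resolution problem cannot hide
# or fake a membership.
try {
    $expectedSid = (New-Object System.Security.Principal.NTAccount $ExpectedGroup).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    Write-Warning "Cannot resolve '$ExpectedGroup' to a SID from this server."
    return
}

if (@($members | Where-Object { $_.Sid -eq $expectedSid }).Count -gt 0) {
    Write-Output "$ExpectedGroup ($expectedSid) is a member of '$rduName'."
} else {
    Write-Warning "$ExpectedGroup ($expectedSid) is NOT a member of '$rduName'."
}
```

The "Members of this group" list in a Restricted Groups setting replaces the local membership when the policy applies, so any member shown here that is not listed in the GPO will be removed at the next refresh.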

Author Comment

by:lemonville
Thanks rjpilcher, I think that's done the trick.