remote desktop not working for domain users

I just recently deployed a win 2008 DC and a member server.  On the member server only local user accounts can remote desktop into it.  On my domain controller domain members can remote desktop into it... Now, why can't domain users remote desktop into the member server?
gopher_49 Asked:

Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
It's a group policy issue. Go to Group Policy Management, then Default Domain Policy -> browse to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> User Rights Assignment.
Then in the right pane find Allow log on through Terminal Services and double-click it, tick Define these policy settings -> add the users who want to log in; if it is anyone, just choose Everyone.

Exit, then go to cmd and type: gpupdate /force

and try letting the user log in through RDP

good luck
0
footech Commented:
Check what groups are set in the local or group policy Security Settings | Local Policies | User Rights Assignment | Allow log on through Remote Desktop Services.  For local, by default, only Administrators are included in this setting on domain controllers.  On member servers, it should be Administrators and Remote Desktop Users.  Then just check the membership of these groups on the member server to see what you can track down.
0
gopher_49 (Author) Commented:
The default domain policy's link was enabled but policy not enforced.  I defined the policy you mentioned to all domain users.  I also did a gpupdate /force.  This still didn't work.  That policy by default is disabled as I understand...

footech,

I only see a local policy.  The policy you mentioned is set to none and it won't let me change it.  I'm thinking this is due to it being a member server of a domain?

0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
Just a silly workaround: try stopping the firewall and let the users connect.
I am afraid that Windows Firewall is stopping traffic for RDP
also for domain users, if it's not updated, possibly because it has static IPs. However, I am sorry for these silly workarounds, but wallah (wallah in Arabic means "I swear to God"), I am doing my best to help you with this crazy issue.
0
gopher_49 (Author) Commented:
I've disabled the firewall already.  I even created a dedicated group policy and assigned domain admins, domain users, and the computer name to the policy and set the policy to be applied.  The thing is... In the past I simply would enable remote desktop and that's it.  I never had to mess with group policies for remote desktop.  But... I've created group policies that allow remote desktop.  The local security policy does not let me define these settings.. Only group policies seem to have the options I'm looking for due to this server being a domain member server... Currently only local user accounts can RDP into the server.  I do not have terminal services installed.  I simply have the remote setting 'allow users to connect remotely to this computer' enabled.
0
gopher_49 (Author) Commented:
Also,

I noticed that if I login locally via domain\Administrator or via machinename\Administrator I get the same profile?!  Is that normal?
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
OK, just to be more specific, can you post a screenshot of the problem on the user's side? It may explain more...
0
gopher_49 (Author) Commented:
when domain users try to remote desktop in their passwords do not work.  When a local user of the server tries to remote desktop in the password works.  Those are the symptoms.
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
did you add the domain users to Remote desktop users group in domain ???
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
they must be members of remote desktop so they can login to server with their user names
0
gopher_49 (Author) Commented:
I have domain users, a specified user, and the administrator account in the domain based built in Remote Desktop Users group.

Still doesn't work.  
0
gopher_49 (Author) Commented:
now,

I can't find this group when trying to add a group to the allowed users to remote in via the remote settings.  I can only find this group on the DC locally...
0
gopher_49 (Author) Commented:
Keep in mind..  Any of my domain users can log into the DC via RDP.
0
gopher_49 (Author) Commented:
I just noticed something.  When I add 'domain users' to the allowed RDP users from my member server it changes to 'none' for the listed group?!  Why is that?  My local security policy on my member server is set to 'none', however, I can't change it.  It's grayed out.
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
you are domain controller , so you need to work around it under domain group policy not local group policy , just try
0
gopher_49 (Author) Commented:
I already tried that.  I also verified that the member server received the GPO...  Still doesn't work.  I disabled the firewall and also allowed log on locally and terminal server login for all domain users.  I applied the policy manually and ran a report to verify that it received the GPO.  Still doesn't work.
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
another step , try to enable 1 user only ..in field "Allow logon locally" rights in
Domain Controller Security Settings, you are given her the privilege to logon
in front of your domain controller , and try from PC side
0
gopher_49 (Author) Commented:
I tried that and still doesn't work.  All domain users can RDP into the DC, however, they cannot RDP into the member server.
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
Wait, how stupid I am... lol, I missed something. The problem is not on the domain, it's on the member server. You mean a server that is a member of the domain, not an additional domain controller; this may simplify it more. Did you apply group policy from the domain to this member server?
0
gopher_49 (Author) Commented:
I manually applied the GPO and verified that the GPO was applied via the reports feature.  Attached is a snapshot of my GPO settings.
RDP-GPo-settings.jpg
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
It's strange, the policies are correct... OK, now try to run:

 rsop.msc
on the member server and try to modify login through terminal and login locally. Another question: when a user logs in to this server he cannot, right? Is there any message raised by Windows?
0
gopher_49 (Author) Commented:
I can't modify it, for the domain-issued GPO takes priority.  See attachment.  When a user tries to log in they simply get a 'the login attempt failed' message as you would if you typed in an incorrect PW.
RDP-GPo-settings2.jpg
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
Then let's start over. Can you reboot the member server in safe mode? Do it and then delete the "c:\windows\system32\groupPolicy" folder...
Then start normally, disconnect the cable, then go to group policy and repeat the steps to add the user to allow login through terminal server, then connect the cable and try.
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
Note that the groupPolicy folder is hidden. I have to go to sleep now, it's 12:00 AM in Amman here, so cold and I have work tomorrow as usual :P, so I wish you success in this. Catch you tomorrow to see if it's a success or not..

good night
0
gopher_49 (Author) Commented:
You mentioned to disconnect cable, and then go to group policy.  The group policy is done on the DC....  There is no need to change anything there for it's already set.. so, do I just re-connect the cable?
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
Just reconnect it and then try to connect the client; if it does not connect, try to modify the policy.
0
gopher_49 (Author) Commented:
still no go...  same symptoms.  Should I just try a clean install of Windows 2008 server?  It's a VM so I can easily do that.
0
footech Commented:
When that setting (mentioned in my previous post) is configured through Group Policy, it is grayed out in the Local Security Policy so that you can't change it, but you should be able to see what it is set to.  I wouldn't set this in the Default Domain Policy, since this will also apply to domain controllers.  Create a new GPO and apply it to an OU with computer accounts you're trying to access.  You could use Security Filtering to limit the affected computers even further if you don't want to break out these machines into their own separate OU.  You might try running the GP Results Wizard to see which policy is applying this setting, if you're not sure that it is only the Default Domain Policy which you set.  When this Group Policy setting is not defined, the defaults apply, which is Admins for DCs, and Admins and RD Users for member servers and workstations.

Make sure that the Builtin>Remote Desktop Users group is empty.  Create the new GPO which applies to your member server and set the Allow logon through RDS.  I am seeing a problem with the screen shot that you provided.

If you're trying to get Domain Users to be able to log on (or some other domain group), the group will appear as DOMAIN\UserOrGroup.  I am only seeing an Administrator, a local user on the server, and RDP (which I don't think is valid).  When adding users here, always use the browse function so that the name is verified, otherwise it will let you enter in names that don't exist.
0
footech Commented:
When I try to log in with a user that doesn't have permissions to RDP via this setting, these are the error messages I get (1 for Win2003, 1 for Win2008).
[Images: Win2003 error, Win2008 error]
0
gopher_49 (Author) Commented:
These are not the error messages I see when a client can't RDP.  Just deployed a new install of 2008.. brb
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
do you have terminal services installed???
try this :

http://support.citrix.com/article/CTX109925
0
footech Commented:
Even without Terminal/Remote Desktop Services installed, the server should still be accessible with Remote Desktop for Administration, which allows 2 concurrent connections and is available by default.  But maybe you should check which licensing mode the RDS is running in.

If you want to try getting this to work on just one machine, clear out the group policies related to remote desktop, then on the server just edit the local group Remote Desktop Users, and add the domain group Domain Users (or skip this and just use an account that is a member of Domain Admins).  Then double-check the properties of your Remote Settings (under Computer > Properties), and make sure you have Remote Desktop enabled.  If you can't get it to work with a Domain Admin account, you'll never succeed with an account that is only part of Domain Users.
0
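A read-only way to collect the settings this thread keeps circling (Remote Desktop enabled, local Remote Desktop Users membership, the "Allow log on through Remote Desktop Services" right and its deny counterpart, applied GPOs, and the firewall rule), as an added example that is not part of any poster's comment. It assumes an elevated PowerShell 2.0 or later prompt on the member server; the temp file name is arbitrary.

```powershell
# Added example: read-only audit, changes nothing on the server.

# 1. Is Remote Desktop enabled? (0 = connections allowed, 1 = denied)
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
"fDenyTSConnections = $($ts.fDenyTSConnections)"

# 2. Members of the server's LOCAL Remote Desktop Users group
#    (not the domain Builtin group, which only applies to DCs)
net localgroup "Remote Desktop Users"

# 3. Effective user rights: export them, then resolve SIDs to names
$cfg = Join-Path $env:TEMP 'user_rights.inf'   # arbitrary temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
foreach ($line in Get-Content $cfg) {
    $parts = $line -split '\s*=\s*', 2
    if ($parts.Count -ne 2 -or $rights -notcontains $parts[0]) { continue }
    "$($parts[0]):"
    foreach ($entry in ($parts[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry -eq '') { continue }
        if ($entry.StartsWith('*')) {
            # secedit writes most principals as *S-1-...
            $sid = New-Object System.Security.Principal.SecurityIdentifier(
                $entry.TrimStart('*'))
            try {
                $entry = $sid.Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $entry = "$($sid.Value) (SID does not resolve)"
            }
        }
        "    $entry"
    }
}
Remove-Item $cfg

# 4. Which GPOs actually applied to this computer
gpresult /r /scope computer

# 5. State of the inbound Remote Desktop firewall rule(s)
netsh advfirewall firewall show rule name=all |
    Select-String -Pattern '^Rule Name:.*Remote Desktop' -Context 0,3
```

A domain group should show up under SeRemoteInteractiveLogonRight as DOMAIN\Group, either directly or through the local Remote Desktop Users group; an entry under the deny right overrides the allow right.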

gopher_49 (Author) Commented:
I got it to work by performing a clean install of Windows 2008 SP2.  I also left the windows firewall enabled.  Joined the machine to the domain.  I then went to the remote settings and saw a note telling me to allow Remote Desktop in the firewall.  I then allowed it, set the users via the remote desktop settings as you would in Windows XP or Windows 7 and that's it.  It worked perfectly fine after that.  I've read that windows 2008 is REALLY picky about its firewall being turned on.  Aside from that and a clean install I'm not sure what really caused it not to work in the past.  Anyway, it's now working.
0
gopher_49 (Author) Commented:
Please read my last comment.
0