
remote desktop not working for domain users

gopher_49 asked:
I just recently deployed a win 2008 DC and a member server.  On the member server only local user accounts can remote desktop into it.  On my domain controller domain members can remote desktop into it... Now, why can't domain users remote desktop into the member server?

Maen Abu-Tabanjeh, Network Administrator, Network Consultant
Top Expert 2011

Commented:
It's a group policy issue. Go to Group Policy Management, then Default Domain Policy -> browse to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> User Rights Assignment.
Then on the right pane find "Allow log on through Terminal Services", double click on it, tick "Define these policy settings" -> add the users you want to log in; if anyone, just choose Everyone.

Exit, then go to cmd and type: gpedit /force

and try to let the user log in through RDP.

Good luck.
Top Expert 2014

Commented:
Check what groups are set in the local or group policy Security Settings | Local Policies | User Rights Assignment | Allow log on through Remote Desktop Services.  For local, by default, only Administrators are included in this setting on domain controllers.  On member servers, it should be Administrators and Remote Desktop Users.  Then just check the membership of these groups on the member server to see what you can track down.

Author

Commented:
The default domain policy's link was enabled but policy not enforced.  I defined the policy you mentioned to all domain users.  I also did a gpupdate /force.  This still didn't work.  That policy by default is disabled as I understand...

footech,

I only see a local policy.  The policy you mentioned is set to none and it won't let me change it.  I'm thinking this is due to it being a member server of a domain?

Maen Abu-Tabanjeh, Network Administrator, Network Consultant
Top Expert 2011

Commented:
Just a silly workaround: try to stop the firewall and let the users connect.
I am afraid that Windows Firewall stops traffic for RDP.
Also for domain users, if it's not updated, possibly because it has static IPs. However, I am sorry for these silly workarounds, but wallah (wallah in Arabic means "I swear to God"), I am doing my best to help you with this crazy issue.

Author

Commented:
I've disabled the firewall already.  I even created a dedicated group policy and assigned domain admins, domain users, and the computer name to the policy and set the policy to be applied.  The thing is... In the past I simply would enable remote desktop and that's it.  I never had to mess with group policies for remote desktop.  But... I've created group policies that allow remote desktop.  The local security policy does not let me define these settings.. Only group policies seem to have the options I'm looking for due to this server being a domain member server... Currently only local user accounts can RDP into the server.  I do not have terminal services installed.  I simply have the remote setting 'allow users to connect remotely to this computer' enabled.

Author

Commented:
Also,

I noticed that if I login locally via domain\Administrator or via machinename\Administrator I get the same profile?!  Is that normal?

Maen Abu-Tabanjeh, Network Administrator, Network Consultant
Top Expert 2011

Commented:
OK, just for more specification, can you post a screenshot of the problem on the user's side? It may explain more...

Author

Commented:
When domain users try to remote desktop in, their passwords do not work.  When a local user of the server tries to remote desktop in, the password works.  Those are the symptoms.

Maen Abu-Tabanjeh, Network Administrator, Network Consultant
Top Expert 2011

Commented:
Did you add the domain users to the Remote Desktop Users group in the domain?

Maen Abu-Tabanjeh, Network Administrator, Network Consultant
Top Expert 2011

Commented:
They must be members of Remote Desktop Users so they can log in to the server with their user names.

Author

Commented:
I have domain users, a specified user, and the administrator account in the domain-based built-in Remote Desktop Users group.

Still doesn't work.  

Author

Commented:
now,

I can't find this group when trying to add a group to the allowed users to remote in via the remote settings.  I can only find this group on the DC locally...

Author

Commented:
Keep in mind..  Any of my domain users can log into the DC via RDP.

Author

Commented:
I just noticed something.  When I add 'domain users' to the allowed RDP users from my member server it changes to 'none' for the listed group?!  Why is that?  My local security policy on my member server is set to 'none', however, I can't change it.  It's grayed out.

Maen Abu-Tabanjeh, Network Administrator, Network Consultant
Top Expert 2011

Commented:
You are a domain controller, so you need to work around it under domain group policy, not local group policy. Just try.

Author

Commented:
I already tried that.  I also verified that the member server received the GPO...  Still doesn't work.  I disabled the firewall and also allowed log on locally and terminal server login for all domain users.  I applied the policy manually and ran a report to verify that it received the GPO.  Still doesn't work.

Maen Abu-Tabanjeh, Network Administrator, Network Consultant
Top Expert 2011

Commented:
Another step: try to enable 1 user only in the "Allow log on locally" right in Domain Controller Security Settings. You are giving them the privilege to log on in front of your domain controller. Then try from the PC side.

Author

Commented:
I tried that and it still doesn't work.  All domain users can RDP into the DC, however, they cannot RDP into the member server.

Maen Abu-Tabanjeh, Network Administrator, Network Consultant
Top Expert 2011

Commented:
Wait, how stupid of me..lol, I missed something. The problem is not on the domain, it's on the member server. You mean a server that is a member of the domain, not an additional domain controller. This may simplify it more. Did you apply the group policy from the domain to this member server?

Author

Commented:
I manually applied the GPO and verified that the GPO was applied via the reports feature.  Attached is a snapshot of my GPO settings.
[attachment: RDP-GPo-settings.jpg]

Maen Abu-Tabanjeh, Network Administrator, Network Consultant
Top Expert 2011

Commented:
It's strange, the policies are correct... OK, now try to run:

rsop.msc

on the member server and try to modify "log on through terminal" and "log on locally". Other question: when the user logs in to this server he cannot, right? Is there any message raised by Windows?

Author

Commented:
I can't modify, for the domain-issued GPO takes priority.  See attachment.  When a user tries to login they simply get a 'the login attempt failed' message as you would if you type in an incorrect PW.
[attachment: RDP-GPo-settings2.jpg]

Maen Abu-Tabanjeh, Network Administrator, Network Consultant
Top Expert 2011

Commented:
Then let's start over. Can you reboot the member server in safe mode? Do it and then delete the "c:\windows\system32\groupPolicy" folder...
Then start normally, disconnect the cable, then go to group policy and repeat the steps to add the user to "allow login through terminal server", then connect the cable and try.

Maen Abu-Tabanjeh, Network Administrator, Network Consultant
Top Expert 2011

Commented:
Note that the groupPolicy folder is hidden. I have to go to sleep now, it's 12:00 AM in Amman here, so cold and I have work tomorrow as usual :P, so I wish you success in this. Catch you tomorrow to see if it succeeds or not..

good night

Author

Commented:
You mentioned to disconnect the cable, and then go to group policy.  The group policy is done on the DC....  There is no need to change anything there for it's already set.. so, do I just re-connect the cable?

Maen Abu-Tabanjeh, Network Administrator, Network Consultant
Top Expert 2011

Commented:
Just reconnect it and then try to connect the client. If it doesn't connect, try to modify the policy.

Author

Commented:
still no go...  same symptoms.  Should I just try a clean install of Windows 2008 server?  It's a VM so I can easily do that.
Top Expert 2014

Commented:
When that setting (mentioned in my previous post) is configured through Group Policy, it is grayed out in the Local Security Policy so that you can't change it, but you should be able to see what it is set to.  I wouldn't set this in the Default Domain Policy, since this will also apply to domain controllers.  Create a new GPO and apply it to an OU with computer accounts you're trying to access.  You could use Security Filtering to limit the affected computers even further if you don't want to break out these machines into their own separate OU.  You might try running the GP Results Wizard to see which policy is applying this setting, if you're not sure that it is only the Default Domain Policy which you set.  When this Group Policy setting is not defined, the defaults apply, which is Admins for DCs, and Admins and RD Users for member servers and workstations.

Make sure that the Builtin>Remote Desktop Users group is empty.  Create the new GPO which applies to your member server and set the Allow logon through RDS.  I am seeing a problem with the screen shot that you provided.

If you're trying to get Domain Users to be able to log on (or some other domain group), the group will appear as DOMAIN\UserOrGroup.  I am only seeing an Administrator, a local user on the server, and RDP (which I don't think is valid).  When adding users here, always use the browse function so that the name is verified, otherwise it will let you enter in names that don't exist.
Top Expert 2014

Commented:
When I try to log in with a user that doesn't have permissions to RDP via this setting, these are the error messages I get (1 for Win2003, 1 for Win2008).
[attachments: Win2003 error, Win2008 error]

Author

Commented:
These are not the error messages I see when a client can't RDP.  Just deployed a new install of 2008.. brb

Maen Abu-Tabanjeh, Network Administrator, Network Consultant
Top Expert 2011

Commented:
Do you have terminal services installed?
Try this:

http://support.citrix.com/article/CTX109925
Top Expert 2014
Commented:
Even without Terminal/Remote Desktop Services installed, the server should still be accessible with Remote Desktop for Administration, which allows 2 concurrent connections and is available by default.  But maybe you should check which licensing mode the RDS is running in.

If you want to try getting this to work on just one machine, clear out the group policies related to remote desktop, then on the server just edit the local group Remote Desktop Users, and add the domain group Domain Users (or skip this and just use an account that is a member of Domain Admins).  Then double-check the properties of your Remote Settings (under Computer > Properties), and make sure you have Remote Desktop enabled.  If you can't get it to work with a Domain Admin account, you'll never succeed with an account that is only part of Domain Users.
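The checks footech lists above (the effective "Allow log on through Remote Desktop Services" right and whether every name in it actually resolves, membership of the local Remote Desktop Users group, Remote Desktop being enabled in Remote Settings, and the Windows Firewall rule) can be gathered read-only in one go. The script below is an added example, not code from any poster in this thread; it assumes an elevated PowerShell on the member server running Windows Server 2008 or later, uses only tools that ship with 2008 (secedit, ADSI, netsh), and assumes "Remote Desktop (TCP-In)" is the name of the inbound RDP firewall rule.

```powershell
# Added example for this thread (not from any poster). Read-only diagnostic of the
# settings that decide whether a domain account may RDP to a member server.
# Assumes: elevated PowerShell, Windows Server 2008+, default firewall rule name.

function Resolve-PolicyEntry {
    param([string]$Entry)
    # secedit writes accounts it could resolve as *S-1-5-...; a name it could NOT
    # resolve (e.g. a typed-in "RDP" with no such account) is left as bare text.
    if ($Entry.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
        try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { return "$Entry (SID does not resolve on this server)" }
    }
    return "$Entry  <-- UNRESOLVED NAME, probably a typo; re-add it with Browse"
}

function Get-RdpLogonRights {
    # Effective User Rights Assignment = local policy merged with applied GPOs.
    # If a right is absent from the export, nobody currently holds it.
    $cfg = Join-Path $env:TEMP 'rdp-rights.inf'
    & secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $result = @{ Allow = @(); Deny = @() }
    foreach ($line in (Get-Content $cfg)) {
        if ($line -match '^SeRemoteInteractiveLogonRight\s*=\s*(.+)$') {
            $result.Allow = @($matches[1].Split(',') | ForEach-Object { Resolve-PolicyEntry $_.Trim() })
        } elseif ($line -match '^SeDenyRemoteInteractiveLogonRight\s*=\s*(.+)$') {
            $result.Deny  = @($matches[1].Split(',') | ForEach-Object { Resolve-PolicyEntry $_.Trim() })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $result
}

function Get-RemoteDesktopUsersMembers {
    # Local "Remote Desktop Users" group via the ADSI WinNT provider, which exists
    # on 2008 where Get-LocalGroupMember does not. Domain groups show as DOMAIN/Group.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    foreach ($m in @($group.Invoke('Members'))) {
        ($m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)) -replace '^WinNT://', ''
    }
}

function Get-RdpEnabledState {
    # fDenyTSConnections = 0 means "Allow users to connect remotely" is ticked.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $key -Name fDenyTSConnections).fDenyTSConnections
    return ($deny -eq 0)
}

function Get-RdpFirewallRuleState {
    # Inbound RDP rule in Windows Firewall; the rule name is an assumption (2008 default).
    $out = & netsh advfirewall firewall show rule name='Remote Desktop (TCP-In)'
    foreach ($line in $out) {
        if ($line -match '^Enabled:\s+(\w+)') { return $matches[1] }
    }
    return 'rule not found'
}

# Report
$rights = Get-RdpLogonRights
"Remote Desktop enabled (fDenyTSConnections=0): $(Get-RdpEnabledState)"
"Firewall rule 'Remote Desktop (TCP-In)' enabled:  $(Get-RdpFirewallRuleState)"
''
'Allow log on through Remote Desktop Services:'
$rights.Allow | ForEach-Object { "  $_" }
'Deny log on through Remote Desktop Services (Deny wins over Allow):'
$rights.Deny  | ForEach-Object { "  $_" }
''
'Members of local Remote Desktop Users:'
Get-RemoteDesktopUsersMembers | ForEach-Object { "  $_" }
```

Read the output against footech's defaults: on a member server the Allow list should contain BUILTIN\Administrators and BUILTIN\Remote Desktop Users, the Deny list should be empty, and DOMAIN\Domain Users (or whichever domain group you chose) should appear either in the Allow list or as a member of the local Remote Desktop Users group. Any entry flagged as an unresolved name was typed in rather than browsed, which is exactly the "RDP" entry footech questions in the screenshot. If the Allow list is not what you expect, `gpresult /h report.html` on the server shows which GPO is setting it.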
Author

Commented:
I got it to work by performing a clean install of Windows 2008 SP2.  I also left the windows firewall enabled.  Joined the machine to the domain.  I then went to the remote settings and saw a note telling me to allow Remote Desktop in the firewall.  I then allowed it, set the users via the remote desktop settings as you would in Windows XP or Windows 7 and that's it.  It worked perfectly fine after that.  I've read that windows 2008 is REALLY picky about its firewall being turned on.  Aside from that and a clean install I'm not sure what really caused it not to work in the past.  Anyway, it's now working.

Author

Commented:
Please read my last comment.