Setting permissions from Active Directory to allow domain users to connect through rdp

Hello experts,

I have converted our corporate office to a virtual environment and also added a domain controller. I am now trying to connect all thin clients to the VMs. I can log in with administrator, but no other accounts work. I know by default only admins and Remote Desktop Users can access RDP. I added the group Remote Desktop Users to all the users under Active Directory, but that still didn't work. I do see that all users can RDP into the Active Directory server now, which is something I don't want. I also added this policy in my GPO:

Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow logon through Terminal Services--->I added the Domain Users group to this.

Also enabled Remote Desktop from the GPO as well.


So how can I allow all my users to connect through RDP while blocking them from logging into the servers?

I also have Windows Firewall temporarily disabled until everything is up and running without issues.

Active Directory: Windows Server 2008 R2
Workstations: Windows 7 Pro
mlsbraves asked:
Ayman Bakr, Senior Consultant, commented:
Place your domain controllers in a separate OU. The GPO you have configured for your domain users allowing them to log on through Terminal Services should be linked to the other OU where your member servers reside - that is, the servers you want to use for RDP.
chakko commented:
In addition to what Mutadwadi says, you may need to check the GPO for the TS Servers OU. In Computer Configuration..../User Rights you should check whether Allow Logon Locally also includes the Domain Users group.
kevinhsieh commented:
To take what the other experts have already said, I suggest that your member servers get their own OU. Domain controllers are already in their own OU. Create a sub OU under the Servers OU for your terminal servers. Put the terminal servers into the Terminal Servers OU and apply the GPO to that OU.
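The OU layout and verification the answers describe, as an added PowerShell example that is not from any of the posters. It assumes the GPO granting "Allow log on through Remote Desktop Services" to Domain Users already exists under the placeholder name "RDP - Allow Domain Users", and that TS01 and TS02 are placeholder terminal server names; run it on a domain controller with RSAT, then run the verification function on each server after gpupdate /force.

```powershell
# Added example (not from the thread). Placeholders: GPO "RDP - Allow Domain Users",
# terminal servers TS01 and TS02. Requires the ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName
$serversOU = New-ADOrganizationalUnit -Name 'Servers' -Path $domainDN -PassThru
$tsOU      = New-ADOrganizationalUnit -Name 'Terminal Servers' -Path $serversOU.DistinguishedName -PassThru

# Move only the RDP hosts into the sub-OU; domain controllers stay in "Domain Controllers".
foreach ($name in 'TS01', 'TS02') {
    Get-ADComputer $name | Move-ADObject -TargetPath $tsOU.DistinguishedName
}

# Link the GPO to the Terminal Servers OU, not the domain root, so the logon right
# is never applied to the domain controllers.
New-GPLink -Name 'RDP - Allow Domain Users' -Target $tsOU.DistinguishedName -LinkEnabled Yes

# Verification: export the effective local security policy of the host this runs on and
# resolve who holds the two rights the answers mention. On a DC, "Domain Users" should
# appear in neither list; on a terminal server it should appear in both.
function Get-LogonRights {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines  = Get-Content $inf
    $rights = @{}
    foreach ($key in 'SeRemoteInteractiveLogonRight', 'SeInteractiveLogonRight') {
        $line = $lines | Where-Object { $_ -like "$key*" }
        # secedit writes SIDs prefixed with '*', comma separated; an absent key means nobody.
        $sids = if ($line) { ($line -split '=', 2)[1].Trim() -split ',' } else { @() }
        $rights[$key] = $sids | ForEach-Object {
            $s = $_.Trim().TrimStart('*')
            try {
                (New-Object System.Security.Principal.SecurityIdentifier $s).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $s }   # leave unresolvable SIDs as-is rather than hiding them
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

$r = Get-LogonRights
"Allow log on through Remote Desktop Services: $($r.SeRemoteInteractiveLogonRight -join ', ')"
"Allow log on locally:                         $($r.SeInteractiveLogonRight -join ', ')"
```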
