
Setting permissions from Active Directory to allow domain users to connect through rdp

Hello experts,

I have converted our corporate office to a virtual environment and also added a domain controller. I am now trying to connect all thin clients to the VMs. I can log in with administrator but no other accounts work. I know by default only admins and Remote Desktop Users can access RDP. I added the group Remote Desktop Users to all the users under Active Directory but that still didn't work. I do see that all users can RDP into the Active Directory server now, which is something I don't want. I also added this policy in my GPO:

Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow logon through Terminal Services -> I added the Domain Users group to this.

Also enabled Remote Desktop from the GPO as well.


So how can I allow all my users to connect through RDP while blocking them from logging into the servers?

I also have Windows Firewall temporarily disabled until everything is up and running without issues.

Active Directory: Windows Server 2008 R2
Workstations: Windows 7 Pro

Ayman Bakr, Senior Consultant
Commented:
Place your domain controllers in a separate OU. The GPO you have configured for your domain users allowing them to log on through terminal services should be linked to the other OU where your member servers reside - that is the servers you want to use for RDP.
Commented:
In addition to what Mutadwadi says, you may need to check the GPO for the TS Servers OU. In the Computer configuration..../User Rights you should check if Allow Logon Locally also includes the Domain Users group.
Network Engineer
Commented:
To take what the other experts have already said, I suggest that your member servers get their own OU. Domain controllers are already in their own OU. Create a sub OU under the Servers OU for your terminal servers. Put the terminal servers into the Terminal Servers OU and apply the GPO to that OU.
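
The OU and GPO-link layout suggested in the answers above, as an added PowerShell example that is not part of the original thread. It uses the ActiveDirectory and GroupPolicy modules; the domain name, OU names, GPO name and computer names are assumed placeholders.

```powershell
# Added example; every name below is an assumed placeholder, not from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = 'DC=corp,DC=example,DC=com'       # assumed domain
$serversOU = "OU=Servers,$domainDN"            # assumed to exist already
$tsOU      = "OU=Terminal Servers,$serversOU"  # sub-OU for the RDP targets
$gpoName   = 'Allow RDP - Domain Users'        # assumed name of the GPO from the question
$rdpHosts  = 'TS01', 'TS02'                    # assumed computer names

# 1. Create the sub-OU if it is missing and move the RDP hosts into it.
if (-not (Get-ADOrganizationalUnit -Filter 'Name -eq "Terminal Servers"' -SearchBase $serversOU)) {
    New-ADOrganizationalUnit -Name 'Terminal Servers' -Path $serversOU
}
foreach ($name in $rdpHosts) {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $tsOU
}

# 2. Link the GPO only to that OU, then drop any link at the domain root,
#    since a root link is inherited by the Domain Controllers OU as well.
$linkedHere = (Get-GPInheritance -Target $tsOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linkedHere) { New-GPLink -Name $gpoName -Target $tsOU -LinkEnabled Yes | Out-Null }

$atRoot = (Get-GPInheritance -Target $domainDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if ($atRoot) { Remove-GPLink -Name $gpoName -Target $domainDN | Out-Null }

# 3. Verify: the GPO must not be linked to or inherited by the Domain Controllers OU.
$onDCs = (Get-GPInheritance -Target "OU=Domain Controllers,$domainDN").InheritedGpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if ($onDCs) { Write-Warning "'$gpoName' still applies to domain controllers" }

# 4. List the domain's Builtin\Remote Desktop Users group. Domain controllers use
#    this group as their own, so review it for the accounts added in the question.
Get-ADGroupMember -Identity 'Remote Desktop Users' | Select-Object Name, objectClass
```

Run `gpupdate /force` on a terminal server and a domain controller afterwards and compare `gpresult /r` on each to confirm the policy applies to the first and not the second.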