jcritzer asked:

Remote Desktop Users

I'm sure this is a dumb question for most but I can't seem to make it work.  Maybe I've just been staring at it for too long...

Let's say you have 10 users who need to be able to RDP into 100 domain servers.  Even if you're in the Remote Desktop Users group, you still have to have local terminal services permissions applied to your account on each server.  I tried adding users to both the RDU group as well as the Administrators group (which I always thought was a local admin group) to no avail.  Is there an alternate way to do this so you don't have to manually add 10 people to each of your 100 servers?

And no, making them all domain admins is not an option :)

ASKER CERTIFIED SOLUTION
dave_it

This solution is only available to members.

jcritzer (ASKER)

So I can apply the policy to all of the servers but where do you add the 10 IDs to the "Allowed to connect to this server remotely" property? I only see an option to enable or disable it under GP. Not to specify users.

That's one property - Access this computer from the network.

The other - In 2008, it's under Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / User Rights Assignment / Allow log on through Remote Desktop Services. In 2003, it's called "Allow log on through Terminal Services".

Both allow you to specify users and/or groups to add.

So both properties need to be set to include the security group I have the 10 people in? I'd like to blame my ineptitude on 2 hours of sleep but I'm just not getting this :)

Yes. And it's ok, we've all been thru that at some point. :)

From the GP side I have:
-Access this computer from the network
-Allow log on through Terminal Services

...each set to allow DOMAIN\GROUP1

GPO is applied to an AD OU containing all servers in question.


From the User side I have:
-User in Remote Desktop Users
-Assigned to GROUP1
-Assigned to Domain Users

I'm still receiving "you must have Terminal Server User Access permissions on this computer"

Has the GPO been replicated to all DCs and did you run a "gpupdate /force" (I always use the /force flag, no sense messing around) to have the policy applied to the servers?

Yep.

Does "Allow users to connect remotely using Terminal Services" located under Computer Configuration\Admin Templates\Windows Components\Terminal Services need to be enabled? I interpret that to mean the server would be open to any and all users via RDP since there is no way to list specific users or groups. That's why I haven't enabled it as of yet.

One domain I manage has the following setting for DCs:

Allow log on through Terminal Services - BUILTIN\Remote Desktop Users, BUILTIN\Administrators

If you aren't in one of those two groups, you can't log on to a DC.  And no other policies are in effect around remote access to a DC.
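
Added example, not part of the thread: one way to confirm on a given server that the two user rights discussed above actually list the group once the GPO has applied, by parsing a `secedit /export` file. The sample export and the SID standing in for DOMAIN\GROUP1 are constructed; `Get-UserRightHolder` is a hypothetical helper name.

```powershell
# Constructed sample of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` file.
# On a real server use: $lines = Get-Content rights.inf
$lines = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

# Constructed SID standing in for DOMAIN\GROUP1. Resolve the real one with:
# (New-Object System.Security.Principal.NTAccount('DOMAIN\GROUP1')).Translate(
#     [System.Security.Principal.SecurityIdentifier]).Value
$groupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'

# secedit constant names for the two policies named in the thread
$rights = @{
    SeNetworkLogonRight           = 'Access this computer from the network'
    SeRemoteInteractiveLogonRight = 'Allow log on through Terminal Services'
}

# Hypothetical helper: returns the SIDs/names listed for one right in the
# [Privilege Rights] section, or nothing if the right is not defined.
function Get-UserRightHolder {
    param([string[]]$Lines, [string]$Right)
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Right) {
            return @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
}

# Report each right; only direct entries are checked, nested groups are not expanded.
foreach ($name in $rights.Keys) {
    $holders = @(Get-UserRightHolder -Lines $lines -Right $name)
    New-Object PSObject -Property @{
        Policy  = $rights[$name]
        Granted = ($holders -contains $groupSid)
        Holders = $holders -join ', '
    }
}
```

In the constructed sample the group holds the network right but not the Terminal Services logon right, which is how a server that has not picked up the GPO value shows up. S-1-5-32-544 and S-1-5-32-555 are the well-known SIDs for BUILTIN\Administrators and BUILTIN\Remote Desktop Users.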