jcritzer
Remote Desktop Users
I'm sure this is a dumb question for most but I can't seem to make it work. Maybe I've just been staring at it for too long...
Let's say you have 10 users who need to be able to RDP into 100 domain servers. Even if you're in the Remote Desktop Users group, you still have to have local terminal services permissions applied to your account on each server. I tried adding users to both the RDU group as well as the Administrators group (which I always thought was a local admin group) to no avail. Is there an alternate way to do this so you don't have to manually add 10 people to each of your 100 servers?
And no, making them all domain admins is not an option :)
That's one property - Access this computer from the network.
The other - In 2008, it's under Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / User Rights Assignment / Allow log on through Remote Desktop Services. In 2003, it's called "Allow log on through Terminal Services"
Both allow you to specify users and/or groups to add.
ASKER
So both properties need to be set to include the security group I have the 10 people in? I'd like to blame my ineptitude on 2 hours of sleep but I'm just not getting this :)
Yes. And it's ok, we've all been thru that at some point. :)
ASKER
From the GP side I have:
-Access this computer from the network
-Allow log on through Terminal Services
...each set to allow DOMAIN\GROUP1
GPO is applied to an AD OU containing all servers in question.
From the User side I have:
-User in Remote Desktop Users
-Assigned to GROUP1
-Assigned to Domain Users
I'm still receiving "you must have Terminal Server User Access permissions on this computer"
Has the GPO been replicated to all DCs and did you run a "gpupdate /force" (I always use the /force flag, no sense messing around) to have the policy applied to the servers?
ASKER
Yep.
Does "Allow users to connect remotely using Terminal Services" located under Computer Configuration\Admin Templates\Windows Components\Terminal Services need to be enabled? I interpret that to mean the server would be open to any and all users via RDP since there is no way to list specific users or groups. That's why I haven't enabled it as of yet.
One domain I manage has the following setting for DCs:
Allow log on through Terminal Services - BUILTIN\Remote Desktop Users, BUILTIN\Administrators
If you aren't in one of those two groups, you can't log on to a DC. And no other policies are in effect around remote access to a DC.
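Added example (not part of any post in this thread): a way to confirm what actually landed on one server after `gpupdate /force`, assuming its user rights were exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS`. It checks the two rights discussed above plus their deny counterparts against the SIDs in a user's token; the sample export and the GROUP1 SID are constructed.

```python
# Audit a secedit user-rights export for the two rights discussed in this thread.
# SAMPLE_INF and GROUP1_SID are constructed sample values, not from a real server.
GROUP1_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # stands in for DOMAIN\GROUP1
ADMINS_SID = "S-1-5-32-544"  # BUILTIN\Administrators
GUESTS_SID = "S-1-5-32-546"  # BUILTIN\Guests

SAMPLE_INF = f"""\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *{ADMINS_SID},*{GROUP1_SID}
SeRemoteInteractiveLogonRight = *{ADMINS_SID}
SeDenyRemoteInteractiveLogonRight = *{GUESTS_SID}
"""

# Policy display names as used in the thread (2003 wording for the second one).
REQUIRED = {
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeRemoteInteractiveLogonRight": "Allow log on through Terminal Services",
}
DENY = ("SeDenyNetworkLogonRight", "SeDenyRemoteInteractiveLogonRight")

def parse_privilege_rights(inf_text):
    """Return {right: set of SIDs} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; entries are comma separated.
            rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def audit_rdp_rights(inf_text, token_sids):
    """token_sids: the user's SID plus the SID of every group they belong to."""
    rights, sids, findings = parse_privilege_rights(inf_text), set(token_sids), []
    for const, label in REQUIRED.items():
        # A right absent from the export has no assignees at all.
        if not rights.get(const, set()) & sids:
            findings.append(f"missing: {label} ({const})")
    for const in DENY:
        # A deny right overrides the matching allow right.
        if rights.get(const, set()) & sids:
            findings.append(f"denied: {const}")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_rdp_rights(SAMPLE_INF, [GROUP1_SID]))
```

In the constructed sample, GROUP1 holds the network logon right but not the Terminal Services logon right, which is what the export would look like on a server where only part of the GPO setting took effect.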