Remote desktop users cannot login by RDP

I have made a user a member of the "Remote Desktop Users" group but the user cannot use RDP to log in to a server on the domain.

Any ideas to make this user be able to log in without making the user a member of the domain admins group?

RDP access is enabled on the server(s) in question to be logged into.
Remote desktop users group is in the GPO for - allow log on locally and allow log on through Remote desktop services.

Commented:
What version of server OS do you have? 2008?

You can take a look at this website: http://www.techotopia.com/index.php/Configuring_Windows_Server_2008_Remote_Desktop_Administration

If you can't get it to work, what error does the user get?

Then I'll look for a solution when I'm back home.
Nagendra Pratap Singh, Desktop Applications Specialist

Commented:
Can admins log in to it?

It could be a firewall or other issue.

Commented:
We need the error message please.

Author

Commented:
Thank You for your response.

The domain is on a 2008 R2.

The servers are a mixture of 2008R2 and 2003R2.

Yes I can RDP to all of these servers using an administrator account or someone that is in the domain admins group.

Error Message:

To log on to this remote computer, you must have Terminal Server User Access Permissions on the computer. By Default, members of the Remote Desktop Users group have these permissions. If you are not a member of the Remote Desktop Users group or another group that has these permissions, or if the Remote Desktop Users group does not have these permissions, you must be granted these permissions manually.
Commented:
Have you taken a look at the website I provided? Everything is described there for win serv 2008 (also r2).

Author

Commented:
I have reviewed the site and I cannot find anything on it I have not already done or checked.
Commented:
Have you also checked this?

RDP setting

Author

Commented:
Version 7.1 is being used but the selection "Run initial program specified by user profile and Remote Desktop Connection or client" is selected.
Commented:
You got Citrix installed or anything similar? Because in my experience that may cause some problems with RDP, but can be resolved.

Author

Commented:
Nothing else in the way of remote connections is installed.

I created a new group and assigned it to the GPO, refreshed the policy on the connection server and it still fails. The new group, as well as the remote Desktop group, is in the local GPO policy for "Allow log on locally" and Allow log on through Terminal Services.
Kini pradeep, Development Manager

Commented:
Is this server a member server? There is a Remote Desktop Users group. Is this user added to the local group?

Author

Commented:
Is this server a member server? Yes

There is a remote desktop users group. Yes

Is this user added to the local group? Yes
Commented:
In your RD Session Host Configuration -- properties of the connection -- security tab -- what permissions does the remote desktop users group have?

Where are you linking this GPO exactly? You state the group is in the GPO, but is the GPO linked to an appropriate OU?

Author

Commented:
Configured GPO is the default domain GPO.

Remote desktop users are power users. log on locally, log on through terminal services rights.
Commented:
Maybe try creating a separate GPO for these policies, and then link it to the OU this problem server is in.

Also have you tried the GPO resultant set policy wizard, to see what gets applied?

Author

Commented:
Tried a separate GPO - no change

GPO resultant policy shows the policy is working.

The security group I created is in the local Power Users group and the Remote Desktop Users group. However, the users in the security group cannot RDP into the server and the security group is not in the users list in the remote access users list. If I go to the server and add the security group I created to the remote access users list on the local server they then get RDP access. This would be fine except I have many servers and cannot go to each one and add the security group in a timely fashion.
Commented:
Just curious, what if you add a user directly to the remote desktop users group. Does it work then without modifying the remote access user list?

Author

Commented:
Adding the user directly to the local remote desktop users group does add them to the remote access user list and they are able to RDP in.
Commented:
Hmmm, but if you add your security group to the remote desktop group, but then only add the remote desktop users group to the remote users list, they do not get in?

That's either a bug, or somewhere this security group has a permissions conflict, that is taking precedence over the remote desktop users group being a member of the remote access users list.

Is the security group in a default container, or did you create a new container?

Author

Commented:
Security group is in a default container. From what I can find on the internet, this is a bug.

I am trying some command line scripts to see if I can get around the problem.

Commented:
Yeah sounds like a bug. Let me know how it turns out.
Created the security group "RemotePowerUsers" and put the users in that security group. The Group Policy and running the following from a command prompt on the DC for each server fixed the problem. A pain but it is working.

C:\pstools\psexec \\<server name> net localgroup "Remote Desktop Users" systrends\RemotePowerUsers /ADD

Thanks to everyone for trying to help.
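
The per-server step in the post above, written as a loop that first reports which servers are missing the group and only changes membership when asked. This is an added example, not the poster's script: the function name `Set-RdpGroupMember` is hypothetical, the server names are constructed, and the domain and group names are the ones from the post. It uses the ADSI WinNT provider so it also runs against Server 2003 R2 and 2008 R2 hosts.

```powershell
# Added example (not from the original thread).
# Audits, and with -Add fixes, membership of the local "Remote Desktop Users"
# group on each server. Run it under an account that is a local administrator
# on the target servers.
function Set-RdpGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][string]$Domain,     # NetBIOS domain name
        [Parameter(Mandatory = $true)][string]$GroupName,  # domain security group
        [switch]$Add                                        # omit for report-only
    )
    $wanted = "WinNT://$Domain/$GroupName"
    foreach ($server in $ComputerName) {
        $status = 'Missing'
        try {
            $local = [ADSI]"WinNT://$server/Remote Desktop Users,group"
            # Read the ADsPath of every current member of the local group.
            $paths = @($local.psbase.Invoke('Members')) | ForEach-Object {
                $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            }
            if ($paths -contains $wanted) {
                $status = 'Present'          # nothing to do, do not add twice
            } elseif ($Add) {
                $local.psbase.Invoke('Add', "$wanted,group")
                $status = 'Added'
            }
        } catch {
            # Unreachable host or access denied: record it and keep going.
            $status = "Error: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            Server = $server
            Group  = "$Domain\$GroupName"
            Status = $status
        }
    }
}

# Constructed server names. Report-only run; append -Add to change membership.
Set-RdpGroupMember -ComputerName 'SRV01', 'SRV02' -Domain 'systrends' -GroupName 'RemotePowerUsers'
```

Keeping the report-only output from a later run gives a record of which accounts and groups can reach each server over RDP.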

Commented:
Hey nice! Good to know there is a fix.

Author

Commented:
Found the solution on the internet combining several sites.