Members of domain admin group can't log into servers / lacking permissions for EMC

Hi guys,

We have a new starter trainee Sys Admin and after giving him membership of the domain admins group he is still getting Allow Log In Through Terminal Services Right.

Would members of the domain admins group not have this automatically?


Have you ensured that the Domain Admins security group is a part of the local machine administrators?
liminal (Author) Commented:
Yes :)

That's the strange thing, no?

I have also moved the account to an OU so that no GPOs apply.

As long as the group is a member of Administrators it should be fine, no?
liminal (Author) Commented:
It shouldn't need to be a member of Remote Desktop Users as well?

Can he log in through the console?

Also Allow Logon to terminal server. There is a check box on the Terminal Services Profile tab of their account. Use Active Directory Users and Computers to make sure the box is checked.
If you run an RSOP.MSC command and browse to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Are both Administrators and Remote Desktop Users given remote login rights? This is the default setting.
Sandeshdubey (Senior Server Engineer) Commented:
By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to logon remotely to the server.
Now, if you have a user account which is not a part of the Administrators or the Remote Desktop Users groups and you go ahead and add him to the GPO for “Allow Logon through Terminal Services”, they will still not be able to create a successful RDP connection to the server. The reason being that adding a user to this GPO only authorizes him for a Remote Logon to the server but does not give him the permissions to connect to the RDP-Listener.
Adding a user to “Remote Desktop Users” group allows them to create a successful connection to the server. Adding the user to the Remote Desktop users group gives them the “Remote Logon” Rights to machine as the Remote Desktop Users group is already a part of the GPO “Allow Logon through Terminal Services”.
Refer below link for more details:

Note: Ensure that the Remote Desktop Users group is not removed from the policy, else you need to manually add the users. Check the deny logon to terminal permission in GPO. You can run rsop to check the GPO setting.

Why are you allowing a normal user to log in to DCs? I would not recommend the same unless and until there is a strong business requirement. Can you let us know the reason so that we can assist you in a better way?
liminal (Author) Commented:
Just to add, it's a 2008 R2 function level.

And this user is a member of Domain Admins.

I have checked the RSOP on that machine and can see nothing about remote login under where you specified.
liminal (Author) Commented:
Thanks everyone for their input. I think I have found the problem.

Please logon to your server as administrator, Start--Run--secpol.msc.  In the left pane navigate to Security Settings\Local Policies\User Rights Assignment, in the right pane double-click on Allow log on through Remote Desktop Services, click add users or groups, enter Remote Desktop Users, click OK to save.
After performing the above please test that you can connect using Remote Desktop Connection as a standard user that is a member of RDU group.
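
Added example, not part of the thread: a PowerShell check of the two user rights discussed above, run over the `[Privilege Rights]` section of a `secedit /export` file, reporting whether the default groups still hold "Allow log on through Remote Desktop Services" and which accounts are explicitly denied. The function names and the sample text are constructed for illustration; the SIDs are the well-known ones for the built-in Administrators and Remote Desktop Users groups.

```powershell
# Well-known SIDs of the two built-in groups that hold the right by default.
$DefaultHolders = [ordered]@{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-555' = 'Remote Desktop Users'
}

function Get-UserRight {
    param([string]$InfText, [string]$Right)
    # [Privilege Rights] lines look like: SeXxxRight = *S-1-5-32-544,SomeAccount
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match "^\s*$([regex]::Escape($Right))\s*=\s*(.*)$") {
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()  # right absent from the export: no one is assigned it
}

function Test-RdpLogonRight {
    param([string]$InfText)
    $allow = @(Get-UserRight $InfText 'SeRemoteInteractiveLogonRight')
    $deny  = @(Get-UserRight $InfText 'SeDenyRemoteInteractiveLogonRight')
    [pscustomobject]@{
        # Default groups that no longer appear in the allow list.
        MissingDefaults = @($DefaultHolders.Keys |
            Where-Object { $allow -notcontains $_ } |
            ForEach-Object { $DefaultHolders[$_] })
        # A deny entry overrides an allow entry, so list every one for review.
        DenyEntries     = $deny
        AllowEntries    = $allow
    }
}

# Constructed sample: Remote Desktop Users missing from the allow list,
# plus one deny entry (placeholder SID).
$sample = @'
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@
Test-RdpLogonRight -InfText $sample | Format-List

# Against a live server, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   Test-RdpLogonRight -InfText (Get-Content "$env:TEMP\rights.inf" -Raw)
```

Entries in the export can be account names rather than SIDs; the script compares only against the two well-known SIDs and prints everything else as it appears in the file.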

liminal (Author) Commented:
My answer was right.