Solved

Remote Log in

Posted on 2014-03-04
Last Modified: 2014-03-05
I can't seem to be able to remote into a workstation via RDP.
The user is in the right account.

Remote Desktop users account
Any idea as to why I can't log in????

I know I can go to the workstation itself and add the user to allow remote log in, but I want to be able to do it from the D/C, by adding the user to what I believe is the correct security Group / Users
Question by:noad
 
LVL 17

Expert Comment

by:lruiz52
ID: 39904141
You must also enable Remote Desktop access on the workstation you are trying to Remote Desktop to.

On the computer you are trying to remote desktop to, right-click My Computer and select Properties, then click on Remote Settings, then click on one of the allow connection radio buttons.
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39904143
What's the error when you are trying to RDP to the box?
0
 
LVL 1

Author Comment

by:noad
ID: 39904166
lruiz

I do have it set to allow for remote on the win8Pro workstation
0
 
LVL 17

Expert Comment

by:lruiz52
ID: 39904177
Do you have a third-party AV/firewall installed? It could be that it is blocking port 3389.
0
 
LVL 1

Author Comment

by:noad
ID: 39904203
justin

It says that the user needs to be part of the remote desktop group, if not I can add it manually.
I know I can add it manually, but why would I when I have a D/C...
0
 
LVL 1

Author Comment

by:noad
ID: 39904215
lruize

No, the port is not blocked. I checked; in fact I changed the RDP port from 3389 to 3391.
I can get to the log in, I can put the default password and then it asks me to change it.
I change it and it says "Your password has been changed" but when it tries to log in it kicks it back with, "you must be part of the remote desktop users group or admin group to log in remotely"...
0
 
LVL 1

Author Comment

by:noad
ID: 39904231
Here is what I get

Connection Refused
It let me change the password...
User is a member of the Remote Desktop users

No idea why I can't get in
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39904233
0
 
LVL 4

Expert Comment

by:Jason Ryberg
ID: 39904242
Ensure the local policy (and domain policy if domain joined) allows the user to connect to RDP:

Start - Run - GPEDIT.MSC

Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

Open the Allow log on through Terminal Services setting, and ensure that the user is listed.
0
 
LVL 1

Author Comment

by:noad
ID: 39904279
Justin...

In the link it says that if a user is part of the Remote Desktop users it has both the permissions needed to remote in.

As I have shown in the screenshots, the user is where it should be to be allowed remote log in.
0
 
LVL 1

Author Comment

by:noad
ID: 39904283
Slyc

I don't want to have to go into regedit and add the user to be allowed remote access, I can do that by going into the workstation under remote and adding the user manually.
0
 
LVL 4

Expert Comment

by:Jason Ryberg
ID: 39904301
GPEDIT.MSC loads the local policy for the local computer.  It does not launch the registry.

There are two validations to ensure a user has rights to RDP into a computer:
  User is a member of the Remote Desktop Users Group
  User is listed in the Allow log on through Terminal Services Policy

Both settings need to include the user in order for successful RDP.
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39904319
When user is part of the Remote Desktop users group but that group is not present in the GPO for “Allow Logon through Terminal Services”.
0
 
LVL 1

Author Comment

by:noad
ID: 39904403
sly

OK now I'm following...

Where exactly do I find the "Allow Log on through Terminal Services Policy"?

Is this the correct setting???

Remote Policy Setting
0
 
LVL 4

Expert Comment

by:Jason Ryberg
ID: 39904414
It would be the Allow log on through Remote Desktop Services, the one below the selected option in your screenshot.
0
 
LVL 1

Author Comment

by:noad
ID: 39904428
That one has the remote desktop user in it already (I put them in) so now it should work???
0
 
LVL 4

Expert Comment

by:Jason Ryberg
ID: 39904492
From your earlier posting, it looks like you added your domain user to your DOMAIN remote desktop users group.  Have you added the user to the LOCAL remote desktop users group?  Can you post a screenshot of your local computer's Remote Desktop Users members?  To do so:

Start - Run - lusrmgr.msc
Open Groups - Remote Desktop Users

You might need to add the DOMAIN remote desktop users group to the LOCAL computer's remote desktop users group.
0
 
LVL 1

Author Comment

by:noad
ID: 39904514
Stand by, I just locked myself out of being able to remote in with admin account
0
 
LVL 1

Author Comment

by:noad
ID: 39904523
See

Locked out
0
 
LVL 4

Expert Comment

by:Jason Ryberg
ID: 39904541
What steps did you take that caused you to remove your admin account from remote desktop users group?  Do you have console access to the box?
0
 
LVL 1

Author Comment

by:noad
ID: 39904549
yes have console access to the box
trying to see what I did
not sure...
0
 
LVL 1

Author Comment

by:noad
ID: 39904566
I'm in the local security policy
I see where in "Allow log on through remote desktop Services" I only see "remote desktop users" but I can't add administrators, it's grayed out.

Any idea how I can add the administrator account back?
0
 
LVL 1

Author Comment

by:noad
ID: 39904567
It's a Win 2012 R2 Srv
0
 
LVL 4

Expert Comment

by:Jason Ryberg
ID: 39904601
If the Add user or group button is greyed out, then you probably have a domain GPO that is preventing you from changing the policy locally.

From an elevated CMD prompt, run RSOP.MSC and navigate to the Allow log on through remote desktop services policy to see if a domain GPO is being applied.  If so, you'll need to change the settings in that GPO.
0
 
LVL 1

Author Comment

by:noad
ID: 39904621
I was able to do the change, I can now remote in with admin account...
Thanks...

I still can't login with user account, here is setting for local security policy

Local Security Policy
I changed it from nwgs\administrator to just administrators...
but no joy for user remote log in...
What am I doing wrong?
0
 
LVL 4

Expert Comment

by:Jason Ryberg
ID: 39904634
Two options:

Add NWGS\Remote Desktop Users to the local Remote Desktop Users group

OR

Add the NWGS\jdoe user to the local Remote Desktop Users group

To add to a local group:
Start - Run - lusrmgr.msc
Open Groups - Remote Desktop Users

That should do it as long as nothing else has changed.
0
 
LVL 1

Author Comment

by:noad
ID: 39904642
ok
I'll try that...
Thank you all for all of your help, if anything I learned what not to do...
0
 
LVL 1

Author Comment

by:noad
ID: 39904662
Still can't get in with user, if you would please send a snapshot to this dummy...
I can't figure this out...can't be that hard right?
0
 
LVL 1

Author Comment

by:noad
ID: 39904665
if I add the user via the remote setting on the workstation I can log right in, no problem
0
 
LVL 4

Expert Comment

by:Jason Ryberg
ID: 39904785
Can't really post a snapshot due to security issues (DoD network).  Let's step back and verify the following:

I want you to add the user account NWGS\jdoe to the local group Remote Desktop Users.

I also want you to add that user account to the Allow log on through Remote Desktop Services policy in the local security policy setting.  If you are unable to add the user because the Add user or group button is disabled, then you'll have to determine which domain GPO is setting that policy using RSOP.MSC as I described in my previous post.

Once you have the user account added to the RDU group and the Allow log on through Remote Desktop Services setting, that user should have permission to logon via RDP.
0
 
LVL 1

Author Comment

by:noad
ID: 39905138
Jason...

Sorry ,
I had to leave. I work Fire Rescue and do I.T. on the side.
We had a call.
I'm drained, I will revisit this in the AM when I can think straight, on 4 hr's of sleep.
Thank you for your help.
I will post the results.
0
 
LVL 4

Expert Comment

by:Jason Ryberg
ID: 39905246
Good luck!  hoping to hear good news tomorrow.
0
 
LVL 1

Author Comment

by:noad
ID: 39905458
Jason...

I have tried everything, read up on it, followed your steps and no joy.

I went into the local security policy and added the remote desktop users.

Local Policy
I went into the Win8 workstation and removed the user

remove user
I then tried to remote in and got this

Unable to remote in
I must still be missing something, I did a gpupdate on both the Srv and workstation, rebooted both just to be on the safe side, but no joy....

One other thing, on the workstation I can't add the remote desktop user group, is that normal? It lets me add users.
0
 
LVL 4

Expert Comment

by:Jason Ryberg
ID: 39906484
Can you clear something up for me?  You're trying to login to a Windows 2012 box? Or are you trying to login to a Windows 7/8 box from Windows 2012?  I think you might be changing the settings on the wrong box.
0
 
LVL 1

Author Comment

by:noad
ID: 39906552
I have a Win8 workstation that is joined to the Domain, I want the user when he/she is out of the office to be able to remote into the workstation.
0
 
LVL 4

Expert Comment

by:Jason Ryberg
ID: 39906568
Did you add that domain user to the local computer's remote desktop users group (as in go to the Windows 8 box, run lusrmgr.msc and add NWGS\jdoe to the Remote Desktop Users group on the Windows 8 box, NOT in the domain Remote Desktop Users group)?
0
 
LVL 1

Author Comment

by:noad
ID: 39906603
Yes,
I added the user to the Win8 box and I can remote in without any problems. See attached file.

Win8 box.

I can add users, but not groups, as in if the users are in the Remote Desktop Users group I'd like to add the group instead of each user.
0
 
LVL 4

Expert Comment

by:Jason Ryberg
ID: 39906633
So the user can login now, but you would rather have a group added instead?  There is nothing preventing you from adding a group to Remote Desktop Users by default.  If you can't add a group, then there must be a domain GPO preventing it.
0
 
LVL 1

Author Comment

by:noad
ID: 39906656
So the way I added the user is the correct way all along?
0
 
LVL 4

Expert Comment

by:Jason Ryberg
ID: 39906664
After all the changes we made, I'm not sure I remember how it started, but as long as that user is in the local machine's Remote Desktop Users group (either directly or through group membership) then the user can connect, assuming the user is in the Allow log on through Remote Desktop Services policy as well.

I think initially, you had the user in the domain/builtin Remote Desktop Users group, which is a group used for either RRAS or remoting to your DCs.
0
 
LVL 1

Author Comment

by:noad
ID: 39906678
See no remote desktop user group

No Remote Desktop Users Group
0
 
LVL 4

Expert Comment

by:Jason Ryberg
ID: 39906685
I was referring to your first screenshot where the jdoe user is a member of the nwgs.local\builtin Remote Desktop Users group.
0
 
LVL 4

Expert Comment

by:Jason Ryberg
ID: 39906689
If you look in this list, you'll see that group is only used to allow RDP to DCs:

technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx
0
 
LVL 1

Author Comment

by:noad
ID: 39906696
So are you saying I should create a new security group, add users to it and then add the group to the allow remote area on the Win8 box?
0
 
LVL 4

Accepted Solution

by:
Jason Ryberg earned 500 total points
ID: 39906703
Correct.  If you want to get fancy, you can use a domain GPO to add that Remote Users group to all the workstations' Remote Desktop Users group.  ;)
0
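The two checks discussed in this thread (membership in the target machine's local Remote Desktop Users group, and the Allow log on through Remote Desktop Services right) can be modelled as follows. This is an added example on constructed data, not code from the thread; the group name `NWGS\RDP-Workstations`, the membership tables and the secedit excerpts are assumptions made for illustration.

```python
# Added example on constructed data; not code from the thread.
LOCAL_RDU = "S-1-5-32-555"     # the workstation's own BUILTIN\Remote Desktop Users
LOCAL_ADMINS = "S-1-5-32-544"  # the workstation's own BUILTIN\Administrators
RDP_RIGHT = "SeRemoteInteractiveLogonRight"  # Allow log on through Remote Desktop Services

# Constructed USER_RIGHTS excerpts in the format `secedit /export` writes.
DEFAULT_RIGHTS = "[Privilege Rights]\nSeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555\n"
RDU_ONLY_RIGHTS = "[Privilege Rights]\nSeRemoteInteractiveLogonRight = *S-1-5-32-555\n"

def granted_principals(inf_text, right=RDP_RIGHT):
    """Return the principals that hold `right` in a secedit export."""
    for line in inf_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == right:
            return {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return set()

def effective_groups(account, membership):
    """All groups the account belongs to, following nested group membership."""
    seen, stack = set(), [account]
    while stack:
        current = stack.pop()
        for group, members in membership.items():
            if current in members and group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def rdp_gates(account, inf_text, membership):
    """Evaluate both checks for one account on one target machine."""
    ids = effective_groups(account, membership) | {account}
    return {
        "local_group": bool(ids & {LOCAL_RDU, LOCAL_ADMINS}),
        "user_right": bool(ids & granted_principals(inf_text)),
    }

# Constructed membership as seen from the Win8 workstation (group -> direct members).
BEFORE = {
    r"NWGS\Builtin\Remote Desktop Users": {r"NWGS\jdoe"},  # applies to the DCs only
    LOCAL_RDU: set(),
    LOCAL_ADMINS: {r"NWGS\Domain Admins"},
    r"NWGS\Domain Admins": {r"NWGS\administrator"},
}
AFTER = dict(BEFORE)
AFTER[r"NWGS\RDP-Workstations"] = {r"NWGS\jdoe"}  # hypothetical new domain security group
AFTER[LOCAL_RDU] = {r"NWGS\RDP-Workstations"}      # nested into the workstation's local group

if __name__ == "__main__":
    print("before:", rdp_gates(r"NWGS\jdoe", DEFAULT_RIGHTS, BEFORE))
    print("after: ", rdp_gates(r"NWGS\jdoe", DEFAULT_RIGHTS, AFTER))
    print("admin, right held by RDU only:", rdp_gates(r"NWGS\administrator", RDU_ONLY_RIGHTS, AFTER))
```

The third case reproduces the lockout from earlier in the thread: the admin account still passes the group check but fails the user-right check once only Remote Desktop Users holds the right.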
 
LVL 1

Author Comment

by:noad
ID: 39906717
So I have just been wasting your time on this crazy go-round???
Sorry bother, my bad.
I did learn something.

Thanks for all of your help.
Have a great day.
0
 
LVL 1

Author Closing Comment

by:noad
ID: 39906722
Stuck with me to the end!
Very professional!
0
 
LVL 4

Expert Comment

by:Jason Ryberg
ID: 39906734
Fortunately for you I've been spending the past two days watching patches install on servers, so it's been a nice distraction!
0
 
LVL 1

Author Comment

by:noad
ID: 39906740
Damn.. Sorry to hear that.
Hope it ends soon...
0
