I can't seem to be able to remote into a workstation via RDP.
The user is in the right account.
Any idea as to why I can't log in????
I know I can go to the workstation itself and add the user to allow remote log in, but I want to be able to do it from the D/C, by adding the user to what I believe is the correct security Group / Users.
You must also enable Remote Desktop access on the workstation you are trying to Remote Desktop to.
On the computer you are trying to remote desktop to, right click My Computer and select Properties, then click on Remote settings, then click on one of the allow connection radio buttons.
It says that a user needs to be part of the remote desktop group; if not, I can add it manually.
I know I can add it manually, but why would I when I have a D/C...
No, the port is not blocked. I checked; in fact I changed the RDP port from 3389 to 3391.
I can get to the log in, I can put the default password and then it asks me to change it.
I change it and it says "Your password has been changed" but when it tries to log in it kicks it back with, "you must be part of the remote desktop users group or admin group to log in remotely"...
I don't want to have to go into regedit and add the user to be allowed remote access; I can do that by going into the workstation under remote and adding the user manually.
GPEDIT.MSC loads the local policy for the local computer. It does not launch the registry.
There are two validations to ensure a user has rights to RDP into a computer:
User is a member of the Remote Desktop Users Group
User is listed in the Allow log on through Terminal Services Policy
Both settings need to include the user in order for successful RDP.
From your earlier posting, it looks like you added your domain user to your DOMAIN remote desktop users group. Have you added the user to the LOCAL remote desktop users group? Can you post a screenshot of your local computer's Remote Desktop Users members? To do so:
Start - Run - lusrmgr.msc
Open Groups - Remote Desktop Users
You might need to add the DOMAIN remote desktop users group to the LOCAL computer's remote desktop users group.
I'm in the local security policy
I see where in "Allow log on through remote desktop Services" I only see "remote desktop users", but I can't add administrators; it's grayed out.
Any idea how I can add the administrator account back?
If the Add user or group button is greyed out, then you probably have a domain GPO that is preventing you from changing the policy locally.
From an elevated CMD prompt, run RSOP.MSC and navigate to the Allow log on through remote desktop services policy to see if a domain GPO is being applied. If so, you'll need to change the settings in that GPO.
Can't really post a snapshot due to security issues (DoD network). Let's step back and verify the following:
I want you to add the user account NWGS\jdoe to the local group Remote Desktop Users.
I also want you to add that user account to the Allow log on through Remote Desktop Services policy in the local security policy setting. If you are unable to add the user because the Add user or group button is disabled, then you'll have to determine which domain GPO is setting that policy using RSOP.MSC as I described in my previous post.
Once you have the user account added to the RDU group and the Allow log on through Remote Desktop Services setting, that user should have permission to logon via RDP.
Sorry,
I had to leave. I work Fire Rescue and do I.T. on the side.
We had a call.
I'm drained, I will revisit this in the AM when I can think straight, on 4 hrs of sleep.
Thank you for your help.
I will post the results.
Can you clear something up for me? You're trying to login to a Windows 2012 box? Or are you trying to login to a Windows 7/8 box from Windows 2012? I think you might be changing the settings on the wrong box.
Did you add that domain user to the local computer's remote desktop users group (as in go to the Windows 8 box, run lusrmgr.msc and add NWGS\jdoe to the Remote Desktop Users group on the Windows 8 box, NOT in the domain Remote Desktop Users group)?
So the user can login now, but you would rather have a group added instead? There is nothing preventing you from adding a group to Remote Desktop Users by default. If you can't add a group, then there must be a domain GPO preventing it.
After all the changes we made, I'm not sure I remember how it started, but as long as that user is in the local machine's Remote Desktop Users group (either directly or through group membership) then the user can connect, assuming the user is in the Allow log on through Remote Desktop Services policy as well.
I think initially, you had the user in the domain/builtin Remote Desktop Users group, which is a group used for either RRAS or remoting to your DCs.
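The two validations discussed in this thread can be checked from one elevated PowerShell session on the workstation being connected to. This is an added example, not part of any post above; it assumes Windows PowerShell 5.1 or later, uses the thread's sample account NWGS\jdoe as its default, and also reports the deny right, which the thread does not mention.

```powershell
# Added example. Run elevated on the workstation that refuses the RDP logon.
param([string]$Account = 'NWGS\jdoe')   # sample account name taken from the thread

# Validation 1: the LOCAL Remote Desktop Users group (well-known SID S-1-5-32-555),
# not the domain/builtin group of the same name on the DC.
$rdu    = Get-LocalGroupMember -SID 'S-1-5-32-555'
$direct = [bool]($rdu | Where-Object { $_.Name -eq $Account })
$groups = $rdu | Where-Object { $_.ObjectClass -eq 'Group' }

"Direct member of local Remote Desktop Users: $direct"
"Groups nested in local Remote Desktop Users (membership of these also counts):"
$groups | ForEach-Object { "  $($_.Name)  [$($_.PrincipalSource)]" }

# Validation 2: the effective "Allow log on through Remote Desktop Services" user right
# (SeRemoteInteractiveLogonRight), read from an export of the effective security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-Holder([string]$Entry) {
    # secedit writes SIDs as *S-1-...; anything else is already an account name.
    $Entry = $Entry.Trim()
    if (-not $Entry.StartsWith('*')) { return $Entry }
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]$Entry.TrimStart('*')
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Entry }   # SID that no longer resolves; show it as-is
}

Select-String -Path $cfg -Pattern '^Se(Deny)?RemoteInteractiveLogonRight\s*=' |
    ForEach-Object {
        $name, $value = $_.Line -split '=', 2
        $holders = ($value -split ',' | ForEach-Object { Resolve-Holder $_ }) -join '; '
        [pscustomobject]@{ Right = $name.Trim(); Holders = $holders }
    } | Format-List

Remove-Item $cfg -ErrorAction SilentlyContinue

# If the right cannot be edited locally (greyed-out button), a domain GPO is setting it.
# This lists the GPOs applied to the computer so the owning GPO can be found and changed.
gpresult /r /scope computer
```

The account needs to appear under validation 1 (directly or through a listed group) and be covered by a holder of SeRemoteInteractiveLogonRight, without being covered by SeDenyRemoteInteractiveLogonRight.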