?
Solved

Unable to DRP

Posted on 2014-08-21
17
Medium Priority
?
130 Views
Last Modified: 2014-08-23
I created an OU named (remote users) in that out I created a user named (tsuser01) and also in that same OU I created a Security Group named (TSRemote) I added the user (tsuser01) to the security group (TSRemote) and I made the security group members of the (Remote Desktop Users) but I can't get the user to log in I continue to get this error.



Can anyone please explain to me what I'm doing wrong....

Thanks
0
Comment
Question by:noad
  • 8
  • 6
  • 3
17 Comments
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40277632
You must also add the group to the remote users section under computer properties if the server does not have the RDSH role installed. By default only local admins are. And keep in mind that if these users are not local admins, you are probably in violation of licensing. Non-admin work requires the RDSH role and RDS CALs.
0
 
LVL 1

Author Comment

by:noad
ID: 40277720
We are going to install Remote Service with a 7 user lic, but I want to make sure that the group side is setup before hand.

I added the group to the remote users on the computer under properties and it still dose not allow the user to remote in.

Any ideas as to why?
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40277745
Installng the RDSH role makes significant changes. Don't try to make it work without the RDSH role if you plan on installing it later. It'll break stuff. Install and configure the role first. You'll have an evaluation window (several months) to to test and tweak.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
LVL 1

Author Comment

by:noad
ID: 40277759
cliff

Just to make sure that I am not mistake can you break it down for me, maybe a snap shoot?


Thanks
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40277772
All I'm saying is install the RDSH role if that is your ultimate plan anyways. The changes it makes will make any screenshots I take for configuring without it almost worthless.
0
 
LVL 1

Author Comment

by:noad
ID: 40277775
ok,
I'll install it now, can you forward the screen shots?
Thanks
0
 
LVL 4

Expert Comment

by:colditzz
ID: 40277776
You get a 120 day trial for the RDSH role, so install that to be able to test the functionality prior to ordering the licenses.
In addition to adding the group to the 'Remote Desktop Users' local group, I always add the AD group (in your case 'TSRemote') to the 'Allow log on through Remote Desktop Services' role under User Rights Assignment.  Assuming you are using Group Policy, you should configure this in a GPO that sits above the RDS Server - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow log on through Remote Desktop Services.  Ensure you configure all groups that should be able to log on via RDS (Domain Admins, Remote Desktop Users, 3rd Line, etc...) though as this will overwrite the existing 'members' of this setting.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40277784
Installing the role makes a lot of those changes automatically. Which is why I suggested installing it. In a normal environment, it'll usually "just work."
0
 
LVL 4

Expert Comment

by:colditzz
ID: 40277788
I Agree Cliff, that it does. I always like the belts & braces approach though to ensure admin users don't get locked out if something goes wrong!
0
 
LVL 1

Author Comment

by:noad
ID: 40280398
Cliff,

Let me explain step by step what I'm doing, also just to be clear I'm doing this on a WIN Srv 2012 R2

 1-I created and OU (Remote Users), in that OU I created a Security Group (TSUsers)  and (2) users (TSUSer01 & TSUSer02)

OU, Security Group
2- Went into System and under Remote Settings I added the TSUsers Security Group

Remote Settings
3- Under the Security Group Members tab I added the users ( TSUser01 & TSUser02)

Users added to Security Group
4- Should I or Should I not  under the Members of Tab in the security group add the (Remote Desktop Users)? as you can see I added them

Members of Tab
5- Log in as user (tsuser02) asked to change the password

Log in
6-Password words changed correctly

Password change
7- Unable to log in

Unable to log in
Now unless I'm completely wrong, what part in the above steps is incorrect?

Thank for all of your help.
0
 
LVL 4

Expert Comment

by:colditzz
ID: 40280428
Hi Noad,

As Cliff and I have already pointed out, you need to install the 'Remote Desktop Services Host (RDSH)' role for this to work (in the way you are trying to configure it).
If you don't have the RDSH role installed, you should A) install it, or B) follow my instructions from above;

"add the AD group (in your case 'TSUsers') to the 'Allow log on through Remote Desktop Services' role under User Rights Assignment.  Assuming you are using Group Policy, you should configure this in a GPO that sits above the RDS Server - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow log on through Remote Desktop Services.  Ensure you configure all groups that should be able to log on via RDS (Domain Admins, Remote Desktop Users, 3rd Line, etc...) though as this will overwrite the existing 'members' of this setting. "
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40280451
None of your steps are incorrect. But they *are* incomplete.

Now here is the real rub,
; even if you go the extra mile and complete those steps, it'll all get undone when you do install the RDSH role, which you say you plan on doing. And the potential sode-effect is that you'll break applications in the process.

Microsoft Office is a good example of an application where the installer specifically looks for the RDSH role and does things differently if it knows it is getting installed in that scenario.

So you could manually configure everything, include the missing security policy steps, install office, test, see everything is okay, install RDSH, go back and fix all of the stuff RDSH undid, and STILL find office doesn't work right.

Sound fun?  

I stand by my recommendation. If you plan on installing and configuring RDSH, *do it now.* I can't understand why you are putting it off.
0
 
LVL 1

Author Comment

by:noad
ID: 40280465
Cliff,

I got this working like this ( steps I showed you ) on Srv 2008 R2.... I understand and agree on what you are recommending me to do. Here is the skinny on the situation.

New client
Had 1 srv ( Srv212 Standard R2 ) 12 gig of mem and RAID 1 ( 2 500gig H.D )
I need to  for aprrox 2 to 3 months, do everything on this one Srv, going VDI with new system.
For now I need to allow (2) VM and 2 TS connections.
They have a Lic for TS for 5 users which I will install.
But, putting your recommendation aside, which I agree. Why can't I log in with a user that I have on a Security Group that has the correct settings? it should, why is it not working is my question, that is what I want to fix. It should just work, right?

Also in the Members of Tab, should the Remote Desktop User be there???
0
 
LVL 1

Author Comment

by:noad
ID: 40280467
colditzz

Can you explain in more details? Like I said I have used the above setup on WIN2008R2 and it worked no problem, so why is it not working now if I'm doing the same steps?

I'm not trying to beat a dead horse here, just want answers as to why it works on one system and not another?
Is it a WIN20012 R2 problem?

Thank you for all of your help
0
 
LVL 60

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 40280470
Windows server is not set up for remote users by default. There are several places that the users must be added. So the answer to the question of "It should just work, right?" is *NO.*

If you want to fix it, install the RDSH role. That's it. It is that simple. If you want to work around it, give yourself a ton of headaches, and potentially be illegal, just to prove you "fixed" it, then reread the other answers here. The answer has been given, and I'm not inclined to repeat it because you didn't read it properly.

For the record, I am not bashing any other expert for giving the alternate advice. It was technical and accurate. I just don't believe it needs to be repeated and since you plan on installing RDSH, is not necessary.
0
 
LVL 1

Author Comment

by:noad
ID: 40280541
Cliff,

No worries,
I like I said before, I agree with you.
But I was able to get it working on Srv 2008R2 and not on WIn 20012R2.
No, I don't want to create a ton of work for myself, but YES I want to understand why it's not working now.
Should I just get it up and running? Absolutely
Will it safe me tons of work? I'm sure it will
I'm going to? Absolutely NOT.
Why? Simple I'm wired that way, I want to know and understand why its' not working on Srv 2012 R2, may just be a simple answer, I just have to find it; that's all.

My true background is Fire Rescue, I do I.T. work because I enjoy the challenge and I'm used to exploring and looking for  answers; true enough sometimes answer sometimes is just right in front of my face, maybe this is the same it's just is what it is, but I will explore it more and see if there are other reasons as to why it's not working on Srv 2012R2 when it works on Server 2008 R2.

As for the repeating part....
I agree and I have to tell you I broke my own rule.

Again Thank you for all of your help
0
 
LVL 1

Author Closing Comment

by:noad
ID: 40280542
Simple to the point solutions.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
Suggested Courses

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question