Unable to RDP

I created an OU named (remote users). In that OU I created a user named (tsuser01), and also in that same OU I created a Security Group named (TSRemote). I added the user (tsuser01) to the security group (TSRemote) and I made the security group a member of the (Remote Desktop Users), but I can't get the user to log in. I continue to get this error.



Can anyone please explain to me what I'm doing wrong....

Thanks
noad Asked:

Cliff Galiher Commented:
You must also add the group to the remote users section under computer properties if the server does not have the RDSH role installed. By default only local admins are. And keep in mind that if these users are not local admins, you are probably in violation of licensing. Non-admin work requires the RDSH role and RDS CALs.
0
noad (Author) Commented:
We are going to install Remote Service with a 7 user lic, but I want to make sure that the group side is set up beforehand.

I added the group to the remote users on the computer under properties and it still does not allow the user to remote in.

Any ideas as to why?
0
Cliff Galiher Commented:
Installing the RDSH role makes significant changes. Don't try to make it work without the RDSH role if you plan on installing it later. It'll break stuff. Install and configure the role first. You'll have an evaluation window (several months) to test and tweak.
0
noad (Author) Commented:
Cliff,

Just to make sure that I am not mistaken, can you break it down for me, maybe a snapshot?


Thanks
0
Cliff Galiher Commented:
All I'm saying is install the RDSH role if that is your ultimate plan anyways. The changes it makes will make any screenshots I take for configuring without it almost worthless.
0
noad (Author) Commented:
ok,
I'll install it now, can you forward the screen shots?
Thanks
0
colditzz Commented:
You get a 120 day trial for the RDSH role, so install that to be able to test the functionality prior to ordering the licenses.
In addition to adding the group to the 'Remote Desktop Users' local group, I always add the AD group (in your case 'TSRemote') to the 'Allow log on through Remote Desktop Services' role under User Rights Assignment.  Assuming you are using Group Policy, you should configure this in a GPO that sits above the RDS Server - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow log on through Remote Desktop Services.  Ensure you configure all groups that should be able to log on via RDS (Domain Admins, Remote Desktop Users, 3rd Line, etc...) though as this will overwrite the existing 'members' of this setting.
0
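A way to audit the two settings discussed in the replies above, the 'Allow log on through Remote Desktop Services' user right and the local 'Remote Desktop Users' group. This is an added example, not part of any poster's reply; it assumes an elevated PowerShell prompt on the server, and the temp file name is arbitrary.

```powershell
# Added example: audit who may log on through Remote Desktop Services.
# Run from an elevated PowerShell prompt on the server being checked.

$adGroup  = 'TSRemote'         # AD group name taken from the thread
$mustKeep = @{                 # well-known SIDs that should not lose the right
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-555' = 'BUILTIN\Remote Desktop Users'
}

# Export the current user-rights assignments from the security database.
$cfg = Join-Path $env:TEMP 'user_rights_audit.inf'   # arbitrary file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# SeRemoteInteractiveLogonRight is "Allow log on through Remote Desktop Services".
$line = Get-Content $cfg |
    Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' } |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        $name  = $entry
        if ($entry.StartsWith('*')) {
            # Entries starting with * are SIDs; resolve them to account names.
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }   # unresolvable SID: keep the raw entry
        }
        [pscustomobject]@{ Raw = $entry.TrimStart('*'); Name = $name }
    })
}

Write-Output 'Accounts holding SeRemoteInteractiveLogonRight:'
$holders | Format-Table -AutoSize | Out-String

# A GPO that defines this right replaces the whole list, so check nothing was dropped.
foreach ($sid in $mustKeep.Keys) {
    if ($holders.Raw -notcontains $sid) {
        Write-Warning "$($mustKeep[$sid]) ($sid) does not hold the right"
    }
}
if (-not ($holders | Where-Object { $_.Name -like "*\$adGroup" })) {
    Write-Output "$adGroup is not listed directly; it needs the right via a group that is."
}

# Local group membership: a nested AD group shows up as a single DOMAIN\group entry.
net localgroup 'Remote Desktop Users'
```

Running it before and after linking a GPO that sets this user right shows whether the policy replaced groups that still need to log on.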
Cliff Galiher Commented:
Installing the role makes a lot of those changes automatically. Which is why I suggested installing it. In a normal environment, it'll usually "just work."
0
colditzz Commented:
I agree, Cliff, that it does. I always like the belts & braces approach though to ensure admin users don't get locked out if something goes wrong!
0
noad (Author) Commented:
Cliff,

Let me explain step by step what I'm doing, also just to be clear I'm doing this on a WIN Srv 2012 R2

1- I created an OU (Remote Users), in that OU I created a Security Group (TSUsers) and (2) users (TSUSer01 & TSUSer02)

[Screenshot: OU, Security Group]

2- Went into System and under Remote Settings I added the TSUsers Security Group

[Screenshot: Remote Settings]

3- Under the Security Group Members tab I added the users (TSUser01 & TSUser02)

[Screenshot: Users added to Security Group]

4- Should I or should I not, under the Members of Tab in the security group, add the (Remote Desktop Users)? As you can see I added them

[Screenshot: Members of Tab]

5- Log in as user (tsuser02), asked to change the password

[Screenshot: Log in]

6- Password changed correctly

[Screenshot: Password change]

7- Unable to log in

[Screenshot: Unable to log in]

Now unless I'm completely wrong, what part in the above steps is incorrect?

Thanks for all of your help.
0
colditzz Commented:
Hi Noad,

As Cliff and I have already pointed out, you need to install the 'Remote Desktop Services Host (RDSH)' role for this to work (in the way you are trying to configure it).
If you don't have the RDSH role installed, you should A) install it, or B) follow my instructions from above;

"add the AD group (in your case 'TSUsers') to the 'Allow log on through Remote Desktop Services' role under User Rights Assignment.  Assuming you are using Group Policy, you should configure this in a GPO that sits above the RDS Server - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow log on through Remote Desktop Services.  Ensure you configure all groups that should be able to log on via RDS (Domain Admins, Remote Desktop Users, 3rd Line, etc...) though as this will overwrite the existing 'members' of this setting. "
0
Cliff Galiher Commented:
None of your steps are incorrect. But they *are* incomplete.

Now here is the real rub; even if you go the extra mile and complete those steps, it'll all get undone when you do install the RDSH role, which you say you plan on doing. And the potential side-effect is that you'll break applications in the process.

Microsoft Office is a good example of an application where the installer specifically looks for the RDSH role and does things differently if it knows it is getting installed in that scenario.

So you could manually configure everything, include the missing security policy steps, install office, test, see everything is okay, install RDSH, go back and fix all of the stuff RDSH undid, and STILL find office doesn't work right.

Sound fun?  

I stand by my recommendation. If you plan on installing and configuring RDSH, *do it now.* I can't understand why you are putting it off.
0
noad (Author) Commented:
Cliff,

I got this working like this (steps I showed you) on Srv 2008 R2.... I understand and agree on what you are recommending me to do. Here is the skinny on the situation.

New client
Had 1 srv ( Srv212 Standard R2 ) 12 gig of mem and RAID 1 ( 2 500gig H.D )
I need to, for approx 2 to 3 months, do everything on this one Srv, going VDI with new system.
For now I need to allow (2) VM and 2 TS connections.
They have a Lic for TS for 5 users which I will install.
But, putting your recommendation aside, which I agree. Why can't I log in with a user that I have on a Security Group that has the correct settings? it should, why is it not working is my question, that is what I want to fix. It should just work, right?

Also in the Members of Tab, should the Remote Desktop User be there???
0
noad (Author) Commented:
colditzz

Can you explain in more details? Like I said I have used the above setup on WIN2008R2 and it worked no problem, so why is it not working now if I'm doing the same steps?

I'm not trying to beat a dead horse here, just want answers as to why it works on one system and not another?
Is it a WIN20012 R2 problem?

Thank you for all of your help
0
Cliff Galiher Commented:
Windows server is not set up for remote users by default. There are several places that the users must be added. So the answer to the question of "It should just work, right?" is *NO.*

If you want to fix it, install the RDSH role. That's it. It is that simple. If you want to work around it, give yourself a ton of headaches, and potentially be illegal, just to prove you "fixed" it, then reread the other answers here. The answer has been given, and I'm not inclined to repeat it because you didn't read it properly.

For the record, I am not bashing any other expert for giving the alternate advice. It was technical and accurate. I just don't believe it needs to be repeated and since you plan on installing RDSH, is not necessary.
0

noad (Author) Commented:
Cliff,

No worries,
Like I said before, I agree with you.
But I was able to get it working on Srv 2008R2 and not on WIn 20012R2.
No, I don't want to create a ton of work for myself, but YES I want to understand why it's not working now.
Should I just get it up and running? Absolutely
Will it save me tons of work? I'm sure it will
Am I going to? Absolutely NOT.
Why? Simple, I'm wired that way. I want to know and understand why it's not working on Srv 2012 R2, may just be a simple answer, I just have to find it; that's all.

My true background is Fire Rescue. I do I.T. work because I enjoy the challenge and I'm used to exploring and looking for answers; true enough, sometimes the answer is just right in front of my face, maybe this is the same, it just is what it is, but I will explore it more and see if there are other reasons as to why it's not working on Srv 2012R2 when it works on Server 2008 R2.

As for the repeating part....
I agree and I have to tell you I broke my own rule.

Again Thank you for all of your help
0
noad (Author) Commented:
Simple to the point solutions.
0
Question has a verified solution.