noad asked:

Unable to RDP

I created an OU named (remote users). In that OU I created a user named (tsuser01), and in that same OU I created a Security Group named (TSRemote). I added the user (tsuser01) to the security group (TSRemote) and made the security group a member of (Remote Desktop Users), but I can't get the user to log in. I continue to get this error.



Can anyone please explain to me what I'm doing wrong....

Thanks
Cliff Galiher

You must also add the group to the remote users section under computer properties if the server does not have the RDSH role installed. By default only local admins are. And keep in mind that if these users are not local admins, you are probably in violation of licensing. Non-admin work requires the RDSH role and RDS CALs.
noad (ASKER)

We are going to install Remote Service with a 7 user lic, but I want to make sure that the group side is set up beforehand.

I added the group to the remote users on the computer under properties and it still does not allow the user to remote in.

Any ideas as to why?
Installing the RDSH role makes significant changes. Don't try to make it work without the RDSH role if you plan on installing it later. It'll break stuff. Install and configure the role first. You'll have an evaluation window (several months) to test and tweak.
noad (ASKER)

cliff

Just to make sure that I am not mistaken, can you break it down for me, maybe a snapshot?


Thanks
All I'm saying is install the RDSH role if that is your ultimate plan anyways. The changes it makes will make any screenshots I take for configuring without it almost worthless.
noad (ASKER)

ok,
I'll install it now, can you forward the screen shots?
Thanks
You get a 120 day trial for the RDSH role, so install that to be able to test the functionality prior to ordering the licenses.
In addition to adding the group to the 'Remote Desktop Users' local group, I always add the AD group (in your case 'TSRemote') to the 'Allow log on through Remote Desktop Services' role under User Rights Assignment.  Assuming you are using Group Policy, you should configure this in a GPO that sits above the RDS Server - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow log on through Remote Desktop Services.  Ensure you configure all groups that should be able to log on via RDS (Domain Admins, Remote Desktop Users, 3rd Line, etc...) though as this will overwrite the existing 'members' of this setting.
Installing the role makes a lot of those changes automatically. Which is why I suggested installing it. In a normal environment, it'll usually "just work."
I agree, Cliff, that it does. I always like the belts & braces approach though to ensure admin users don't get locked out if something goes wrong!
noad (ASKER)

Cliff,

Let me explain step by step what I'm doing, also just to be clear I'm doing this on a WIN Srv 2012 R2

1- I created an OU (Remote Users); in that OU I created a Security Group (TSUsers) and (2) users (TSUSer01 & TSUSer02)

2- Went into System and under Remote Settings I added the TSUsers Security Group

3- Under the Security Group Members tab I added the users (TSUser01 & TSUser02)

4- Should I or should I not, under the Member Of tab in the security group, add the (Remote Desktop Users)? As you can see I added them

5- Log in as user (tsuser02), asked to change the password

6- Password changed correctly

7- Unable to log in

Now unless I'm completely wrong, what part in the above steps is incorrect?

Thanks for all of your help.
Hi Noad,

As Cliff and I have already pointed out, you need to install the 'Remote Desktop Services Host (RDSH)' role for this to work (in the way you are trying to configure it).
If you don't have the RDSH role installed, you should A) install it, or B) follow my instructions from above;

"add the AD group (in your case 'TSUsers') to the 'Allow log on through Remote Desktop Services' role under User Rights Assignment.  Assuming you are using Group Policy, you should configure this in a GPO that sits above the RDS Server - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow log on through Remote Desktop Services.  Ensure you configure all groups that should be able to log on via RDS (Domain Admins, Remote Desktop Users, 3rd Line, etc...) though as this will overwrite the existing 'members' of this setting. "
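
As an added example (not part of the original thread), the PowerShell below audits what the post above describes: who holds 'Allow log on through Remote Desktop Services' (`SeRemoteInteractiveLogonRight`), who is explicitly denied, and whether the AD group is in the local 'Remote Desktop Users' group. It assumes an elevated session on the target server, English group names, and the group name 'TSUsers' from the thread; `Get-UserRightHolder` is a helper name invented for this example.

```powershell
# Added example: audit RDP logon rights on this server (run elevated).
param([string]$Group = 'TSUsers')   # group name taken from the thread

function Get-UserRightHolder {
    param([Parameter(Mandatory)][string]$Right)
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export the current user rights assignments on this machine to an INF file.
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $hit = Select-String -Path $cfg -Pattern "^$Right\s*=" | Select-Object -First 1
        if (-not $hit) { return @() }          # right is assigned to nobody
        foreach ($entry in ($hit.Line -split '=', 2)[1].Split(',')) {
            $value = $entry.Trim().TrimStart('*')
            if ($value -notmatch '^S-1-') { $value; continue }
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier $value
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $value }                 # orphaned SID: report it raw
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$pattern = '(^|\\)' + [regex]::Escape($Group) + '$'
$allow   = @(Get-UserRightHolder 'SeRemoteInteractiveLogonRight')
$deny    = @(Get-UserRightHolder 'SeDenyRemoteInteractiveLogonRight')

# Members of the local 'Remote Desktop Users' group via the WinNT ADSI provider.
$rdu     = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
$members = @($rdu.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })

[pscustomobject]@{
    Group                = $Group
    AllowRightHolders    = $allow -join '; '
    DenyRightHolders     = $deny -join '; '
    RduHoldsAllowRight   = [bool]($allow -match '(^|\\)Remote Desktop Users$')
    GroupInLocalRdu      = [bool]($members -match $pattern)
    GroupHoldsAllowRight = [bool]($allow -match $pattern)
    GroupDenied          = [bool]($deny -match $pattern)
}
```

If `RduHoldsAllowRight` is false, a policy has replaced the allow list without 'Remote Desktop Users', so membership of that local group alone no longer grants the right; this is the overwrite caveat in the post above.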
None of your steps are incorrect. But they *are* incomplete.

Now here is the real rub; even if you go the extra mile and complete those steps, it'll all get undone when you do install the RDSH role, which you say you plan on doing. And the potential side effect is that you'll break applications in the process.

Microsoft Office is a good example of an application where the installer specifically looks for the RDSH role and does things differently if it knows it is getting installed in that scenario.

So you could manually configure everything, include the missing security policy steps, install office, test, see everything is okay, install RDSH, go back and fix all of the stuff RDSH undid, and STILL find office doesn't work right.

Sound fun?  

I stand by my recommendation. If you plan on installing and configuring RDSH, *do it now.* I can't understand why you are putting it off.
noad (ASKER)

Cliff,

I got this working like this ( steps I showed you ) on Srv 2008 R2.... I understand and agree on what you are recommending me to do. Here is the skinny on the situation.

New client
Had 1 srv (Srv 2012 Standard R2), 12 gig of mem and RAID 1 (2 500gig H.D)
I need to, for approx 2 to 3 months, do everything on this one Srv, going VDI with new system.
For now I need to allow (2) VM and 2 TS connections.
They have a Lic for TS for 5 users which I will install.
But, putting your recommendation aside, which I agree. Why can't I log in with a user that I have on a Security Group that has the correct settings? it should, why is it not working is my question, that is what I want to fix. It should just work, right?

Also in the Members of Tab, should the Remote Desktop User be there???
noad (ASKER)

colditzz

Can you explain in more details? Like I said I have used the above setup on WIN2008R2 and it worked no problem, so why is it not working now if I'm doing the same steps?

I'm not trying to beat a dead horse here, just want answers as to why it works on one system and not another?
Is it a WIN2012 R2 problem?

Thank you for all of your help
ASKER CERTIFIED SOLUTION
Cliff Galiher

This solution is only available to members.
noad (ASKER)

Cliff,

No worries,
Like I said before, I agree with you.
But I was able to get it working on Srv 2008R2 and not on Win 2012R2.
No, I don't want to create a ton of work for myself, but YES I want to understand why it's not working now.
Should I just get it up and running? Absolutely
Will it save me tons of work? I'm sure it will
Am I going to? Absolutely NOT.
Why? Simple, I'm wired that way. I want to know and understand why it's not working on Srv 2012 R2; there may just be a simple answer, I just have to find it; that's all.

My true background is Fire Rescue. I do I.T. work because I enjoy the challenge and I'm used to exploring and looking for answers; true enough, sometimes the answer is just right in front of my face. Maybe this is the same and it just is what it is, but I will explore it more and see if there are other reasons as to why it's not working on Srv 2012R2 when it works on Server 2008 R2.

As for the repeating part....
I agree and I have to tell you I broke my own rule.

Again Thank you for all of your help
noad (ASKER)

Simple to the point solutions.