Solved

Purpose of Remote Desktop GPO if machines needs to be configured locally

Posted on 2014-09-06
7
268 Views
Last Modified: 2014-09-11
Hi,

I created A GPO in my Windows server 2012 domain to allow users to connect to workstations remotely through Remote Desktop.

Following procedure had been applied: http://www.dannyeckes.com/server-2012-enable-remote-desktop-rdp-group-policy-gpo/

GPO have been updated (gpudate / force) and workstation even rebooted.

Users that have no administrator privilege cannot remotely login and get the following messages: "The connection was denied because the user account is not authorized for remote login"

I have read on different posts that the remote desktop permissions should be given locally by adding the necessary groups / users. Didn't try but that will work for sure.

I'm wondering what is then the purpose of the GPO if permissions are to be given locally !
And also, what do you do if you have 200 machines to configure !

Regards,


David
0
Comment
Question by:Urbantrax
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40307583
You usually wouldn't ever give remote access to 200 machines. Not just because of the policy issue, but because of the network traffic l, management, information security....remote desktop was never designed to be used in that way.

You'd instead set up RDSH or RDVH, and in that setup, you don't configure or touch a bunch of individual machines. Your desktops are centralized on fewer large servers. RDSH makes the necessary changes by default, and RDVH is based off an image that has been purpose-built for the task and also has the necessary changes. So touching local installs becomes a non-issue.

So basically if you are trying to allow access to 200 workstations ,chances are you are doing something wrong. And are probably breaking the software EULA in the process.
0
 

Author Comment

by:Urbantrax
ID: 40307716
200 workstations is of course only an example. The goal is here to allow some users to access physical machines remotely if needed. I'm trying to understand why the GPO doesn't work or, in other words, to understand what is the purpose of such a GPO while it seems mandatory (correct me if I'm wrong) to still manually add a selection of users/domain groups on each machine.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40307722
As I said, the purpose of the GPO is meant to control RDSH/RDVH servers. In those environments the GPO is an effective tool. It is NOT meant to be used how you are trying to use it, and so it is proving to be less than ideal. You are trying to use a screwdriver to pound in a nail.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 

Accepted Solution

by:
Urbantrax earned 0 total points
ID: 40307843
Don't agree with your vision. Remote Desktop GPO already existed before RDSH/RDVH servers and it is a valid way to connect remotely to Windows workstations. I succeeded to solve the issue: It was apparently a security filtering issue (to be confirmed) or a gpupdate issue.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40307886
RDSH used to be called TS, and has been built into windows just as long as group policies have, since windows 2000. So you at closjg a question when you haven't prove  your own theory (which you admit to with your "to be confirmed" comment AND your "facts" are blatantly wrong. But good luck to you. I'll remember you and won't help further since you clearly know the answer before you ever ask the question.
0
 

Author Comment

by:Urbantrax
ID: 40308293
Excuse me Cliff but you simply didn't answer the original question (how can I allow some users to connect to workstations through RDP using GPOs and without having to add local security manually) and I didn't know the answer before posting. I just kept on reading and trying.

I can know confirm that the default "Authenticated Users" group in the "Security Filtering" section of the GPO needs to be replaced by the group "Remote Desktop Users" (in my case) and do a gpupdate. This wasn't described in the procedure I used as you can verify.

Before virtualization existed, it was already possible to connect to workstations through RDP using GPOs. That is all I wanted to do. So please, be a good player !
0
 

Author Closing Comment

by:Urbantrax
ID: 40316497
No solution provided by member. Solved myself.
0

Featured Post

SendBlaster Pro 4 - Bulk Email Sending Software

SendBlaster 4 Pro - Best Bulk Emailing Sending Software
Automatic Subscribe / Unsubscribe Processing
Great for Newsletters & Mass Mailings
Optional HTML & Text Composition
Integration with Google Features
Built in Spam Score Checking
Free Professional Templates - Feature Packed!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This Micro Tutorial will teach you how to the overview of Microsoft Security Essentials. This is a free anti-virus software that guards your PC against viruses, spyware, worms, and other malicious software. This will be demonstrated using Windows…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question