authorizing remote desktop


So I'm trying to authorize remote desktop connection for our users in our domain. It seems what I did was unnecessary, since I was told someone made it work without touching the general policies.

I added the users that needed to do that to the group "remote desktop users" and I also added a GPO "Allow logon through Terminal Services" for the same users.

And now when I try to log on to a server with remote desktop connection it doesn't work anymore. But it works on a workstation.

So I tried adding the rights to do remote desktop connections and I lost the rights to do it on servers. Is it the fact that I am on the remote desktop users group? Would it be possible to be excluded from connecting to a server because of that?

Matthew Borrusso Commented:
I am not sure what you're looking to accomplish in the big picture.

If you have a group of servers or workstation acting as RDP hosts for clients to work off of, then you will need to make sure that each user has proper permissions to do so.

You could easily create a domain group that belongs to the local remote desktop users group on the systems in question. This should allow the user the privilege to login locally to the box itself (most important on the server side).

Otherwise, the account setting only grants or denies the user the right to use remote desktop or not. You still need to have permissions on the local machine to allow remote access. On the workstation side, if you add the domain user, or the group like I mentioned, to the local remote desktop users group, you should be fine as well.

If you want to do this on a grand scale, automated, you may either need to script out some changes using net user or push via GPO. It depends on your end result.
Matthew Borrusso Commented:
Think of the setting in the user account like a clapper in front of a desk lamp.

The account setting is on or off like the clapper, but that does not mean the desk lamp is on.

The local system's access permissions are the desk lamp.
Richard Daneke (Trainer) Commented:
If you are using the Small Business Server, there is a wizard in the setup to configure for remote access.  

Yes, it is to permit remote logon to the workstations.  In the User account properties, one can identify which workstation a user may connect to.  This way, remote users can connect to their individual workstations when working remotely.

The Administrator is permitted to logon to the server. Two concurrent remote connections are permitted.
Hypercat (Deb) Commented:
Are you trying to allow the users to connect to a terminal server, configured with user applications installed and terminal server licensing? In that case the configuration (adding the users to the remote desktop users group) has to be done on the terminal server, not the SBS server. You can do this in two ways:

1.  Add the users to the domain Remote Desktop Users group or some other custom group you create, and then add the domain group to the Local Users and Groups/Groups/Remote Desktop Users group on the terminal server (recommended method); or

2.  Add the individual domain user accounts to the terminal server Local Users and Groups/Groups/Remote Desktop Users group.
vanroybel (Author) Commented:

First, what do I want to accomplish:
I was able to log in to my server (SBS 2003) using the domain administrator account. I cannot do that anymore. I want to be able to do it again. I think it should be able to do that by default, but it seems by defining the access this doesn't work anymore.

So I've been testing a bit this morning, and the server is not the problem, it is the administrator account (domain administrator). We usually always used the domain administrator to login to the server in remote desktop. I cannot login to the server with this account anymore, but my personal account works. Problem is I need administrator access on the server to make things work so I will still need to use the domain administrator account to work on it.

This account worked by default before. Maybe I have to add it explicitly somewhere (I added it to the list of users authorized to access the computer through remote access).

If you have any suggestions it would be welcome.

(I cannot find any wizard to configure remote access on SBS 2003)
vanroybel (Author) Commented:
So for now the administrator has been added to the GPO "allow log on through terminal services" and also on the computer properties, remote tab, I added the user.
I don't know what more to do so that the administrator has the rights to use remote desktop.

Can it sometimes take time to apply the GPO?
vanroybel (Author) Commented:
Oh and also I tried to log on the administrator with RDC and I cannot either, I still get the error "To log on to this computer, you must be granted the Allow log on through Terminal Services Right...".
vanroybel (Author) Commented:
I meant I tried to log on to a computer in the domain that is not the server with RDC and I got this message.
Hypercat (Deb) Commented:
Ok - First of all, you CANNOT use your SBS2003 server as a terminal server.  The only remote desktop connections allowed for an SBS server are the 2 administrative connections.

You need to remove or disable the GPO you created if it is being applied to the server, and reboot the server.  Then go to the SBS2003 server and REMOVE any users that may still be listed due to the fact that the GPO was being applied to the server. You can do this by logging on locally to it, or by connecting via remote desktop to the admin console.  This is done by running the following command on the Run line on your workstation:

mstsc /v:[servername] /admin

When the logon box comes up, log on with the domain administrator user name and password. When you get connected to the server, then you can go into the system settings/Remote tab and REMOVE any users that you've added to the "Select Users" list.

Now, if you want to allow users to log on remotely to their workstations, you can do this through a GPO, but you have to create the GPO in a way that it is applied ONLY to the workstations and not to the server. You do not have to add the domain admin account to the "Allow logon through terminal services..." because it is by default allowed to log on either locally or remotely to any computer that is a member of the domain.
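
A way to check the condition described in the answer above, as an added example that is not part of the original thread: it parses a `secedit` user-rights export and reports whether BUILTIN\Administrators still holds "Allow log on through Terminal Services" (SeRemoteInteractiveLogonRight) once a GPO has defined that right. The sample export and its SIDs are constructed, and the function names are hypothetical.

```powershell
# Added example. On a live machine, create the export from an elevated prompt:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
# then pass (Get-Content C:\Temp\rights.inf) instead of $sample.

# Constructed sample: a GPO has set the right to two domain accounts
# (placeholder SIDs). A GPO-defined user right replaces the machine's list,
# so BUILTIN\Administrators (S-1-5-32-544) is no longer in it.
$sample = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-21-1111111111-2222222222-3333333333-1106
'@ -split "`r?`n"

function Get-RdpLogonRight {
    param([string[]]$InfLines)
    $line = $InfLines | Where-Object { $_ -match '^\s*SeRemoteInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }   # right not defined in this export
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        $sid = $null; $name = $entry          # secedit writes some entries as names
        if ($entry.StartsWith('*')) {         # "*S-1-..." marks a SID
            $sid = $entry.Substring(1)
            try {
                $obj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $name = $obj.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved on this machine)' }
        }
        [pscustomobject]@{ Sid = $sid; Name = $name }
    }
}

function Test-AdministratorsCanRdp {
    param([string[]]$InfLines)
    $hit = Get-RdpLogonRight -InfLines $InfLines | Where-Object {
        $_.Sid -eq 'S-1-5-32-544' -or $_.Name -match '(^|\\)Administrators$'
    }
    return [bool]$hit
}

Get-RdpLogonRight -InfLines $sample | Format-Table -AutoSize
if (-not (Test-AdministratorsCanRdp -InfLines $sample)) {
    Write-Warning 'Administrators is not in SeRemoteInteractiveLogonRight; check which GPO defines it (gpresult) and scope it to workstations only.'
}
```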

vanroybel (Author) Commented:
Thanks for the help, after removing users from both places I use remote desktop again with the administrator account.