Remote Desktop GPO: Allowed Users Still Denied

    I have a GPO that grants certain groups logon/remote rights to a group of servers. However, users in the group get denied logon access unless they are explicitly added to the remote desktop properties on the servers.

    For example, usrtest2 is a domain user but still gets denied access to a server in the group the GPO is attached to.

    Are there other settings I need to change for this to work?

  • #2
    Re: Remote Desktop GPO: Allowed Users Still Denied

    Two things are needed:

    1. The user right to log on through Terminal Services/Remote Desktop Services.

    2. User Access and Guest Access permissions on the RDP protocol on the server.

    Adding the users/groups in question to the Remote Desktop Users group accomplishes both of these. If you're giving individual users/groups the right but not adding them to the Remote Desktop Users group then you need to manually assign them the User Access and Guest Access permissions on the RDP protocol on the server.



    • #3

      Originally posted by joeqwerty (#2 above).

      That's the confusing thing, because the user I'm testing with is a member of the Remote Desktop Users group. Here is my setup:

      1. Server I'm trying to remote into (HOPPER).
      2. User I'm using (usrTest2)
      3. HOPPER is in an OU called "Multi Access"
      4. The Multi Access OU has a GPO applied which allows "Logging on locally" and "Logging on through Terminal Services" for usrTest2 (and other groups).
      5. One thing I noticed in the RDP protocol settings on HOPPER is that Remote Desktop Users has remote permissions, but it's not the domain group (it's HOPPER\Remote Desktop Users). This shouldn't matter, but I thought I would include it just in case.

      Please see the attached pictures for a better look.

      Any idea what's wrong?


      • #4

        It does matter, because the domain Remote Desktop Users group in the domain Builtin container proffers the ability to log onto Domain Controllers via RDP. It has no bearing on member servers. Users need to have membership in the local Remote Desktop Users group on the specific server in question.

        When a domain is created, all the local groups on the server that is promoted to a domain controller are converted into domain groups and placed in the domain Builtin container. Most of these groups are relevant for actions and user rights related to domain controllers, not member servers.

        https://technet.microsoft.com/en-us/...(v=ws.10).aspx



        • #5

          Originally posted by joeqwerty (#4 above).

          Is it not possible to allow users remote login rights via GPO then? They need to be given explicit remote rights on the system?

          usrTest2 is a domain user, and domain users have permissions in the GPO for both logging on locally and logging on through Terminal Services.

          If both conditions are met, why can't the user remote in and logon?
          Last edited by blashmet; 10th February 2015, 19:16.



          • #6

            You haven't met both of the conditions that I explained; rights AND permissions. The user must have the appropriate rights AND permissions. You've only met the condition that they have the appropriate rights. You haven't met the condition that they have the appropriate permissions.

            User rights and user permissions are different things. User rights grant the user the ability to do something (perform some action, like log on to a server remotely). User permissions grant them access to something (objects). You've granted them the right to log on remotely, but you haven't granted them the permission on the object (the RDP protocol on the server).

            Perhaps these two articles will explain it better than I can:

            http://blogs.technet.com/b/askperf/a...ers-group.aspx

            https://technet.microsoft.com/en-us/...(v=ws.10).aspx



            • #7

              Originally posted by joeqwerty (#6 above).

              Thanks. I got it working by editing our domain GPO to add Domain Users to the local Remote Desktop Users group on every system in the domain. Separate GPOs give the required rights.

              I'm wondering why adding Domain Users to the Builtin Remote Desktop Users group in AD doesn't accomplish the former, though. When I added Domain Users to the local Remote Desktop Users group in the GPO, it was referenced as "Builtin\Remote Desktop Users".

              Is there both a domain Remote Desktop Users group and a local one on each system (that are different)?

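Added example, not posted in the thread: a PowerShell check, run in an elevated PowerShell 5.1 session on the member server itself (HOPPER in the thread), that reports for one account the three things the replies above distinguish: the "log on through Remote Desktop Services" user right, membership of the server's local Remote Desktop Users group, and the User Access/Guest Access permissions on the RDP-Tcp listener. The account name CONTOSO\usrTest2 is a placeholder; the Win32_TSAccount class and the 0x20 (WINSTATION_LOGON) bit come from the Terminal Services WMI provider, not from the thread.

```powershell
# Added example (not from the thread). Run elevated on the target server.
param([string]$Account = 'CONTOSO\usrTest2')   # placeholder domain\user

$nt     = New-Object System.Security.Principal.NTAccount($Account)
$sid    = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$rduSid = 'S-1-5-32-555'   # well-known SID of the LOCAL BUILTIN\Remote Desktop Users group

# 1. User right: "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight).
#    secedit exports the effective local policy, GPO-applied user rights included.
$cfg = Join-Path $env:TEMP 'rdp-check.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$entry = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$rightSids = @()
if ($entry) {
    $rightSids = ($entry.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}
$hasRightDirect = $rightSids -contains $sid
$hasRightViaRdu = $rightSids -contains $rduSid

# 2a. Membership of the LOCAL Remote Desktop Users group. The domain "Builtin" group of the
#     same name only matters on domain controllers. Nested domain groups are not expanded here.
$members    = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
$inLocalRdu = @($members | Where-Object { $_.SID.Value -eq $sid }).Count -gt 0

# 2b. Permissions on the RDP-Tcp listener (what the User Access / Guest Access presets set).
#     Win32_TSAccount returns one entry per ACE; bit 0x20 is WINSTATION_LOGON, present in both presets.
$aces = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSAccount `
        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
$logonAces          = $aces | Where-Object { ($_.PermissionsAllowed -band 0x20) -ne 0 }
$listenerGrantsUser = @($logonAces | Where-Object { $_.SID -eq $sid }).Count -gt 0
$listenerGrantsRdu  = @($logonAces | Where-Object { $_.SID -eq $rduSid }).Count -gt 0

# Both the right AND the listener permission must be satisfied, directly or via the local group.
[pscustomobject]@{
    Account                   = $Account
    HasRemoteLogonRight       = $hasRightDirect -or ($hasRightViaRdu -and $inLocalRdu)
    InLocalRemoteDesktopUsers = $inLocalRdu
    RdpTcpAllowsLogon         = $listenerGrantsUser -or ($listenerGrantsRdu -and $inLocalRdu)
    RdpTcpLogonAccounts       = ($logonAces | ForEach-Object { $_.AccountName }) -join ', '
}
```

If HasRemoteLogonRight is true but RdpTcpAllowsLogon is false, the account is in exactly the state the thread describes: the GPO granted the right, but nothing granted the listener permission.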