Remote Desktop Connection Denied because the user account is not authorized for remote login

    Question

  • My company has an Operations Centre that is staffed 24/7 and monitors our web servers for issues. Members of the Operations Centre require the ability to RDP on to any one of 500 web servers if a problem is reported on any web server. As those staff are not fully trained Windows Administrators, I don't want to give them Domain Admin rights and am looking for a way to grant them RDP access.

    I have made those users members of a group called GNOC Admins. I have added GNOC Admins to the built-in domain group Remote Desktop Users and also configured group policy so that GNOC Admins have the right to log on locally and the 'log on through terminal services' right and applied this group policy to all domain servers. However, when attempting to connect, those users receive the error message "the connection was denied because the user account is not authorised for remote login" when attempting to RDP on to a server.

    I know I can add this GNOC group to the local Remote Desktop Users group on each web server manually, but there must be a better way than manually configuring this on 500+ web servers! Can group policy be used for this? I've been scratching my head on this one for the last couple of days.

    Thanks,

    Robin.

    Wednesday, November 04, 2009 9:20 PM

Answers

  • Hi Robin,

    Does the solution work? Please feel free to let us know if you need any further help.

    Thanks.

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

    Friday, November 13, 2009 6:59 AM
  • Hi Lionel,

    The solution does work but unfortunately isn't suitable for my environment as a number of servers (around 10%) have 1 or 2 other groups or users that are in the local administrators group on the server that need to remain as local admins, and the restricted groups group policy replaces membership of the local admins group but doesn't append.

    I need to keep existing users in the local administrators group.

    In the end I used a vbscript that read a list of computer names and added the GNOC Admins group to the local admins group on each computer.

    Thanks,

    Robin.
    Sunday, November 15, 2009 9:26 AM
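The per-server approach Robin describes (read a list of computer names, append a domain group to a local group on each) can be done with a few lines of PowerShell using the ADSI WinNT provider, which also works on older servers that lack the LocalAccounts cmdlets. The script below is an added example, not Robin's VBScript; the list file path, the CONTOSO domain name and the credentials are assumptions. It targets the local Remote Desktop Users group rather than Administrators, since RDP access was the actual requirement, and it only ever appends, so existing members are untouched. It re-reads the membership after the change and writes out any server that did not end in the expected state.

```powershell
# Added example (not from the thread): append a domain group to a local group on
# every server in a list, then verify. Run from an account that is a local
# administrator on each target. Domain, group and file names are assumptions.

param(
    [string]$ComputerList = '.\webservers.txt',     # one hostname per line (assumed path)
    [string]$Domain       = 'CONTOSO',               # assumed NetBIOS domain name
    [string]$DomainGroup  = 'GNOC Admins',           # group from the thread
    [string]$LocalGroup   = 'Remote Desktop Users'   # least privilege: RDP only, not Administrators
)

function Get-LocalGroupMemberPath {
    # Returns the ADsPath of every member, e.g. WinNT://CONTOSO/GNOC Admins
    param([string]$Computer, [string]$Group)
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    $grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Add-DomainGroupToLocalGroup {
    param([string]$Computer, [string]$Domain, [string]$DomainGroup, [string]$LocalGroup)
    $memberPath = "WinNT://$Domain/$DomainGroup"
    $existing = Get-LocalGroupMemberPath -Computer $Computer -Group $LocalGroup
    if ($existing -contains $memberPath) {
        return 'AlreadyMember'          # idempotent: nothing changed, nothing removed
    }
    $grp = [ADSI]"WinNT://$Computer/$LocalGroup,group"
    $grp.psbase.Invoke('Add', $memberPath)   # appends; other members are left as they are
    # Re-read the group so the report reflects what is actually on the server
    $after = Get-LocalGroupMemberPath -Computer $Computer -Group $LocalGroup
    if ($after -contains $memberPath) { return 'Added' } else { return 'VerifyFailed' }
}

$results = foreach ($computer in Get-Content $ComputerList | Where-Object { $_.Trim() }) {
    $computer = $computer.Trim()
    try {
        $status = Add-DomainGroupToLocalGroup -Computer $computer -Domain $Domain `
                      -DomainGroup $DomainGroup -LocalGroup $LocalGroup
    } catch {
        $status = "Error: $($_.Exception.Message)"   # unreachable host, access denied, no such group
    }
    [pscustomobject]@{ Computer = $computer; LocalGroup = $LocalGroup; Status = $status }
}

$results | Format-Table -AutoSize
# Anything other than Added / AlreadyMember needs a second look before the team relies on it
$results | Where-Object { $_.Status -notin 'Added', 'AlreadyMember' } |
    Export-Csv -NoTypeInformation -Path '.\rdp-group-failures.csv'
```

Because the script reads the group back after each change, a run against the full list doubles as an audit: a server that shows `AlreadyMember` on the first pass already had the group (possibly from a previous GPO refresh), and a server that shows an error is one the operations team still cannot reach by RDP. Unlike Restricted Groups with "Members of this group", this never removes anything, so the servers with extra local administrators Robin mentions keep them.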
  • Hi Robin

    You should be able to use Restricted Groups in the way that you need to. Instead of specifying Remote Desktop Users when prompted to add a group, specify GNOC Admins instead. Then select the option "This group is a member of:" and specify Remote Desktop Users.

    This way, the GNOC Admins group will become a member of Remote Desktop Users without replacing the existing group membership.

    Tony
    www.activedir.org
    blog: www.open-a-socket.com
    Sunday, November 15, 2009 6:53 PM

All replies

  • The Remote Desktop Users domain group (as opposed to the local group on server) is for allowing users to log on to Domain Controllers via RDP.  This is required because DCs don't have local groups.

    You should be able to work around your problem by using the Restricted Groups feature within Group Policy.  You can make your GNOC Admins group a member of Remote Desktop Users (in Restricted Groups) and apply that policy to your web servers.

    Google search should give the procedure to use Restricted Groups, but shout if you get stuck.

    Tony
    Wednesday, November 04, 2009 10:09 PM
  • Hello Robin,

    Thanks for posting in our forum.

    What Tony said is correct. Adding the domain users into the Remote Desktop Users group of the Domain Controller just allows the users to remotely access the DC at the policy setting level, rather than the TS/RDS servers belonging to the domain. For the latter result, you need to add the GNOC group into the Remote Desktop Users group of each individual target server.

    To get this job done more conveniently, as Tony suggests, please use the Restricted Groups of the Group Policy settings to add the group into the Remote Desktop Users group. The steps are as below:

    1.     Add all the Web servers that you want to grant access to into an OU, for example OU WebServer.

    2.     Create and link a group policy object to the WebServer OU and then edit it.

    3.     Expand Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups, right-click the panel on the right and select Add Group…

    4.     Input the Group name: Remote Desktop Users and click OK.

    5.     In the next window, click Add… for the upper panel.

    6.     Click the Browse… button and confirm that you have chosen the right group, in your case GNOC Admins. Click OK.

    After the target web servers update the group policy manually (gpupdate) or automatically, the group will be added into the local Remote Desktop Users group. In that case, it has the permissions to remotely access the Web servers.

    Hope my steps above help. Please feel free to let us know if you need any further assistance. Thanks.

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

    Thursday, November 05, 2009 10:20 AM
  • Hello Robin,

    As the thread has been quiet for a while, could you leave us a note and let us know the status of the issue now?

    We're glad to provide further assistance based on your needs.

    Thanks.

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

    Monday, November 09, 2009 8:41 AM
  • Hi Lionel,

    Thanks to yourself and tony for your help.

    I'll be testing this shortly and will let you know how it goes but I've no doubt this will work.

    Regards,

    Robin
    Tuesday, November 10, 2009 10:36 AM
  • Hello Robin,

    Thanks for letting us know the result. Does the final VBscript solution work for your environment? Does the workaround provided by Tony Murray work?

    We'd like to help you further based on your needs.

    Thanks

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

    Monday, November 16, 2009 3:55 AM
  • Hi Lionel,

    The vbscript has worked for me.

    I've not tried Tony's workaround but will certainly use Terry's workaround at some point.

    Thanks again,

    Robin.
    Wednesday, November 18, 2009 9:06 PM
  • I had a similar issue where I had to add groups of users to the local policy for Remote Desktop Users and this worked perfectly for me. Here is my summary of Tony's work below. Thanks Tony!

    Append local RDP policy with GPO

    To get this job done more conveniently, as Tony suggests, please use the Restricted Groups of the Group Policy settings to add the group into the Remote Desktop Users group. The steps are as below: 

    1.     Create a group policy object for the Organizational Unit that contains the machines and then edit it.

    2.     Expand Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups, right-click the panel on the right and select Add Group…

    3.     Input the group name, e.g. "Corporate Admins", and click OK.

    4.     In the next window, select the option "This group is a member of:" and specify Remote Desktop Users

    *Hint: Click Browse… button and confirm that you have chosen the right group. Click OK

    After the target machines update the group policy manually (gpupdate) or automatically, the group will be added into the local Remote Desktop Users group. In that case, it has the permissions to remotely access the machines.

    Note: I also added an enable for RDP on this policy by doing: Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections\Allow users to connect remotely using Terminal Services setting.

    I already have windows firewall disabled for my clients otherwise I would have had to include an exception for RDP through windows firewall here too.

    Wednesday, February 03, 2010 1:13 PM
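The two Restricted Groups forms discussed in this thread (Lionel's steps, which put GNOC Admins in the "Members of this group" list of Remote Desktop Users, and Tony's reply, which instead lists Remote Desktop Users under "This group is a member of" for GNOC Admins) are stored in the GPO's security template, `MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf` under the policy folder in SYSVOL. The fragment below is an added example, not taken from the thread or from any real GPO; it shows both forms side by side so the difference is visible in the file itself. A real template would contain one or the other. The CONTOSO domain and the group names are assumptions; whether the editor stores the domain group by name or by its `*S-1-5-21-…` SID depends on whether it resolved at edit time, so it is shown by name here for readability. `S-1-5-32-555` is the well-known SID of BUILTIN\Remote Desktop Users.

```ini
; Added example (not from the thread): Restricted Groups as written to GptTmpl.inf.
; CONTOSO and the group names are assumptions; *S-1-5-32-555 is BUILTIN\Remote Desktop Users.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[Group Membership]
; Form 1 ("Members of this group" on Remote Desktop Users). This is authoritative:
; on every refresh the local group is made to contain exactly this list, so anything
; that was added on the server itself is removed. This is the replace behaviour Robin hit.
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = CONTOSO\GNOC Admins

; Form 2 ("This group is a member of" on GNOC Admins). Only guarantees that GNOC Admins
; is in the local group; whatever else is in Remote Desktop Users is left alone.
CONTOSO\GNOC Admins__Memberof = *S-1-5-32-555
CONTOSO\GNOC Admins__Members =
```

After `gpupdate /force` on a target, `net localgroup "Remote Desktop Users"` shows which form took effect: with Form 1 the output contains only GNOC Admins; with Form 2 it contains GNOC Admins plus any members that were already there. The same distinction applies if the group in question is Administrators (`*S-1-5-32-544`), which is where an authoritative list does the most damage, since it silently strips the extra local admins on the 10% of servers Robin describes.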