none
Remote Desktop on a domain controller

    Question

  • HI

    I know a lot of discussion on this issue but still sucked

    I am trying to allow remote desktop on the domain controller.

    Thanks

    Adam


    • Edited by AdsMac1 Tuesday, June 23, 2015 1:06 AM
    Tuesday, June 23, 2015 12:33 AM

Answers

  • Hi Adam,

    I had a test on my environment it works. I did the following steps:

    >> Create a new user Test01 in Domain controller ADUC

    >> On the Domain Controller, go to Computer, right click computer select properties and then choose remote settings

    >>On the pop up window go to remote tab, under remote desktop select the second option. Click Select users, on the pop up window, click add to add Test01 user account. Apply the change.

    >> Open GPMC, create a new group policy named domain controller remote log on. Edit the policy go to Computer Configration>>Policies>>Windows Settings>>security Settings>>local policy>>User rights assignment>>allow log on through Remote desktop services

    >>Edit the selected policy, choose add user or group, add the tech01 account. OK. Save the change.

    >>gpupdate

    After that I can use Tech01 to remotely connected to the domain controller.

    Please have a try and check if it works?

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 1, 2015 8:27 AM
    Moderator

All replies

  • Checked this ? 

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/c8709b32-e950-4299-b1a5-704285dee7b1/allow-normal-user-to-login-to-domain-controller?forum=winserverDS


    Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, June 23, 2015 12:39 AM
  • Checked this ? 

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/c8709b32-e950-4299-b1a5-704285dee7b1/allow-normal-user-to-login-to-domain-controller?forum=winserverDS


    Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    That policy wasn't define, is it should be? I think it shouldn't be??
    • Edited by AdsMac1 Tuesday, June 23, 2015 12:52 AM spelling
    Tuesday, June 23, 2015 12:52 AM
  • As per my understanding, it needs to be set. 

    Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, June 23, 2015 2:14 AM
  • Thanks Arnav

    I enabled that and put a group that I don't want to have access so it then did gpupdate /force 

    Still isn't working.

    I am only new active directory so it may be a part that I am missing

    Tuesday, June 23, 2015 3:37 AM
  • Hello,

    the mentioned article have all required information. If you configure it that way correct it should work.

    Which GPO have you changed and where is it linked to?

    And keep in mind that domain users shouldn't have access to a DC!!!

    What is the need for this?


    Best regards

    Meinolf Weber

    MVP, MCP, MCTS

    Microsoft MVP - Directory Services

    My Blog: http://blogs.msmvps.com/MWeber

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Twitter:  

    Tuesday, June 23, 2015 7:09 AM
  • Hi

    Doing secpol.msc, shows that the settings is applied to the server

    it is a new GPO and the default setting for delegation

    the need for this is just allow the administrator group to remote desktop into the domain controller.

    • Edited by AdsMac1 Tuesday, June 23, 2015 8:21 AM added more details
    Tuesday, June 23, 2015 7:58 AM
  • Hello,

    "the need for this is just allow the administrator group to remote desktop into the domain controller."

    This is default configuration.


    Best regards

    Meinolf Weber

    MVP, MCP, MCTS

    Microsoft MVP - Directory Services

    My Blog: http://blogs.msmvps.com/MWeber

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Twitter:  

    Tuesday, June 23, 2015 10:51 AM
  • Hi again,

    do you have any idea that I get 'Access is denied' on the remote machine via remote connection

    it even does on virtual machine connection and it closes and open all itself and then work [ if that give you more clue into what wrong].  

    or is any way can i view the error in greater details in the logs

    Thanks

    Adam

    Tuesday, June 23, 2015 11:38 AM
  • Hi,

    Would you please check if you put the Administrator group in the remote desktop users and then have a try?

    Please let us know the result.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 25, 2015 9:45 AM
    Moderator
  • Hi,

    I had no luck doing that.

    - Adam


    • Edited by AdsMac1 Monday, June 29, 2015 4:09 AM quick edit
    Monday, June 29, 2015 4:08 AM
  • Hi Adam,

    I had a test on my environment it works. I did the following steps:

    >> Create a new user Test01 in Domain controller ADUC

    >> On the Domain Controller, go to Computer, right click computer select properties and then choose remote settings

    >>On the pop up window go to remote tab, under remote desktop select the second option. Click Select users, on the pop up window, click add to add Test01 user account. Apply the change.

    >> Open GPMC, create a new group policy named domain controller remote log on. Edit the policy go to Computer Configration>>Policies>>Windows Settings>>security Settings>>local policy>>User rights assignment>>allow log on through Remote desktop services

    >>Edit the selected policy, choose add user or group, add the tech01 account. OK. Save the change.

    >>gpupdate

    After that I can use Tech01 to remotely connected to the domain controller.

    Please have a try and check if it works?

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 1, 2015 8:27 AM
    Moderator