Remote Desktop Users cannot log in to workstation with remote desktop
Question
-
I added my old desktop running Windows 7 Professional 64-bit to my server's domain to see whether I wanted to convert my network to a domain. I have run into an issue with remote desktop. A domain administrator account can log in just fine, but trying to log in with an account in the domain (not local) Remote Desktop Users group results in being denied saying the user is not authorized for remote access. The account can log in to the server just fine. The account is not a Domain Admin or any other sort of Admin. I tried to add Remote Desktop Users to the locally allowed remote users, but I can't see or add any domain/builtin accounts. domain/users accounts show up just fine. I tried modifying the default domain policy to explicitly add domain/builtin/Remote Desktop Users, and after a restart I still can't log in with the user in question. I cannot add the domain/builtin/Remote Desktop Users group to the local group policy. I can add the LOCAL Remote Desktop Users group to the allowed logon groups, but not the domain equivalent. This user account has never logged in to this workstation before. The server is running Server 2008 R2.
Has anyone had a similar issue or have any ideas how to solve it? It doesn't seem like it should be this difficult...
Answers
-
Hi,
Thanks for your posting.
> I cannot add the domain/builtin/Remote Desktop Users group to the local group policy.
The Remote Desktop Users group is a built-in group; it is only available on the local computer. So you can't add a domain controller's Remote Desktop Users group to a local computer.
For the Group Policy “Allow users to connect remotely using Terminal Services”: if you enable the policy, you enable the Remote Desktop feature on the target computer, but you do not grant users permission to connect remotely to the target computer.
So add your specified user accounts to a security group, and then manually add the group to the Remote Desktop Users group on the target computer. Or use the Group Policy Preference Local Users and Groups feature to add the security group to target computers.
For more information please refer to following MS articles:
Add users to the Remote Desktop Users group
http://technet.microsoft.com/en-us/library/cc758036(v=WS.10).aspx
Allow users to connect remotely using Terminal Services
http://technet.microsoft.com/en-us/library/cc736745(WS.10).aspx
Group Policy Preference: Configure a Local Group Item
http://technet.microsoft.com/en-us/library/cc732525.aspx
Lawrence
TechNet Community Support
- Proposed as answer by Ace Fekay [MCT] Monday, April 9, 2012 2:51 PM
- Marked as answer by Lawrence,Moderator Friday, April 13, 2012 1:23 AM
All replies
-
If you can't add any domain accounts to the Windows 7's local Remote Desktop Users group, then there may possibly be an issue with domain communications.
I assume you are only using the domain controller's IP address for DNS on the Windows 7 client, and no other DNS address (such as an ISP's or the router as a DNS address)? If so, that will definitely cause this. Also, if the DC is multihomed and using some other DNS address other than only itself, that will definitely cause this too.
Let's see an unedited ipconfig /all from a sample Windows 7 machine that you are testing this on, and one from your domain controller. We can evaluate the settings and let you know if anything's amiss.
See if this helps, too:
Configure Remote Desktop Access on Windows 7 Systems
http://technet.microsoft.com/en-us/magazine/ff404238.aspx
Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
-
I can add domain accounts just fine, I only can't add builtin groups (like Remote Desktop Users). But, my understanding of the "Remote Desktop users" group is that they should just be able to log in without having to be added at a local level in the first place. Which is not happening.
I have my router set as a secondary DNS server, yes. I will try to remove it and see if that helps.
-
If I understand you correctly, you won't be able to add any of the Built-in accounts or groups to a member server or domain workstation local group. You can only add Domain Global or Universal groups. That's because of the group nesting rules. That group is only for that specific server itself, and can't be added elsewhere. If in AD, it's for the DCs.
Here are the group nesting rules in the following link. I may also add this thread to the blog for Built-in group illustration:
Using Group Nesting Strategy - AD Best Practices for Group Strategy
http://msmvps.com/blogs/acefekay/archive/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy.aspx
To illustrate further with an example, here's an example of my trying to add the Built-In Remote Desktop Users group. (I posted the links to the pics, too, if you need a closeup):
The first pic shows AD's Remote Desktop Users group in ADUC:
https://public.blu.livefilestore.com/y1p7bs433AoDmku3l-vd9me5PkIfPoxeJ0cVGWQIRqwTLkl8fPALfzMveBn9f8RcOz4-CvE-P1RdeYXNskohmpJDQ/Groups%20-%20ADUC%20showing%20the%20Built-In%20Remote%20Desktop%20Users%20Group%20that%20cannot%20be%20added%20to%20a%20member%20server's%20local%20group..jpg?psid=1
This shows me trying to add a domain group into the local Remote Desktop Users group on a member server. Notice that you can't see AD's Built-in accounts?
https://public.blu.livefilestore.com/y1pdaK-nr7Rwb66fgVQZHHerj5bbGdLGAfGvy6_ZNAX_c7KqW0IhxyQGFoNtsGDqrJUPGAmLSQekGXu7Q6CNNjPGA/Groups%20-%20Showing%20that%20Trying%20to%20add%20Domain%20Built-In%20Remote%20Desktop%20Users%20Group%20is%20unsuccessful.jpg?psid=1
And another screenshot from above after I scrolled down to the list of objects that start with the letter "R" looking for Remote Desktop Users.
https://public.blu.livefilestore.com/y1p7bs433AoDmmXcaVJCUsHMzWr5Pc9wAYBzGVT_vd5Gg75c2uh8C7K2HFLS6vrySqQir-86hBq8jGSYa-Dr6o7HQ/Groups%20-%20Showing%20available%20Domain%20Groups%20that%20can%20be%20added%20to%20the%20local%20machine%20group%20on%20a%20member%20server.jpg?psid=1
My suggestion is to create a Domain Global or Universal group for this purpose.
A further suggestion and recommendation is to use a GPO with Restricted Groups. Here's more info on this feature:
Good discussion about Restricted Groups with a complete step by step:
Technet thread: "AD Question, Group as Administrator?" 3/13/2012 -
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/880ad98a-f6bd-4132-ac8b-441d721e2762/
Using Restricted Groups
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
Restricted groups are made for that:
http://www.frickelsoft.net/blog/?p=13
Router's IP for DNS?
And I'm glad to hear you are removing the router's IP as a DNS server. I'm not sure why that was used in there to begin with. Just in case you are not aware of AD's reliance on DNS, please read the following for specifics:
Active Directory's Reliance on DNS, and why you should never use an ISP's DNS address or your router as a DNS address, or any other DNS server that does not host the AD zone name
http://msmvps.com/blogs/acefekay/archive/2009/08/17/ad-and-its-reliance-on-dns.aspx
Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
-
Hi,
By default, remote desktop access is only granted to Administrators, and only if Remote Desktop is enabled on the target machine. If you want to grant access to a specific AD user/group, add it into the Remote Desktop Users group and configure it to allow logon through Terminal/Remote Desktop Services rights.
Refer below links:
http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
http://support.microsoft.com/kb/278433
Best Regards,
Abhijit Waikar.
MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
-
I did end up just adding my own user group for that purpose. If Remote Desktop Users isn't actually applied to all workstations in a domain and must be added manually anyway, then what's the point of having that group?
The Router's IP is only there for DNS as a "just in case". As long as the DC is functioning it shouldn't make a difference anyway as Windows only uses the first responsive DNS server, unless I'm mistaken.
- Edited by msgerbs Friday, April 6, 2012 5:02 AM
-
> I did end up just adding my own user group for that purpose. If Remote Desktop Users isn't actually applied to all workstations in a domain and must be added manually anyway, then what's the point of having that group?
That is by design.
> The Router's IP is only there for DNS as a "just in case". As long as the DC is functioning it shouldn't make a difference anyway as Windows only uses the first responsive DNS server, unless I'm mistaken.
Do you have a single DC in the domain?
On a Domain Controller, it's not recommended; that is why it's recommended to have at least two DC / DNS / GC servers per domain for high availability of AD / DNS services.
Best Regards,
Abhijit Waikar.
MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Edited by Abhijit Waikar Friday, April 6, 2012 5:15 AM
-
By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to logon remotely to the server.
Now, if you have a user account which is not a part of the Administrators or the Remote Desktop Users groups and you go ahead and add him to the GPO for “Allow Logon through Terminal Services”, they will still not be able to create a successful RDP connection to the server. The reason being that adding a user to this GPO only authorizes him for a Remote Logon to the server but does not give him the permissions to connect to the RDP-Listener.
Adding a user to the “Remote Desktop Users” group allows them to create a successful connection to the server. Adding the user to the Remote Desktop Users group gives them the “Remote Logon” rights to the machine, as the Remote Desktop Users group is already a part of the GPO “Allow Logon through Terminal Services”.
Refer to the links below for more details:
http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
http://support.microsoft.com/kb/289289
http://social.technet.microsoft.com/Forums/en/winserverTS/thread/37d6698b-7ad5-4cf3-a952-f1ad8f109dd7
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
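The two pieces the thread keeps coming back to, membership in the LOCAL Remote Desktop Users group (Lawrence's accepted answer) and the "Allow log on through Terminal Services" user right that Sandesh describes, can be audited on the workstation itself. The script below is an added example, not code from the thread or from Microsoft; it uses the WinNT ADSI provider and secedit so it also runs on Windows 7-era PowerShell, and CONTOSO\RDP-Workstations is a placeholder domain group name.

```powershell
# Added example (not from the thread): audit why a domain principal is, or is not,
# allowed to RDP into this workstation. Run elevated on the target machine.
# CONTOSO\RDP-Workstations is a constructed placeholder for your domain security group.
param(
    [string]$Principal = 'CONTOSO\RDP-Workstations',  # DOMAIN\group to check (placeholder)
    [switch]$Add                                      # -Add: put $Principal into the local group
)

$localGroup = [ADSI]'WinNT://./Remote Desktop Users,group'

# 1. Is Remote Desktop enabled at all? (fDenyTSConnections = 1 means disabled)
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0

# 2. Direct members of the local Remote Desktop Users group, rendered as DOMAIN\name.
$members = $localGroup.psbase.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    # ADsPath looks like WinNT://CONTOSO/RDP-Workstations -> CONTOSO\RDP-Workstations
    ($path -replace '^WinNT://', '') -replace '/', '\'
}
$isMember = $members -contains $Principal

# 3. Who holds the remote-logon right, and who is explicitly denied it?
#    secedit exports SIDs; S-1-5-32-555 is BUILTIN\Remote Desktop Users.
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $rights[$matches[1]] = $matches[2] -split ',' }
}
Remove-Item $cfg
$allowHasRdpGroup = $rights['SeRemoteInteractiveLogonRight'] -contains '*S-1-5-32-555'
$denyHasRdpGroup  = $rights['SeDenyRemoteInteractiveLogonRight'] -contains '*S-1-5-32-555'

"Remote Desktop enabled            : $rdpEnabled"
"$Principal in local RDP group     : $isMember"
"RDP group holds remote logon right: $allowHasRdpGroup (explicitly denied: $denyHasRdpGroup)"
if ($rdpEnabled -and $isMember -and $allowHasRdpGroup -and -not $denyHasRdpGroup) {
    'Result: members of the domain group should be able to connect.'
} else {
    'Result: the connection will be refused until all three checks pass.'
}

if ($Add -and -not $isMember) {
    # Same effect as the GPP Local Users and Groups item, done once by hand.
    $domain, $name = $Principal -split '\\', 2
    $localGroup.psbase.Invoke('Add', "WinNT://$domain/$name,group")
    "Added $Principal to the local Remote Desktop Users group."
}
```

Only direct members are listed, so a user who is in the domain group is covered by the group line rather than by name; the same three checks are what a GPP Local Users and Groups item or a Restricted Groups policy is meant to make true on every workstation.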