new domain admin can't remote desktop DCs

[Guest BFH]

Just added a new administrator to the domain admins group. Unlike the rest

of us, she can't get a remote desktop on our DCs (although she can on our

member servers). When she tries to connect, she gets this error window:

 

"To log on to this remote computer, you must have Terminal Server User

Access permissions on this computer. By default, members of the Remote

Desktop Users group have these permissions. If you are not a member of the

Remote Desktop Users group or another group that has these permissions, or if

the Remote Desktop User group does not have these permissions, you must be

granted these permissions manually."

 

Huh?

This is a Win 2003/SP2 domain controller, so there is no local "Remote

Desktop Users" group. All our other domain admins -for instance, me- can log

in still. There has been no change in domain controller security policy or

default domain security policy. If I go to "Select Remote Users" on the

Remote tab and add the user directly, she can log in (but doesn't t, but I

don't want to do that on every DC- and I shouldn't have to, because being in

Domain Admins should be enough (it is for our other admins)!

 

So, what am I missing here?

[Guest Jeff Pitsch]

Re: new domain admin can't remote desktop DCs

 

mmmm, interesting. It almost sounds like the DC's where it's not

working aren't being updated correctly. Are you sure your replication

is functioning 100%? You may want to post in the windows server forums

as well.

 

Jeff Pitsch

Microsoft MVP - Terminal Services

 

BFH wrote:

> Just added a new administrator to the domain admins group. Unlike the rest

> of us, she can't get a remote desktop on our DCs (although she can on our

> member servers). When she tries to connect, she gets this error window:

>

> "To log on to this remote computer, you must have Terminal Server User

> Access permissions on this computer. By default, members of the Remote

> Desktop Users group have these permissions. If you are not a member of the

> Remote Desktop Users group or another group that has these permissions, or if

> the Remote Desktop User group does not have these permissions, you must be

> granted these permissions manually."

>

> Huh?

> This is a Win 2003/SP2 domain controller, so there is no local "Remote

> Desktop Users" group. All our other domain admins -for instance, me- can log

> in still. There has been no change in domain controller security policy or

> default domain security policy. If I go to "Select Remote Users" on the

> Remote tab and add the user directly, she can log in (but doesn't t, but I

> don't want to do that on every DC- and I shouldn't have to, because being in

> Domain Admins should be enough (it is for our other admins)!

>

> So, what am I missing here?

>

>

>

[Guest BFH]

Re: new domain admin can't remote desktop DCs

 

Good suggestion, but I don't think that's it. I just did replmon and it

showed no errors, everything up to date. Nothing of note showing up in the

event logs. I'll crosspost as you suggest and see if anyone has an idea.

 

As a workaround, I've added Domain Admins to the domain builtin Remote

Desktop Users group, which is OK as far as it goes, but it doesn't really

make sense to me (as I said below, I didn't have to do that for other admins).

 

Still looking for suggestions.

BH

 

 

 

 

"Jeff Pitsch" wrote:

> mmmm, interesting. It almost sounds like the DC's where it's not

> working aren't being updated correctly. Are you sure your replication

> is functioning 100%? You may want to post in the windows server forums

> as well.

>

> Jeff Pitsch

> Microsoft MVP - Terminal Services

>

> BFH wrote:

> > Just added a new administrator to the domain admins group. Unlike the rest

> > of us, she can't get a remote desktop on our DCs (although she can on our

> > member servers). When she tries to connect, she gets this error window:

> >

> > "To log on to this remote computer, you must have Terminal Server User

> > Access permissions on this computer. By default, members of the Remote

> > Desktop Users group have these permissions. If you are not a member of the

> > Remote Desktop Users group or another group that has these permissions, or if

> > the Remote Desktop User group does not have these permissions, you must be

> > granted these permissions manually."

> >

> > Huh?

> > This is a Win 2003/SP2 domain controller, so there is no local "Remote

> > Desktop Users" group. All our other domain admins -for instance, me- can log

> > in still. There has been no change in domain controller security policy or

> > default domain security policy. If I go to "Select Remote Users" on the

> > Remote tab and add the user directly, she can log in (but doesn't t, but I

> > don't want to do that on every DC- and I shouldn't have to, because being in

> > Domain Admins should be enough (it is for our other admins)!

> >

> > So, what am I missing here?

> >

> >

> >

>

[Guest Jeff Pitsch]

Re: new domain admin can't remote desktop DCs

 

it'd be interesting to see if it wsa that one account or if it's going

to keep happening as you add admins. Would you be able to create some

dummy accounts and see if you have the same problem?

 

Jeff Pitsch

Microsoft MVP - Terminal Services

 

BFH wrote:

> Good suggestion, but I don't think that's it. I just did replmon and it

> showed no errors, everything up to date. Nothing of note showing up in the

> event logs. I'll crosspost as you suggest and see if anyone has an idea.

>

> As a workaround, I've added Domain Admins to the domain builtin Remote

> Desktop Users group, which is OK as far as it goes, but it doesn't really

> make sense to me (as I said below, I didn't have to do that for other admins).

>

> Still looking for suggestions.

> BH

>

>

>

>

> "Jeff Pitsch" wrote:

>

>> mmmm, interesting. It almost sounds like the DC's where it's not

>> working aren't being updated correctly. Are you sure your replication

>> is functioning 100%? You may want to post in the windows server forums

>> as well.

>>

>> Jeff Pitsch

>> Microsoft MVP - Terminal Services

>>

>> BFH wrote:

>>> Just added a new administrator to the domain admins group. Unlike the rest

>>> of us, she can't get a remote desktop on our DCs (although she can on our

>>> member servers). When she tries to connect, she gets this error window:

>>>

>>> "To log on to this remote computer, you must have Terminal Server User

>>> Access permissions on this computer. By default, members of the Remote

>>> Desktop Users group have these permissions. If you are not a member of the

>>> Remote Desktop Users group or another group that has these permissions, or if

>>> the Remote Desktop User group does not have these permissions, you must be

>>> granted these permissions manually."

>>>

>>> Huh?

>>> This is a Win 2003/SP2 domain controller, so there is no local "Remote

>>> Desktop Users" group. All our other domain admins -for instance, me- can log

>>> in still. There has been no change in domain controller security policy or

>>> default domain security policy. If I go to "Select Remote Users" on the

>>> Remote tab and add the user directly, she can log in (but doesn't t, but I

>>> don't want to do that on every DC- and I shouldn't have to, because being in

>>> Domain Admins should be enough (it is for our other admins)!

>>>

>>> So, what am I missing here?

>>>

>>>

>>>

[Guest BFH]

Re: new domain admin can't remote desktop DCs

 

Yes, I created a dummy and it had the same problem. I haven't had much time

to work on this today, so I guess I'll bang my head against the wall Monday.

Thanks for your help.

 

"Jeff Pitsch" wrote:

> it'd be interesting to see if it wsa that one account or if it's going

> to keep happening as you add admins. Would you be able to create some

> dummy accounts and see if you have the same problem?

>

> Jeff Pitsch

> Microsoft MVP - Terminal Services

>

> BFH wrote:

> > Good suggestion, but I don't think that's it. I just did replmon and it

> > showed no errors, everything up to date. Nothing of note showing up in the

> > event logs. I'll crosspost as you suggest and see if anyone has an idea.

> >

> > As a workaround, I've added Domain Admins to the domain builtin Remote

> > Desktop Users group, which is OK as far as it goes, but it doesn't really

> > make sense to me (as I said below, I didn't have to do that for other admins).

> >

> > Still looking for suggestions.

> > BH

> >

> >

> >

> >

> > "Jeff Pitsch" wrote:

> >

> >> mmmm, interesting. It almost sounds like the DC's where it's not

> >> working aren't being updated correctly. Are you sure your replication

> >> is functioning 100%? You may want to post in the windows server forums

> >> as well.

> >>

> >> Jeff Pitsch

> >> Microsoft MVP - Terminal Services

> >>

> >> BFH wrote:

> >>> Just added a new administrator to the domain admins group. Unlike the rest

> >>> of us, she can't get a remote desktop on our DCs (although she can on our

> >>> member servers). When she tries to connect, she gets this error window:

> >>>

> >>> "To log on to this remote computer, you must have Terminal Server User

> >>> Access permissions on this computer. By default, members of the Remote

> >>> Desktop Users group have these permissions. If you are not a member of the

> >>> Remote Desktop Users group or another group that has these permissions, or if

> >>> the Remote Desktop User group does not have these permissions, you must be

> >>> granted these permissions manually."

> >>>

> >>> Huh?

> >>> This is a Win 2003/SP2 domain controller, so there is no local "Remote

> >>> Desktop Users" group. All our other domain admins -for instance, me- can log

> >>> in still. There has been no change in domain controller security policy or

> >>> default domain security policy. If I go to "Select Remote Users" on the

> >>> Remote tab and add the user directly, she can log in (but doesn't t, but I

> >>> don't want to do that on every DC- and I shouldn't have to, because being in

> >>> Domain Admins should be enough (it is for our other admins)!

> >>>

> >>> So, what am I missing here?

> >>>

> >>>

> >>>

>