Guest BFH Posted October 8, 2008 Posted October 8, 2008 Just added a new administrator to the domain admins group. Unlike the rest of us, she can't get a remote desktop on our DCs (although she can on our member servers). When she tries to connect, she gets this error window: "To log on to this remote computer, you must have Terminal Server User Access permissions on this computer. By default, members of the Remote Desktop Users group have these permissions. If you are not a member of the Remote Desktop Users group or another group that has these permissions, or if the Remote Desktop User group does not have these permissions, you must be granted these permissions manually." Huh? This is a Win 2003/SP2 domain controller, so there is no local "Remote Desktop Users" group. All our other domain admins -for instance, me- can log in still. There has been no change in domain controller security policy or default domain security policy. If I go to "Select Remote Users" on the Remote tab and add the user directly, she can log in (but doesn't t, but I don't want to do that on every DC- and I shouldn't have to, because being in Domain Admins should be enough (it is for our other admins)! So, what am I missing here?
Guest Jeff Pitsch Posted October 9, 2008 Posted October 9, 2008 Re: new domain admin can't remote desktop DCs mmmm, interesting. It almost sounds like the DC's where it's not working aren't being updated correctly. Are you sure your replication is functioning 100%? You may want to post in the windows server forums as well. Jeff Pitsch Microsoft MVP - Terminal Services BFH wrote: > Just added a new administrator to the domain admins group. Unlike the rest > of us, she can't get a remote desktop on our DCs (although she can on our > member servers). When she tries to connect, she gets this error window: > > "To log on to this remote computer, you must have Terminal Server User > Access permissions on this computer. By default, members of the Remote > Desktop Users group have these permissions. If you are not a member of the > Remote Desktop Users group or another group that has these permissions, or if > the Remote Desktop User group does not have these permissions, you must be > granted these permissions manually." > > Huh? > This is a Win 2003/SP2 domain controller, so there is no local "Remote > Desktop Users" group. All our other domain admins -for instance, me- can log > in still. There has been no change in domain controller security policy or > default domain security policy. If I go to "Select Remote Users" on the > Remote tab and add the user directly, she can log in (but doesn't t, but I > don't want to do that on every DC- and I shouldn't have to, because being in > Domain Admins should be enough (it is for our other admins)! > > So, what am I missing here? > > >
Guest BFH Posted October 9, 2008 Posted October 9, 2008 Re: new domain admin can't remote desktop DCs Good suggestion, but I don't think that's it. I just did replmon and it showed no errors, everything up to date. Nothing of note showing up in the event logs. I'll crosspost as you suggest and see if anyone has an idea. As a workaround, I've added Domain Admins to the domain builtin Remote Desktop Users group, which is OK as far as it goes, but it doesn't really make sense to me (as I said below, I didn't have to do that for other admins). Still looking for suggestions. BH "Jeff Pitsch" wrote: > mmmm, interesting. It almost sounds like the DC's where it's not > working aren't being updated correctly. Are you sure your replication > is functioning 100%? You may want to post in the windows server forums > as well. > > Jeff Pitsch > Microsoft MVP - Terminal Services > > BFH wrote: > > Just added a new administrator to the domain admins group. Unlike the rest > > of us, she can't get a remote desktop on our DCs (although she can on our > > member servers). When she tries to connect, she gets this error window: > > > > "To log on to this remote computer, you must have Terminal Server User > > Access permissions on this computer. By default, members of the Remote > > Desktop Users group have these permissions. If you are not a member of the > > Remote Desktop Users group or another group that has these permissions, or if > > the Remote Desktop User group does not have these permissions, you must be > > granted these permissions manually." > > > > Huh? > > This is a Win 2003/SP2 domain controller, so there is no local "Remote > > Desktop Users" group. All our other domain admins -for instance, me- can log > > in still. There has been no change in domain controller security policy or > > default domain security policy. If I go to "Select Remote Users" on the > > Remote tab and add the user directly, she can log in (but doesn't t, but I > > don't want to do that on every DC- and I shouldn't have to, because being in > > Domain Admins should be enough (it is for our other admins)! > > > > So, what am I missing here? > > > > > > >
Guest Jeff Pitsch Posted October 9, 2008 Posted October 9, 2008 Re: new domain admin can't remote desktop DCs it'd be interesting to see if it wsa that one account or if it's going to keep happening as you add admins. Would you be able to create some dummy accounts and see if you have the same problem? Jeff Pitsch Microsoft MVP - Terminal Services BFH wrote: > Good suggestion, but I don't think that's it. I just did replmon and it > showed no errors, everything up to date. Nothing of note showing up in the > event logs. I'll crosspost as you suggest and see if anyone has an idea. > > As a workaround, I've added Domain Admins to the domain builtin Remote > Desktop Users group, which is OK as far as it goes, but it doesn't really > make sense to me (as I said below, I didn't have to do that for other admins). > > Still looking for suggestions. > BH > > > > > "Jeff Pitsch" wrote: > >> mmmm, interesting. It almost sounds like the DC's where it's not >> working aren't being updated correctly. Are you sure your replication >> is functioning 100%? You may want to post in the windows server forums >> as well. >> >> Jeff Pitsch >> Microsoft MVP - Terminal Services >> >> BFH wrote: >>> Just added a new administrator to the domain admins group. Unlike the rest >>> of us, she can't get a remote desktop on our DCs (although she can on our >>> member servers). When she tries to connect, she gets this error window: >>> >>> "To log on to this remote computer, you must have Terminal Server User >>> Access permissions on this computer. By default, members of the Remote >>> Desktop Users group have these permissions. If you are not a member of the >>> Remote Desktop Users group or another group that has these permissions, or if >>> the Remote Desktop User group does not have these permissions, you must be >>> granted these permissions manually." >>> >>> Huh? >>> This is a Win 2003/SP2 domain controller, so there is no local "Remote >>> Desktop Users" group. All our other domain admins -for instance, me- can log >>> in still. There has been no change in domain controller security policy or >>> default domain security policy. If I go to "Select Remote Users" on the >>> Remote tab and add the user directly, she can log in (but doesn't t, but I >>> don't want to do that on every DC- and I shouldn't have to, because being in >>> Domain Admins should be enough (it is for our other admins)! >>> >>> So, what am I missing here? >>> >>> >>>
Guest BFH Posted October 10, 2008 Posted October 10, 2008 Re: new domain admin can't remote desktop DCs Yes, I created a dummy and it had the same problem. I haven't had much time to work on this today, so I guess I'll bang my head against the wall Monday. Thanks for your help. "Jeff Pitsch" wrote: > it'd be interesting to see if it wsa that one account or if it's going > to keep happening as you add admins. Would you be able to create some > dummy accounts and see if you have the same problem? > > Jeff Pitsch > Microsoft MVP - Terminal Services > > BFH wrote: > > Good suggestion, but I don't think that's it. I just did replmon and it > > showed no errors, everything up to date. Nothing of note showing up in the > > event logs. I'll crosspost as you suggest and see if anyone has an idea. > > > > As a workaround, I've added Domain Admins to the domain builtin Remote > > Desktop Users group, which is OK as far as it goes, but it doesn't really > > make sense to me (as I said below, I didn't have to do that for other admins). > > > > Still looking for suggestions. > > BH > > > > > > > > > > "Jeff Pitsch" wrote: > > > >> mmmm, interesting. It almost sounds like the DC's where it's not > >> working aren't being updated correctly. Are you sure your replication > >> is functioning 100%? You may want to post in the windows server forums > >> as well. > >> > >> Jeff Pitsch > >> Microsoft MVP - Terminal Services > >> > >> BFH wrote: > >>> Just added a new administrator to the domain admins group. Unlike the rest > >>> of us, she can't get a remote desktop on our DCs (although she can on our > >>> member servers). When she tries to connect, she gets this error window: > >>> > >>> "To log on to this remote computer, you must have Terminal Server User > >>> Access permissions on this computer. By default, members of the Remote > >>> Desktop Users group have these permissions. If you are not a member of the > >>> Remote Desktop Users group or another group that has these permissions, or if > >>> the Remote Desktop User group does not have these permissions, you must be > >>> granted these permissions manually." > >>> > >>> Huh? > >>> This is a Win 2003/SP2 domain controller, so there is no local "Remote > >>> Desktop Users" group. All our other domain admins -for instance, me- can log > >>> in still. There has been no change in domain controller security policy or > >>> default domain security policy. If I go to "Select Remote Users" on the > >>> Remote tab and add the user directly, she can log in (but doesn't t, but I > >>> don't want to do that on every DC- and I shouldn't have to, because being in > >>> Domain Admins should be enough (it is for our other admins)! > >>> > >>> So, what am I missing here? > >>> > >>> > >>> >
Recommended Posts