Vera please explain this if you can

[Guest halfluke]

Hi,

I'm studying TS for the exam 70-290.

I'm practicing on a 2 pcs network, one is a DC, the other one a win xp

workstation.

I COULDN'T USE REMOTE DESKTOP TO CONNECT FROM XP TO 2003 DC

 

Yes, remote desktop users group ok etc...

Yes, Allow logon through terminal services ok etc...

 

I looked for 2 days... reading the newsgroup... realizing that Vera is the

guru :)

 

OH, The error when I tried to connect was: you need to enable Allow logon

through TS for Remote desktop users and bla bla bla...

 

NOW TELL ME, VERA OR ANYONE...

Opening Domain COntroller Security Policy in Administration tools,

everything seemed fine... the right users are allowed, nobody is denied...

When I opened secpol.msc from Run.... I FOUND THE TWO ACCOUNTS I WAS TRYING

TO CONNECT IN THE "DENY LOGON THROUGH TS" SETTING!!!

WHAT THE HELL? WHY?? AREN'T THEY EXACTLY THE SAME CONSOLE (I mean the GUI

and secpol.msc)??? HOW DID THEY GO THERE IN THE "DENY" SETTING?

Removed them from there, Remote desktop works...

 

Vera, if you know why just please dont keep the secret...

 

Luca

[Guest Vera Noest [MVP]]

Re: Vera please explain this if you can

 

There's no need to SHOUT, Luca :-)

 

You have been looking at 2, possibly 3 different policies:

Under Administrative Tools, there are links to both the Default

Domain Security Policy and the Default Domain Controller Security

Policy.

When you run secpol.msc, you open the Local Security Policy.

 

I recommend installing the Group Policy Management Console, from

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

 

Then use it to run a Resultant Set of Policies, for one of your

user accounts and the DC. You will see exactly which policies are

applied and in which order.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?aGFsZmx1a2U=?= <halfluke@discussions.microsoft.com>

wrote on 04 aug 2007 in

microsoft.public.windows.terminal_services:

> Hi,

> I'm studying TS for the exam 70-290.

> I'm practicing on a 2 pcs network, one is a DC, the other one a

> win xp workstation.

> I COULDN'T USE REMOTE DESKTOP TO CONNECT FROM XP TO 2003 DC

>

> Yes, remote desktop users group ok etc...

> Yes, Allow logon through terminal services ok etc...

>

> I looked for 2 days... reading the newsgroup... realizing that

> Vera is the guru :)

>

> OH, The error when I tried to connect was: you need to enable

> Allow logon through TS for Remote desktop users and bla bla

> bla...

>

> NOW TELL ME, VERA OR ANYONE...

> Opening Domain COntroller Security Policy in Administration

> tools, everything seemed fine... the right users are allowed,

> nobody is denied... When I opened secpol.msc from Run.... I

> FOUND THE TWO ACCOUNTS I WAS TRYING TO CONNECT IN THE "DENY

> LOGON THROUGH TS" SETTING!!! WHAT THE HELL? WHY?? AREN'T THEY

> EXACTLY THE SAME CONSOLE (I mean the GUI and secpol.msc)??? HOW

> DID THEY GO THERE IN THE "DENY" SETTING? Removed them from

> there, Remote desktop works...

>

> Vera, if you know why just please dont keep the secret...

>

> Luca

[Guest halfluke]

Re: Vera please explain this if you can

 

thanks Vera for ur reply...

 

so you are saying that the Domain Controller Security Policy in Admin tools

and secpol.msc are NOT the same thing....

 

I was sure they were... same settings at a first look...

 

could u explain better the difference between the two?

 

Regards,

Luca

 

"Vera Noest [MVP]" wrote:

> There's no need to SHOUT, Luca :-)

>

> You have been looking at 2, possibly 3 different policies:

> Under Administrative Tools, there are links to both the Default

> Domain Security Policy and the Default Domain Controller Security

> Policy.

> When you run secpol.msc, you open the Local Security Policy.

>

> I recommend installing the Group Policy Management Console, from

> http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

>

> Then use it to run a Resultant Set of Policies, for one of your

> user accounts and the DC. You will see exactly which policies are

> applied and in which order.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?aGFsZmx1a2U=?= <halfluke@discussions.microsoft.com>

> wrote on 04 aug 2007 in

> microsoft.public.windows.terminal_services:

>

> > Hi,

> > I'm studying TS for the exam 70-290.

> > I'm practicing on a 2 pcs network, one is a DC, the other one a

> > win xp workstation.

> > I COULDN'T USE REMOTE DESKTOP TO CONNECT FROM XP TO 2003 DC

> >

> > Yes, remote desktop users group ok etc...

> > Yes, Allow logon through terminal services ok etc...

> >

> > I looked for 2 days... reading the newsgroup... realizing that

> > Vera is the guru :)

> >

> > OH, The error when I tried to connect was: you need to enable

> > Allow logon through TS for Remote desktop users and bla bla

> > bla...

> >

> > NOW TELL ME, VERA OR ANYONE...

> > Opening Domain COntroller Security Policy in Administration

> > tools, everything seemed fine... the right users are allowed,

> > nobody is denied... When I opened secpol.msc from Run.... I

> > FOUND THE TWO ACCOUNTS I WAS TRYING TO CONNECT IN THE "DENY

> > LOGON THROUGH TS" SETTING!!! WHAT THE HELL? WHY?? AREN'T THEY

> > EXACTLY THE SAME CONSOLE (I mean the GUI and secpol.msc)??? HOW

> > DID THEY GO THERE IN THE "DENY" SETTING? Removed them from

> > there, Remote desktop works...

> >

> > Vera, if you know why just please dont keep the secret...

> >

> > Luca

>

[Guest Vera Noest [MVP]]

Re: Vera please explain this if you can

 

This is more a question for a Group Policy newsgroup, Luca.

Try microsoft.public.windows.group_policy

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?aGFsZmx1a2U=?= <halfluke@discussions.microsoft.com>

wrote on 05 aug 2007 in

microsoft.public.windows.terminal_services:

> thanks Vera for ur reply...

>

> so you are saying that the Domain Controller Security Policy in

> Admin tools and secpol.msc are NOT the same thing....

>

> I was sure they were... same settings at a first look...

>

> could u explain better the difference between the two?

>

> Regards,

> Luca

>

> "Vera Noest [MVP]" wrote:

>

>> There's no need to SHOUT, Luca :-)

>>

>> You have been looking at 2, possibly 3 different policies:

>> Under Administrative Tools, there are links to both the Default

>> Domain Security Policy and the Default Domain Controller

>> Security Policy.

>> When you run secpol.msc, you open the Local Security Policy.

>>

>> I recommend installing the Group Policy Management Console,

>> from

>> http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

>>

>> Then use it to run a Resultant Set of Policies, for one of your

>> user accounts and the DC. You will see exactly which policies

>> are applied and in which order.

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?aGFsZmx1a2U=?= <halfluke@discussions.microsoft.com>

>> wrote on 04 aug 2007 in

>> microsoft.public.windows.terminal_services:

>>

>> > Hi,

>> > I'm studying TS for the exam 70-290.

>> > I'm practicing on a 2 pcs network, one is a DC, the other one

>> > a win xp workstation.

>> > I COULDN'T USE REMOTE DESKTOP TO CONNECT FROM XP TO 2003 DC

>> >

>> > Yes, remote desktop users group ok etc...

>> > Yes, Allow logon through terminal services ok etc...

>> >

>> > I looked for 2 days... reading the newsgroup... realizing

>> > that Vera is the guru :)

>> >

>> > OH, The error when I tried to connect was: you need to enable

>> > Allow logon through TS for Remote desktop users and bla bla

>> > bla...

>> >

>> > NOW TELL ME, VERA OR ANYONE...

>> > Opening Domain COntroller Security Policy in Administration

>> > tools, everything seemed fine... the right users are allowed,

>> > nobody is denied... When I opened secpol.msc from Run.... I

>> > FOUND THE TWO ACCOUNTS I WAS TRYING TO CONNECT IN THE "DENY

>> > LOGON THROUGH TS" SETTING!!! WHAT THE HELL? WHY?? AREN'T THEY

>> > EXACTLY THE SAME CONSOLE (I mean the GUI and secpol.msc)???

>> > HOW DID THEY GO THERE IN THE "DENY" SETTING? Removed them

>> > from there, Remote desktop works...

>> >

>> > Vera, if you know why just please dont keep the secret...

>> >

>> > Luca

[Guest halfluke]

RE: Vera please explain this if you can

 

I'm starting to understand the whole matter...

I wonder why the book I'm studying doesn't cover it at all.

 

thanks and sorry for shouting :)

 

"halfluke" wrote:

> Hi,

> I'm studying TS for the exam 70-290.

> I'm practicing on a 2 pcs network, one is a DC, the other one a win xp

> workstation.

> I COULDN'T USE REMOTE DESKTOP TO CONNECT FROM XP TO 2003 DC

>

> Yes, remote desktop users group ok etc...

> Yes, Allow logon through terminal services ok etc...

>

> I looked for 2 days... reading the newsgroup... realizing that Vera is the

> guru :)

>

> OH, The error when I tried to connect was: you need to enable Allow logon

> through TS for Remote desktop users and bla bla bla...

>

> NOW TELL ME, VERA OR ANYONE...

> Opening Domain COntroller Security Policy in Administration tools,

> everything seemed fine... the right users are allowed, nobody is denied...

> When I opened secpol.msc from Run.... I FOUND THE TWO ACCOUNTS I WAS TRYING

> TO CONNECT IN THE "DENY LOGON THROUGH TS" SETTING!!!

> WHAT THE HELL? WHY?? AREN'T THEY EXACTLY THE SAME CONSOLE (I mean the GUI

> and secpol.msc)??? HOW DID THEY GO THERE IN THE "DENY" SETTING?

> Removed them from there, Remote desktop works...

>

> Vera, if you know why just please dont keep the secret...

>

> Luca

[Guest halfluke]

Re: Vera please explain this if you can

 

GPOs... now I'm starting to figure out the whole matter...

 

I wonder why the subject is not covered in my book to prepare the 70-290

exam...

 

Group Policy Management Console is quite an useful tool ;-)

 

Thanks and sorry for shouting: I get crazy when I can't understand

something, I'm a natural born stubborn troubleshooter :-)

 

Regards,

Luca

 

 

"Vera Noest [MVP]" wrote:

> This is more a question for a Group Policy newsgroup, Luca.

> Try microsoft.public.windows.group_policy

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?aGFsZmx1a2U=?= <halfluke@discussions.microsoft.com>

> wrote on 05 aug 2007 in

> microsoft.public.windows.terminal_services:

>

> > thanks Vera for ur reply...

> >

> > so you are saying that the Domain Controller Security Policy in

> > Admin tools and secpol.msc are NOT the same thing....

> >

> > I was sure they were... same settings at a first look...

> >

> > could u explain better the difference between the two?

> >

> > Regards,

> > Luca

> >

> > "Vera Noest [MVP]" wrote:

> >

> >> There's no need to SHOUT, Luca :-)

> >>

> >> You have been looking at 2, possibly 3 different policies:

> >> Under Administrative Tools, there are links to both the Default

> >> Domain Security Policy and the Default Domain Controller

> >> Security Policy.

> >> When you run secpol.msc, you open the Local Security Policy.

> >>

> >> I recommend installing the Group Policy Management Console,

> >> from

> >> http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

> >>

> >> Then use it to run a Resultant Set of Policies, for one of your

> >> user accounts and the DC. You will see exactly which policies

> >> are applied and in which order.

> >> _________________________________________________________

> >> Vera Noest

> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> TS troubleshooting: http://ts.veranoest.net

> >> ___ please respond in newsgroup, NOT by private email ___

> >>

> >> =?Utf-8?B?aGFsZmx1a2U=?= <halfluke@discussions.microsoft.com>

> >> wrote on 04 aug 2007 in

> >> microsoft.public.windows.terminal_services:

> >>

> >> > Hi,

> >> > I'm studying TS for the exam 70-290.

> >> > I'm practicing on a 2 pcs network, one is a DC, the other one

> >> > a win xp workstation.

> >> > I COULDN'T USE REMOTE DESKTOP TO CONNECT FROM XP TO 2003 DC

> >> >

> >> > Yes, remote desktop users group ok etc...

> >> > Yes, Allow logon through terminal services ok etc...

> >> >

> >> > I looked for 2 days... reading the newsgroup... realizing

> >> > that Vera is the guru :)

> >> >

> >> > OH, The error when I tried to connect was: you need to enable

> >> > Allow logon through TS for Remote desktop users and bla bla

> >> > bla...

> >> >

> >> > NOW TELL ME, VERA OR ANYONE...

> >> > Opening Domain COntroller Security Policy in Administration

> >> > tools, everything seemed fine... the right users are allowed,

> >> > nobody is denied... When I opened secpol.msc from Run.... I

> >> > FOUND THE TWO ACCOUNTS I WAS TRYING TO CONNECT IN THE "DENY

> >> > LOGON THROUGH TS" SETTING!!! WHAT THE HELL? WHY?? AREN'T THEY

> >> > EXACTLY THE SAME CONSOLE (I mean the GUI and secpol.msc)???

> >> > HOW DID THEY GO THERE IN THE "DENY" SETTING? Removed them

> >> > from there, Remote desktop works...

> >> >

> >> > Vera, if you know why just please dont keep the secret...

> >> >

> >> > Luca

>

[Guest Vera Noest [MVP]]

Re: Vera please explain this if you can

 

OK, Luca, no problem.

Group Policies is not part of 70-290, it's part of 70-294.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

*----------- Please reply in newsgroup -------------*

 

=?Utf-8?B?aGFsZmx1a2U=?= <halfluke@discussions.microsoft.com>

wrote on 06 aug 2007:

> GPOs... now I'm starting to figure out the whole matter...

>

> I wonder why the subject is not covered in my book to prepare

> the 70-290 exam...

>

> Group Policy Management Console is quite an useful tool ;-)

>

> Thanks and sorry for shouting: I get crazy when I can't

> understand something, I'm a natural born stubborn troubleshooter

> :-)

>

> Regards,

> Luca

>

>

> "Vera Noest [MVP]" wrote:

>

>> This is more a question for a Group Policy newsgroup, Luca.

>> Try microsoft.public.windows.group_policy

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?aGFsZmx1a2U=?= <halfluke@discussions.microsoft.com>

>> wrote on 05 aug 2007 in

>> microsoft.public.windows.terminal_services:

>>

>> > thanks Vera for ur reply...

>> >

>> > so you are saying that the Domain Controller Security Policy

>> > in Admin tools and secpol.msc are NOT the same thing....

>> >

>> > I was sure they were... same settings at a first look...

>> >

>> > could u explain better the difference between the two?

>> >

>> > Regards,

>> > Luca

>> >

>> > "Vera Noest [MVP]" wrote:

>> >

>> >> There's no need to SHOUT, Luca :-)

>> >>

>> >> You have been looking at 2, possibly 3 different policies:

>> >> Under Administrative Tools, there are links to both the

>> >> Default Domain Security Policy and the Default Domain

>> >> Controller Security Policy.

>> >> When you run secpol.msc, you open the Local Security Policy.

>> >>

>> >> I recommend installing the Group Policy Management Console,

>> >> from

>> >> http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

>> >>

>> >> Then use it to run a Resultant Set of Policies, for one of

>> >> your user accounts and the DC. You will see exactly which

>> >> policies are applied and in which order.

>> >> _________________________________________________________

>> >> Vera Noest

>> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> TS troubleshooting: http://ts.veranoest.net

>> >> ___ please respond in newsgroup, NOT by private email ___

>> >>

>> >> =?Utf-8?B?aGFsZmx1a2U=?=

>> >> <halfluke@discussions.microsoft.com> wrote on 04 aug 2007 in

>> >> microsoft.public.windows.terminal_services:

>> >>

>> >> > Hi,

>> >> > I'm studying TS for the exam 70-290.

>> >> > I'm practicing on a 2 pcs network, one is a DC, the other

>> >> > one a win xp workstation.

>> >> > I COULDN'T USE REMOTE DESKTOP TO CONNECT FROM XP TO 2003

>> >> > DC

>> >> >

>> >> > Yes, remote desktop users group ok etc...

>> >> > Yes, Allow logon through terminal services ok etc...

>> >> >

>> >> > I looked for 2 days... reading the newsgroup... realizing

>> >> > that Vera is the guru :)

>> >> >

>> >> > OH, The error when I tried to connect was: you need to

>> >> > enable Allow logon through TS for Remote desktop users and

>> >> > bla bla bla...

>> >> >

>> >> > NOW TELL ME, VERA OR ANYONE...

>> >> > Opening Domain COntroller Security Policy in

>> >> > Administration tools, everything seemed fine... the right

>> >> > users are allowed, nobody is denied... When I opened

>> >> > secpol.msc from Run.... I FOUND THE TWO ACCOUNTS I WAS

>> >> > TRYING TO CONNECT IN THE "DENY LOGON THROUGH TS"

>> >> > SETTING!!! WHAT THE HELL? WHY?? AREN'T THEY EXACTLY THE

>> >> > SAME CONSOLE (I mean the GUI and secpol.msc)??? HOW DID

>> >> > THEY GO THERE IN THE "DENY" SETTING? Removed them

>> >> > from there, Remote desktop works...

>> >> >

>> >> > Vera, if you know why just please dont keep the secret...

>> >> >

>> >> > Luca