
Login error for new user on Domain Controller TS



Guest Marc S
Posted

I have two Terminal Servers. Both Windows 2003 Standard. One is also a DC.

For a user, she can logon to the Terminal Server (non-DC) no problem.

For other TS that is a DC, I have tried to log her on remotely for the first time, but when the user tries to access that server they get this error: "you must be granted the Allow logon through terminal services right. Members of the remote desktop users have this right." She is already a member of a domain-wide Security Group called Remote Users.

1. Do I need to log her on 1x locally at the DC Terminal Server?

2. Where is the built-in Remote Desktop Users Group on a DC? It's not listed under Computer Management, like on the non-DC Terminal Server. On the non-DC Terminal Server, I added the domain-wide Remote Users Security group to the Local built-in Remote users group.

Guest Vera Noest [MVP]
Posted

Re: Login error for new user on Domain Controller TS

 

It is *not* recommended to run TS on a Domain Controller, both for performance and security reasons!
That said, you will have to enable the following setting in the Default Domain Controller Policy:
Computer Configuration - Windows Settings - Security Settings - Local Policies - User rights Assignment
"Allow log on through Terminal Services"
and add the Remote Desktop Users group to the list of allowed users

There are no machine-local groups on a DC, only domain-local.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Marc S <MarcS@discussions.microsoft.com> wrote on 26 mar 2008 in microsoft.public.windows.terminal_services:
> I have two Terminal Servers. Both Windows 2003 Standard. One is
> also a DC.
>
> For a user, she can logon to the Terminal Server (non-DC) no
> problem.
>
> For other TS that is a DC, I have tried to log her on remotely
> for the first time, but when the user tries to access that
> server they get this error: "you must be granted the Allow logon
> through terminal services right. Members of the remote desktop
> users have this right." She is already a member of a domain-wide
> Security Group called Remote Users.
>
> 1. Do I need to log her on 1x locally at the DC Terminal
> Server?
>
> 2. Where is the built-in Remote Desktop Users Group on a DC?
> It's not listed under Computer Management, like on the non-DC
> Terminal Server. On the non-DC Terminal Server, I added the
> domain-wide Remote Users Security group to the Local built-in
> Remote users group.

Guest Marc S
Posted

Re: Login error for new user on Domain Controller TS

 

Hmm. This Server is a Disaster Recovery Multi-purpose server, so it's for back purposes.

In my AD, I appear to have two separate groups.
(1) Under Built-in is the "Remote Desktop Users" group
(2) Under another manually created group called Security Groups is "Remote Users" group.

I'm not sure why there are two separate groups that have similar names??

How can I tell which of these two groups is the security group used for Terminal Services?

"Vera Noest [MVP]" wrote:
> It is *not* recommended to run TS on a Domain Controller, both for
> performance and security reasons!
> That said, you will have to enable the following setting in the
> Default Domain Controller Policy:
> Computer Configuration - Windows Settings - Security Settings -
> Local Policies - User rights Assignment
> "Allow log on through Terminal Services"
> and add the Remote Desktop Users group to the list of allowed users
>
> There are no machine-local groups on a DC, only domain-local.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___


Guest Vera Noest [MVP]
Posted

Re: Login error for new user on Domain Controller TS

 

Seems to me you have already answered your own question :-)
One group is Built-in, the other is manually created.
I've no idea why someone at your company has created a group with a similar name as the built-in group, but it's the built-in domain local group you need to use (assuming that no other changes have been made to the default configuration of your DC and AD).
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Marc S <MarcS@discussions.microsoft.com> wrote on 27 mar 2008 in microsoft.public.windows.terminal_services:
> Hmm. This Server is a Disaster Recovery Multi-purpose server,
> so it's for back purposes.
>
> In my AD, I appear to have two separate groups.
> (1) Under Built-in is the "Remote Desktop Users" group
> (2) Under another manually created group called Security Groups
> is "Remote Users" group.
>
> I'm not sure why there are two separate groups that have similar
> names??
>
> How can I tell which of these two groups is the security group
> used for Terminal Services?


Guest Marc S
Posted

Re: Login error for new user on Domain Controller TS

 

The strange thing is if I add a user to only the manual Security Group, and not the built-in, the user CAN still access the TS.

I notice that most users are in both groups.

My confusion is that I don't see where the manual Security Group is being used. Is the Built-in Remote Desktop Group automatically configured so that if a user is part of that Built-in Remote Desktop group they can access a TS? Is there a place on the TS where either of these Security Groups is added to allow for access? Or is it just inherited as part of being in that group?

"Vera Noest [MVP]" wrote:
> Seems to me you have already answered your own question :-)
> One group is Built-in, the other is manually created.
> I've no idea why someone at your company has created a group with a
> similar name as the built-in group, but it's the built-in domain
> local group you need to use (assuming that no other changes have
> been made to the default configuration of your DC and AD).
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___


Guest Vera Noest [MVP]
Posted

Re: Login error for new user on Domain Controller TS

 

Since you seem to have a non-default installation, it is difficult for me to say what will work for you now.

But the default setup is like this:
On a Terminal Server which is *not* a DC, you have to make sure that the users are members of the local built-in group Remote Desktop Users, on the server itself. That can be achieved either by putting the individual user accounts into this group, or by putting one or more user groups which contain the user accounts in the local Remote Desktop User group. As an example (but not necessarily a good configuration): if you put the built-in domain user group "Domain Users" (of which all users are a member) into the local built-in Remote Desktop Users group on a member server, then all domain users can connect to the server by rdp.

The above assumes that you have not modified the security settings of the rdp-tcp connection, i.e. that the Remote Desktop Users group is still on the permissions list. Check this in Terminal Services Configuration - rdp-tcp connection - properties - security

Since one of your Terminal Servers is a DC (again, this is *not* recommended!), the requirements are different. A DC does not have a local built-in Remote Desktop group, so instead you have to make sure that users are members of the domain local built-in group Remote Desktop Users.
And since by default only Administrators have the right to logon to a DC, you also have to change the Default Domain Controller Policy:

Go to Computer Configuration - Windows Settings - Security Settings - Local Policies - User rights Assignment
"Allow log on through Terminal Services"

and add the domain local built-in Remote Desktop Users group to the list of allowed users.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Marc S <MarcS@discussions.microsoft.com> wrote on 27 mar 2008 in microsoft.public.windows.terminal_services:
> The strange thing is if I add a user to only the manual Security
> Group, and not the built-in, the user CAN still access the TS.
>
> I notice that most users are in both groups.
>
> My confusion is that I don't see where the manual Security Group
> is being used. Is the Built-in Remote Desktop Group
> automatically configured so that if a user is part of that
> Built-in Remote Desktop group they can access a TS?
> Is there a place on the TS where either of these Security
> Groups is added to
> allow for access? Or is it just inherited as part of being in
> that group?

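
Editor's added example (not part of the thread, and not Microsoft or poster code): the two conditions described in the post above for a DC, checked against a security template as produced by `secedit /export` or stored in a GPO's GptTmpl.inf. The right "Allow log on through Terminal Services" is stored as `SeRemoteInteractiveLogonRight`; the template text, the `EXAMPLE` domain and its accounts are constructed sample data, and the RDP-Tcp permission list is not modelled.

```python
import re

# "Allow log on through Terminal Services" is stored under this constant name
# in the [Privilege Rights] section of a security template.
RDP_RIGHT = "SeRemoteInteractiveLogonRight"
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
    "S-1-5-11": "Authenticated Users",
    "S-1-1-0": "Everyone",
}
BROAD_SIDS = {"S-1-5-11", "S-1-1-0"}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")  # RID 513 = Domain Users

# Constructed sample: a DC policy where only Administrators hold the right.
DC_DEFAULT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
"""
# Constructed sample: the same policy after Remote Desktop Users is added.
DC_FIXED = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""
# Constructed group data: group -> direct members (users or other groups).
GROUPS_NOT_NESTED = {
    "BUILTIN\\Administrators": {"EXAMPLE\\admin1"},
    "BUILTIN\\Remote Desktop Users": set(),
    "EXAMPLE\\Remote Users": {"EXAMPLE\\alice"},
}
GROUPS_NESTED = dict(GROUPS_NOT_NESTED)
GROUPS_NESTED["BUILTIN\\Remote Desktop Users"] = {"EXAMPLE\\Remote Users"}


def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs carry a leading '*'; entries without it are account names.
        rights[name.strip()] = [p.strip().lstrip("*")
                                for p in value.split(",") if p.strip()]
    return rights


def display(principal):
    """Translate a well-known SID to its name; leave anything else as written."""
    return WELL_KNOWN.get(principal, principal)


def effective_groups(user, direct_members):
    """Expand nested membership until no new group is found."""
    found, changed = set(), True
    while changed:
        changed = False
        for group, members in direct_members.items():
            if group not in found and (user in members or members & found):
                found.add(group)
                changed = True
    return found


def audit_rdp_right(inf_text, user, direct_members):
    """Report who holds the RDP logon right and whether `user` gets it."""
    rights = parse_privilege_rights(inf_text)
    holders = rights.get(RDP_RIGHT, [])
    groups = effective_groups(user, direct_members)
    granted_via = [display(h) for h in holders
                   if h == user or display(h) in groups]
    return {
        "defined": RDP_RIGHT in rights,  # False: this template does not set it
        "holders": [display(h) for h in holders],
        # Holders that admit nearly every account deserve a second look.
        "broad_holders": [display(h) for h in holders
                          if h in BROAD_SIDS or DOMAIN_USERS.match(h)],
        "user_can_log_on": bool(granted_via),
        "granted_via": granted_via,
    }


if __name__ == "__main__":
    for label, inf, groups in [("default policy", DC_DEFAULT, GROUPS_NESTED),
                               ("right added, not a member", DC_FIXED, GROUPS_NOT_NESTED),
                               ("right added, group nested", DC_FIXED, GROUPS_NESTED)]:
        print(label, audit_rdp_right(inf, "EXAMPLE\\alice", groups))
```

Only the third case lets the sample user in: the right must list Remote Desktop Users and the user must reach that group, directly or through a nested group.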

Guest Marc S
Posted

Re: Login error for new user on Domain Controller TS

 

2 things.
1. I think I figured out why there is a 2nd manual "Remote Users" Security group. On the TS *non-DC* in the Local Remote Desktop Users is added the other Security Group. The consultants must have added users to that in AD, and this Security group was added to the Remote Desktop Users.

2. For the RDP-Tcp permissions, Remote Desktop Users is there with User Access and Guest Access only checked. Only Administrators and System have Full Control. Is that ok?

"Vera Noest [MVP]" wrote:
> Since you seem to have a non-default installation, it is difficult
> for me to say what will work for you now.
>
> But the default setup is like this:
> On a Terminal Server which is *not* a DC, you have to make sure
> that the users are members of the local built-in group Remote
> Desktop Users, on the server itself. That can be achieved either by
> putting the individual user accounts into this group, or by putting
> one or more user groups which contain the user accounts in the
> local Remote Desktop User group. As an example (but not necessarily
> a good configuration): if you put the built-in domain user group
> "Domain Users" (of which all users are a member) into the local
> built-in Remote Desktop Users group on a member server, then all
> domain users can connect to the server by rdp.
>
> The above assumes that you have not modified the security settings
> of the rdp-tcp connection, i.e. that the Remote Desktop Users group
> is still on the permissions list. Check this in Terminal Services
> Configuration - rdp-tcp connection - properties - security
>
> Since one of your Terminal Servers is a DC (again, this is *not*
> recommended!), the requirements are different. A DC does not have a
> local built-in Remote Desktop group, so instead you have to make
> sure that users are members of the domain local built-in group
> Remote Desktop Users.
> And since by default only Administrators have the right to logon to
> a DC, you also have to change the Default Domain Controller Policy:
>
> Go to Computer Configuration - Windows Settings - Security Settings
> - Local Policies - User rights Assignment
> "Allow log on through Terminal Services"
>
> and add the domain local built-in Remote Desktop Users group to the
> list of allowed users.
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___


Guest Vera Noest [MVP]
Posted

Re: Login error for new user on Domain Controller TS

 

1. OK, that seems a likely scenario, and should work.

2. Yes, that's OK.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

Marc S <MarcS@discussions.microsoft.com> wrote on 27 mar 2008:
> 2 things.
> 1. I think I figured out why there is a 2nd manual "Remote
> Users" Security group. On the TS *non-DC* in the Local Remote
> Desktop Users is added the other Security Group. The consultants
> must have added users to that in AD, and this Security group was
> added to the Remote Desktop Users.
>
> 2. For the RDP-Tcp permissions, Remote Desktop Users is there
> with User Access and Guest Access only checked. Only
> Administrators and System have Full Control. Is that ok?

