[gptalk] Re: Group Policy/AD delegation issueq

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 30 Jul 2007 12:00:22 -0700

Strange.

I would open up the local security policy on one of the affected
workstations and check the local Allow Logon through Terminal Services
and the Deny Logon through Terminal Services settings to see which groups
and/or users are listed in the policy.

Is the user in question or the group in question a member of the domain
or local machine Guest group?

What if you try to add the user specifically to Remote Desktop Users
instead of the group and see if that works? Also, you can try removing
the user from Remote Desktop Users and adding him to only the local
Administrators group and see if that works, just for testing of course.

Is the machine Windows XP, Vista, Server 2003?

Omar

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Francis Revere
Sent: Monday, July 30, 2007 11:41 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy/AD delegation issueq

Thanks for the information, Omar.  I disabled the policy and forced an
update on the server.  I added group1 to the Remote Desktop Users group
on the server.  Still, when I attempt to log in as one of the users in
the group, I receive the message that "to login to the computer, you
must be granted the Allow to log on through Terminal Services right."
Something is not right here.  I have group1 set up exactly as Domain
Admins.  Full control on the computer object in AD, group1 added to the
Remote users on the remote tab in server properties.  Any ideas???

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Omar Droubi
Sent: Monday, July 30, 2007 12:42 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy/AD delegation issueq

Did you check on the machine the policy applied to that the remote
desktop checkbox was indeed checked and grayed out to verify that the
policy was indeed applied?

Next I would verify that the firewall on the machine in question is
either disabled or allows the remote desktop protocol. Even many new
antivirus products have firewalls built in and can restrict this
function.

So I would first verify that it works without the GPO, then uncheck the
checkbox, apply the GPO and try again.

Omar

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Francis Revere
Sent: Monday, July 30, 2007 8:16 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Group Policy/AD delegation issueq

What I am attempting to do:  Create an AD group that has Full control of
a specific server in an OU and can remote into this server only within
the OU (for software installation).

What I have done and tried:  I have a group in AD called group1 with 2
members.  This group has been added to the security tab of a server,
called server1 with Full control.  I created a GPO called test and
defined the "Allow Login through Terminal Services" and to group1.
Within the scope, I applied the policy to the OU with server1 in it, and
added the server1 to the security filter.

This did not work for some reason.  I even went as far as logging into
server1 and adding group1 to the remote users group to no avail.

What am I missing????  I know that it is probably something really
simple.
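
The check suggested in the first reply above (which groups and users hold the Allow and Deny Terminal Services logon rights on the affected machine) can be scripted. The following PowerShell is an added example, not written by anyone in this thread; it assumes an elevated PowerShell 3.0+ session on the affected machine and uses the privilege constants SeRemoteInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight, which the thread does not name.

```powershell
# Added example: export the effective user-rights assignments with secedit and
# list who holds the allow/deny Terminal Services logon rights on this machine.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Privilege constants (assumption: not named in the thread) and display names.
$rights = [ordered]@{
    SeRemoteInteractiveLogonRight     = 'Allow log on through Terminal Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs as "*S-1-5-..."; some accounts appear as plain names.
    $entry = $entry.Trim()
    if ($entry -notmatch '^\*(S-1-.+)$') { return $entry }
    $sidText = $Matches[1]
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return "$sidText (unresolved SID)"   # deleted or unreachable account
    }
}

$lines = Get-Content $cfg
foreach ($name in $rights.Keys) {
    '{0} ({1}):' -f $rights[$name], $name
    $line = $lines | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    $members = @()
    if ($line) {
        # Value is a comma-separated list of SIDs/names after the "=".
        $members = @(($line -split '=', 2)[1] -split ',' |
            Where-Object { $_.Trim() } |
            ForEach-Object { Resolve-Principal $_ })
    }
    if ($members.Count -eq 0) {
        '    <no accounts assigned>'
    } else {
        $members | ForEach-Object { "    $_" }
    }
}
Remove-Item $cfg
```

If group1 or Remote Desktop Users is missing from the allow list, or the user falls under any entry in the deny list, the logon is refused regardless of membership in the Remote Desktop Users group, because a deny assignment takes precedence over an allow.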
