
Earlier this morning I dcpromo'ed my second server to be DC2. Everything is working great except for the fact that users aren't able to remote into it.

The user I am trying with is "cs". "Cs" is a member of Domain Users, Remote Desktop Users, and Users.

When I try with "Administrator", it works fine.

Is there a setting in the GPO I'm missing?

EDIT: Exact error message is: "The connection was denied because the user account is not authorized for remote access."

EDIT: More details: DC2 is Server 2008. When I dcpromoed, one of the first things it said was something about TS but I don't remember what it said. Not sure if that's related. DC1 is Server 2008 R2.

Solution: Easier than expected... In addition to adding the users to the "remote users" group, I had to add them to server manager > configure remote desktop > remote tab > select users. I added each individual user there, though I'm sure I could have just added the "remote users" group.

Thank you to those who tried to help. I'd upvote but I can't yet.

Cheers

EagerToLearn

2 Answers


On the Domain Controller; Local Security Policy -> Local Policies -> User Rights Assignment -> Allow log on through Remote Desktop Services

Add the groups you require.

xeon
  • I have "Allow log on through Terminal Services". I added Remote Desktop Users and it's still not working. Does it take time? Do I need to do a gpupdate command from the client? It's a thin client running a stripped down version of Windows so I don't know if that command would even work. – EagerToLearn Jul 06 '11 at 16:25
  • I just checked DC1. DC1 *does* have "Allow log on through Remote Desktop Services". But DC2 does *not* have this option. Does something need to be installed? – EagerToLearn Jul 06 '11 at 16:28
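As an added example (not from the question or either answer): a PowerShell audit that reads the two gates a non-admin RDP logon has to pass on the target server, the "Allow log on through Remote Desktop Services" user right (SeRemoteInteractiveLogonRight, which on a domain controller is set by the Default Domain Controllers Policy rather than by local edits) and the membership of the Remote Desktop Users group (the list behind the Remote tab's "Select Users"). The temp file path is the example's own choice; run it elevated on the server being checked.

```powershell
# Added example: audit both settings that gate RDP logon on this server.
# Run from an elevated PowerShell prompt on the server (e.g. DC2).

$cfg = Join-Path $env:TEMP 'rdp-rights-audit.inf'   # assumed scratch path

# Export the effective user-rights policy (includes rights applied by GPO,
# so on a DC this shows what the Default Domain Controllers Policy enforced).
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeRemoteInteractiveLogonRight*' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries are stored as *SID; translate each to an account name where possible.
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}
Write-Host 'Allow log on through Remote Desktop Services:' ($holders -join ', ')

# Second gate: who is in Remote Desktop Users on this machine. `net localgroup`
# works on a DC too, where the group lives in the domain's BUILTIN container.
$out = net localgroup 'Remote Desktop Users'
$members = @()
$inList = $false
foreach ($l in $out) {
    if ($l -like '---*') { $inList = $true; continue }
    if ($l -like 'The command completed*') { break }
    if ($inList -and $l.Trim()) { $members += $l.Trim() }
}
Write-Host 'Remote Desktop Users members:' ($members -join ', ')

# Both gates must agree: the group needs the right, and the user needs the group.
if (-not ($holders | Where-Object { $_ -like '*Remote Desktop Users' })) {
    Write-Warning 'Remote Desktop Users lacks SeRemoteInteractiveLogonRight; on a DC, edit the Default Domain Controllers Policy, not only Local Security Policy.'
}
if ($members.Count -eq 0) {
    Write-Warning 'Remote Desktop Users is empty; add users via System Properties > Remote > Select Users.'
}
```

If the first gate lists only Administrators, a user in Remote Desktop Users still gets "not authorized for remote access", which matches the symptom in the question.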

The real answer you're looking for, from an administrative standpoint, is to share the folder that has your PowerPoint file in it. Then have the user access that file from Start > Run > \\server\sharename. That will save them time and energy from needing to log in to your new Domain Controller and then find the file that they need to use. Not to mention be 1 billion times more secure.

You don't want an answer to your original question. That will just leave you sad and bitter in the end when you need to reimage the computer because someone was doing something on it they shouldn't have been.

Nixphoe
  • Lol thanks dude, I know how to access a shared folder. The reason TS is needed is because they are thin clients running a stripped down version of Windows. This only comes with a PowerPoint *viewer*. The secretary needs to edit these constantly because they are announcements for each department. Each thin client is hooked up to a 46 inch monitor. The solution that *my boss* came up with was to have these TCs connect to the server and run PPT from there. I have *ZERO* input on this matter. I would think that everyone here would have experience in dealing with incompetent bosses. – EagerToLearn Jul 06 '11 at 18:28
  • 3 things. 1. It's all about how you sell the idea you have. You know this isn't the best solution. If you're going to be using this as a Domain Controller, you need to set up a different server to be your terminal server to remote into. Tact can get you a long way with difficult bosses. Who's going to have to rebuild the domain controller and troubleshoot issues with the domain if things start going missing? 2. If you had included this in your original question, it would have been helpful :) 3. Check this http://serverfault.com/questions/62505/domain-user-can-rdp-into-domain-controller – Nixphoe Jul 06 '11 at 18:58
  • I think you're overestimating the size of the company. Going from one server to two took four years. There is no way they are going to get another server. Even though I tried to explain to them that a $400 quadcore system could handle this simple task. – EagerToLearn Jul 06 '11 at 19:22
  • My manager makes up for his lack of I.T. talent by knowing how to play the *game*. There is nothing I can do to convince him or the head of the company to do this the *right* way. – EagerToLearn Jul 06 '11 at 19:23
  • I think I've asked the question appropriately and entered all the details. The main issue is: people could remote in to this server before I dcpromo'ed it, and now they cannot. Domain Admins can, users cannot. They are added to the remote users group. The strange thing is, I somehow got it working with one user account but the others are not working. Same error message: "The connection was denied because the user account is not authorized for remote access" – EagerToLearn Jul 06 '11 at 19:27
  • @EagerToLearn - I appreciate you're eager to learn, however "I would think that everyone here would have experience in dealing with incompetent bosses" - not really. This is a site for professional sysadmins, in which case we often *are* the bosses. This isn't a site for admin staff needing to do downright dangerous things. – Mark Henderson Jul 07 '11 at 00:17
  • I'm discouraged by your hubris and condescending attitude. This site is usually better than that. I'm also curious as to why you assume it's "dangerous", without knowing anything about our server, or the people who work for us. There is ZERO vital information on our server. We simply use it for AD. And in any case, what would you have me do? The boss is the boss. I'm only 20, with only CCNA and MCITP. And based on the majority of the questions I see on this site, I find it highly disingenuous for you to say most people here are sysadmins; and if they are, then god help those companies. – EagerToLearn Jul 07 '11 at 13:15
  • ADDS is the key to the kingdom. If you control that, you can get access to anything that relies on domain authentication. What if one of your curious interns (substitute any other one of your employees) wants to load up a key logger into the all users startup folder? Well, now they have access to your domain admin pw. With that they can create their own accounts on your domain, add key loggers to any computer on your domain, and get access to your firewalls, routing device, heck, your financial data. Of course this is the worst case, but that is what good security practices prevent. – Nixphoe Jul 07 '11 at 14:21
  • Fair enough, but you're thinking way too deep into it. If someone wanted access to the firewall, they could read the password written on a sticky note on my boss's desk. If they wanted the financial data, they could go to the accounting girl's computer which is not password protected. For this EXACT reason, I myself do not log in through the domain, and use my phone's internet through tethering. For the 10th time now, I wish I could enact a more secure I.T. policy, but I have no such option. This guy Mark is a self-proclaimed sysadmin but couldn't answer my relatively simple question. – EagerToLearn Jul 07 '11 at 17:30
  • I'm not trying to make waves, but I feel I asked the question very respectfully, provided all necessary details, provided what changed before and after it was working/not working. I expected the usual great help from this site, but instead got criticized for things I can't control, even after I explained that I had no rule over our I.T. infrastructure. Xeon was the only person who attempted to answer the question. "This is not a discussion forum" and yet that's exactly what it turned into. – EagerToLearn Jul 07 '11 at 17:33
  • What you are asking, from an administrative standpoint, goes against all logic and security standards for system administrators, which is where all the feedback is coming from. Clearly your bosses are at fault here for not caring whatsoever. You should really plan the best way to get them to understand this. This won't be the last time you meet someone that doesn't understand security; as a system administrator, you need to know how to explain this and get people to understand it, to basically sell the idea behind what you are trying to get done. – Nixphoe Jul 07 '11 at 17:54