I have an AD Server (DC) and a Member Server set up on one computer as a test lab. I have an administrator account and an account called KDM. I have KDM as a member of Remote Desktop Users, and each server is set up in the same OU with a GPO attached to "Allow log on through Remote Desktop Services" with Administrators and Remote Desktop Users attached.

I can RDP to the domain controller with Admin and KDM, but unfortunately I can't RDP with KDM to the Member Server (though I can as Administrator).

Am I missing a setting here that I need to do? My understanding is that the GPO should take care of the RDP logon right, and I know RDP is enabled, so I'm not exactly sure what I am missing.

I know I could just make this user a Domain Admin, but at this point I want to know what the issue is.

Any help in the right direction would be appreciated. If you ask for any information, please note DC2 (my domain computer/2nd server) is installed as Server Core and I am a little newer to PowerShell, although learning! DC1 is a full installation.

EDIT: I also do want to note, when connecting to DC2 with my KDM credentials I do get the certificate prompt and hit yes, and then it just goes blank in mRemoteNG; in the Windows RDP client it says the user is not authorized.

kmalik

1 Answer

There are two components to allowing RDP access:

  1. User rights, which you've granted via your GPO

  2. Permissions, which need to be granted on the RDP server itself by way of membership in the local Remote Desktop Users group or by way of granting permissions directly on the RDP listener. If you grant permissions directly on the RDP listener you need to grant your user the User Access and the Guest Access permissions.

From Microsoft:

To use RDS to successfully log on to a remote computer, the user or group must be a member of the Remote Desktop Users or Administrators group and be granted the Allow log on through Remote Desktop Services right.

Additionally, only members in the domain Administrators group can log onto a Domain Controller via RDP.

joeqwerty
  • So whichever server you want to RDP to has to be added to a local RDP group, not a global AD group like I thought? – kmalik Sep 10 '15 at 13:02
  • Right. Membership in the domain group doesn't confer the permissions that the user needs unless the domain group has those permissions on the RDP listener on the server. This article describes it fairly concisely - http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx – joeqwerty Sep 10 '15 at 15:03
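The following script is an added example, not code from the question or the answer above. It checks both prerequisites the answer describes on a member server: membership in the server's local Remote Desktop Users group (the listener permission) and the effective SeRemoteInteractiveLogonRight ("Allow log on through Remote Desktop Services", the user right delivered by the GPO). It assumes a domain NetBIOS name of CONTOSO, a member server named DC2 reachable over WinRM, an account CONTOSO\KDM, an elevated session run as a domain admin, and PowerShell 5.1 or later on the target so that the Microsoft.PowerShell.LocalAccounts cmdlets are available; all of those names are assumptions.

```powershell
# Added example (not from the original post). Assumed names: CONTOSO, DC2, CONTOSO\KDM.
# Checks the two RDP prerequisites on a member server and, with -Fix, adds the account
# to the LOCAL Remote Desktop Users group, which is what the GPO user right alone does not do.
param(
    [string]$ComputerName = 'DC2',
    [string]$Account      = 'CONTOSO\KDM',   # a user, or better, a domain group such as CONTOSO\RDP-MemberServers
    [switch]$Fix
)

$result = Invoke-Command -ComputerName $ComputerName -ArgumentList $Account, $Fix.IsPresent -ScriptBlock {
    param($Account, $Fix)

    # Component 2 from the answer: permission on the RDP listener via the local Remote Desktop Users group.
    $members  = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    $isMember = [bool]($members | Where-Object { $_.Name -eq $Account })

    if (-not $isMember -and $Fix) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $Account
        $isMember = $true
    }

    # Component 1 from the answer: the user right as effectively applied on this machine.
    # secedit exports the resolved policy, so this reflects what the GPO actually delivered.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # The exported line looks like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    # Entries are SIDs prefixed with '*' (occasionally plain names); normalise everything to SIDs.
    $grantedSids = @()
    if ($line) {
        $grantedSids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $entry = $_.Trim()
            if ($entry -like '*S-1-*') { $entry.TrimStart('*') }
            else {
                (New-Object System.Security.Principal.NTAccount($entry)).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            }
        }
    }

    # The right is satisfied if the account holds it directly, or if it is in the local
    # Remote Desktop Users group (well-known SID S-1-5-32-555) and that group holds it.
    $acctSid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
    $hasRight = ($grantedSids -contains $acctSid) -or
                ($isMember -and ($grantedSids -contains 'S-1-5-32-555'))

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Account         = $Account
        InLocalRdpGroup = $isMember
        HasLogonRight   = $hasRight
        RightGrantedTo  = ($grantedSids -join ',')
        CanRdp          = ($isMember -and $hasRight)
    }
}

$result | Format-List
```

Run it once without -Fix to see which of the two prerequisites is missing; in the situation described in the question, HasLogonRight should already be True (the GPO did its job) and InLocalRdpGroup False. Running it with -Fix adds the account to the local group on that one server. For more than a handful of servers, the usual approach is to create a domain group, put KDM in it, and populate the local Remote Desktop Users group with that domain group through a Restricted Groups or Group Policy Preferences Local Users and Groups setting in the same GPO, so the membership is applied consistently instead of per server. On a domain controller the Builtin\Remote Desktop Users group is a domain group stored in AD rather than a per-machine local group, which is why the same membership worked there without any extra step.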