2

I have new 2012 servers and so far it's only set to allow administrator to remote in.

In Computer Management/Remote Desktop Users, the only member is administrator.

When I try to add the built-in Remote Desktop Users group from the DC, the server does not see this group.

bentek
Casey
  • Are the servers a member of the domain? – longneck Oct 28 '15 at 19:23
  • I'm fairly certain that you can't add a domain Builtin group to a machine local group. Additionally, the domain Remote Desktop Users group has no members so even if you could add it to a machine local group that wouldn't allow domain users to log on via RDS. You'd need to add domain users/groups to that Builtin group. Why don't you just create a domain group, add the appropriate members, and add that to the machine local group? – joeqwerty Oct 28 '15 at 20:53
  • I tried building a different security group and added members, then added that to the built-in Remote Desktop Users, but still the only thing that can RDP is domain admins. – Casey Nov 27 '15 at 20:56

2 Answers

2

The builtin group that you are referencing allows users to log in locally to domain controllers. That is not where you want to add your users. https://technet.microsoft.com/en-us/library/cc756898%28v=ws.10%29.aspx

What you want to do is create a new security group and use Group Policy to propagate that group to the Remote Desktop Users group on local servers.

http://social.technet.microsoft.com/wiki/contents/articles/17671.how-to-add-domain-usersgroup-to-remote-desktop-users-group-on-servers-using-group-policy.aspx

Mass Nerder
  • OK, I tried this and no luck. If I add users to each server's remote desktop group locally it works, but if I try to add the group I built like the way you describe it work, even if I add the group locally it still gets denied. Does the group I built have to be given permission to be a remote group? – Casey Nov 25 '15 at 17:48
  • Make sure the new group policy updates have propagated to the servers before you test. Run `gpupdate` and `GPRESULT /H GPReport.html` to verify. – Mass Nerder Dec 01 '15 at 21:31
  • I tried that as well as leaving it for a day to let it propagate, but still nothing, same. Is there more than one setting in the GPO that needs to be done? This is the one I have: Restricted Groups: Group, Members, Member of: RIVERBANK\Remote Server Users, BUILTIN\Remote Desktop Users – Casey Dec 02 '15 at 17:38
  • You should be creating an AD group called `RDP Users` in your domain controller, then add the users that you want to be able to RDP to every server. Then in your group policy under `restricted groups` you should click `add group`, browse to `RDP Users`, and then under `This group is a member of` you should put `Remote Desktop Users`. You should not be using `BUILTIN` for anything. – Mass Nerder Dec 02 '15 at 19:05
0

Domain Local Groups:

"Can be put into other domain local groups and assigned permissions only in the same domain."

Understanding User and Group Accounts
https://technet.microsoft.com/en-us/library/bb726978.aspx

This is by design. Domain local groups are intended to be used to assign permissions to resources, and thus should be the last in the line to have members. Typically, other group types (Universal/Global) or users are added to Domain Local groups. Domain Local groups that you create may be added to other Domain Local groups.

Greg Askew
  • I tried to build a group for this and made it a security group - global and added a user into it, but when I add that group to the local remote desktop group it still gets denied. – Casey Nov 25 '15 at 17:49
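
A way to check, on one of the member servers, the two things the answers above turn on: whether the domain group actually landed in the local Remote Desktop Users group, and what scope and members that group has. This is an added example, not code from the thread; `jdoe` is a hypothetical account, `RDP Users` is the group name used in the first answer's comments, and the ActiveDirectory module (RSAT) is assumed to be installed on the server.

```powershell
# Added example; run in an elevated PowerShell session on the member server.
# Assumptions: 'RDP Users' is the domain group from the first answer,
# 'jdoe' is a hypothetical sAMAccountName that should be allowed to RDP.
$DomainGroup = 'RDP Users'
$TestUser    = 'jdoe'

# 1. Read the local Remote Desktop Users group through the WinNT provider.
#    This works on Server 2012, which does not ship Get-LocalGroupMember.
$rdu = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
$localMembers = @($rdu.psbase.Invoke('Members') | ForEach-Object {
    # Domain accounts come back as WinNT://DOMAIN/Name
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})
$groupIsLocalMember = [bool]($localMembers -like "*/$DomainGroup")

# 2. Look up the group's category and scope in Active Directory.
Import-Module ActiveDirectory
$adGroup = Get-ADGroup -Identity $DomainGroup

# 3. Resolve nested membership to confirm the test user is really in the group.
$userInGroup = [bool](Get-ADGroupMember -Identity $DomainGroup -Recursive |
    Where-Object { $_.SamAccountName -eq $TestUser })

[pscustomobject]@{
    Server             = $env:COMPUTERNAME
    LocalMembers       = $localMembers -join '; '
    GroupIsLocalMember = $groupIsLocalMember      # False: the GPO did not apply
    GroupCategory      = $adGroup.GroupCategory   # must be Security, not Distribution
    GroupScope         = $adGroup.GroupScope      # compare with the scope notes above
    UserInGroup        = $userInGroup             # False: user was never added
} | Format-List

# 4. List the computer-side GPOs that were applied, the console counterpart
#    of the GPRESULT /H report mentioned in the comments.
gpresult /r /scope computer
```

If `GroupIsLocalMember` and `UserInGroup` are both true, have the test user sign out everywhere and retry, since group membership is only picked up at the next logon.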