How do I enable Remote Desktop for standard user?

How do I enable Remote Desktop for local standard users?

  • Question

  • 0

    Hello, recently I have made all my users [standard users] on their respective local computers.

    I need to enforce a domain policy on my 2008R2 DC that allows the Local standard users to remote desktop into their local PC’s from other location using their credentials.

    So far on the DC I have added the users to the Remote Desktop Users group but I still get the “The connection was denied because the user account is not authorized for remote login” error message. If I add the user to the local PC remote users group they are able to log in, but I cannot do this for 200 users. I need a way to allow all my users to be able to RDP in without having to add them to the RDP users group on each of their PCs.

    So far I have tried the following GPOs but it's still not working.

    Group Policy setting to [enable or disable] Remote Desktop

    • Click Start – All programs – Administrative Tools – Group Policy Management.
    • Create or Edit Group Policy Objects.
    • Expand Computer Configuration – Administrative Templates – Windows Components – Remote Desktop Services – Remote Desktop Session Host – Connections.
    • Allow users to connect remotely using Remote Desktop Services [enable or disable]

    Group Policy Preferences to [enable or disable] Remote Desktop

    • Click Start – All programs – Administrative Tools – Group Policy Management.
    • Create or Edit Group Policy Objects.
    • Expand Computer Configuration – Preferences – Windows Settings.
    • Right click Registry – New – Registry Item.
    • General Tab.
    • Action : Update
    • Hive : HKEY_LOCAL_MACHINE
    • Key path : SYSTEM\CurrentControlSet\Control\Terminal Server
    • Value name : fDenyTSConnections
    • Value type : REG_DWORD
    • Value data : 00000000 enable OR 00000001 disable

    Please advise on a better solution.

    Tuesday, May 7, 2013 7:49 AM

  • 1

    If you cannot reboot your clients, a gpupdate /force should update the policy. You can check to see if the policy is applied by running gpresult /v.

    Thanks


    • Edited by Mayur_- Tuesday, May 7, 2013 9:14 AM

    Tuesday, May 7, 2013 8:45 AM

  • 0

    Thank you it worked :]

    Tuesday, May 7, 2013 12:20 PM

20 Replies

· · ·

L0ST_0NE

Aug 9, 2013 at 21:12 UTC

Check the user's Active Directory account in the Terminal Services Profile tab and make sure "Deny this user permission to log on to any Terminal Server" is not checked.

0

· · ·

Bill2718

Aug 9, 2013 at 21:13 UTC

Try this...

//technet.microsoft.com/en-us/magazine/ff404238.aspx

0

· · ·

Nope Aug 9, 2013 at 21:13 UTC

It's not checked.

0

· · ·

shdw1jz Aug 9, 2013 at 21:21 UTC

Have you checked your firewall to make sure it is not blocking port 3389 for RDP coming from the outside of your network?

If the users are trying to RDP from home, make sure that the firewall is forwarding the port 3389 to the user's individual computer/server.

I am assuming that you have a block of public IPs from your ISP to open multiple ports to different devices.

Edited Aug 9, 2013 at 21:33 UTC

0

· · ·

Brian_Noga Aug 9, 2013 at 21:22 UTC

When they log on to their work PC from home PC, are they using domain\username for log on credentials?

0

· · ·

Kelly Armitage Aug 9, 2013 at 21:23 UTC

Just to clarify ...

- A user will remote in to their work PC? [Not a server]? Using RDP?

- On that PC you have added that user's domain account to the LOCAL "remote desktop users" group on the PC?

- You have some kind of natting going on to point the users to the proper PC? Custom port for each PC?

1

· · ·

ericb08132 Aug 9, 2013 at 21:30 UTC

RDP is port 3389 not 389. Correct me if I am wrong. Most likely a typo.

0

· · ·

Kelly Armitage Aug 9, 2013 at 21:32 UTC

If he has it set up for multiple users..... it's quite likely it's not even the standard 3389...... that would only work with a single PC. If he has multiple PCs he'd have to use custom ports on all but one PC, or a gateway method.

0

· · ·

Nope Aug 9, 2013 at 21:32 UTC

I was able to get a bit further by following the link Bill2718 provided by adding the username to the workstation's remote settings. But now it's saying that I need to be granted the allow log on through terminal services right. Yet I have them added to the remote desktop users group. It also says that the remote desktop users group might -not- have that right and that I need to add it but I'm not exactly sure how to go about doing that. [Still learning this stuff]

Brian- Yes

Kelly- 1. Yes

2. I just did that. It got me a bit further than I was.

3. I'm not sure what that is.

0

· · ·

shdw1jz Aug 9, 2013 at 21:32 UTC

ericb08132 wrote:

RDP is port 3389 not 389. Correct me if I am wrong. Most likely a typo.

Yes it is 3389.

0

· · ·

Nick42

Aug 9, 2013 at 21:33 UTC

Kelly Armitage wrote:

Just to clarify ...

- A user will remote in to their work PC? [Not a server]? Using RDP?

- On that PC you have added that user's domain account to the LOCAL "remote desktop users" group on the PC?

That's where I'd start too. The fact that it's telling the remote user that they are not authorized, would steer me away from the firewall/network being the issue.

0

· · ·

Kelly Armitage Aug 9, 2013 at 21:34 UTC

Ahhhh "Nope" I had this recently trying to allow a limited user RDP access....... it's a local security policy or group policy setting.

I'll dig it up.

0

· · ·

Best Answer

Kelly Armitage Aug 9, 2013 at 21:36 UTC

Have a look:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

You can check the local policy but it may be necessary to change it at the group policy level depending on whether you already have that specified [it may be overwritten from group policy, or you may just be able to change it directly on the PC].

0
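Added example, not part of the original thread: a PowerShell check for the situation discussed above, where a user is in Remote Desktop Users but that group may not hold the "Allow log on through Terminal Services" user right (SeRemoteInteractiveLogonRight). The function name Get-RdpLogonRight and the sample INF lines are constructed for illustration; the live commands in the closing comment assume an elevated prompt.

```powershell
# Added example (not from the thread): report which principals hold the RDP
# logon rights in a "secedit /export /areas USER_RIGHTS" INF file.
# Get-RdpLogonRight and the sample lines below are constructed for illustration.
function Get-RdpLogonRight {
    param([Parameter(Mandatory)][string[]]$InfLines)
    $wellKnown = @{
        'S-1-5-32-544' = 'BUILTIN\Administrators'
        'S-1-5-32-555' = 'BUILTIN\Remote Desktop Users'
    }
    foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        # Export format: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
        $line = $InfLines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        $holders = @()
        if ($line) {
            $holders = @(($line -split '=', 2)[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ } |
                ForEach-Object { if ($wellKnown.ContainsKey($_)) { $wellKnown[$_] } else { $_ } })
        }
        [pscustomobject]@{ Right = $right; Holders = $holders }
    }
}

# Constructed sample: a policy has narrowed the "allow" right to Administrators only,
# so membership in Remote Desktop Users no longer grants logon.
$sample = @(
    '[Privilege Rights]'
    'SeRemoteInteractiveLogonRight = *S-1-5-32-544'
    'SeDenyRemoteInteractiveLogonRight = Guest'
)
$report = Get-RdpLogonRight -InfLines $sample
$allow  = ($report | Where-Object Right -eq 'SeRemoteInteractiveLogonRight').Holders
$report | Format-Table -AutoSize -Wrap
if ($allow -notcontains 'BUILTIN\Remote Desktop Users') {
    Write-Warning 'Remote Desktop Users lacks "Allow log on through Remote Desktop Services".'
}

# On a real workstation, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   Get-RdpLogonRight -InfLines (Get-Content "$env:TEMP\rights.inf")
#   net localgroup "Remote Desktop Users"
```

A principal listed under the deny right is refused even when it also holds the allow right, so both rows of the report matter when diagnosing a "not authorized" error.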

· · ·

Nick42

Aug 9, 2013 at 21:36 UTC

//blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx

1

· · ·

Nick42

Aug 9, 2013 at 21:37 UTC

Ha ha. Kelly quicker'n I was.

1

· · ·

Kelly Armitage Aug 9, 2013 at 21:38 UTC

Nick42 wrote:

Ha ha. Kelly quicker'n I was.

phew! lol

I had the identical issue 2 weeks ago.... for the kid as a limited user, stumped me for a bit too.

0

· · ·

Nope Aug 9, 2013 at 21:41 UTC

Neat, I need to mess with GPO which I have 0 experience with. lol

0

· · ·

Kelly Armitage Aug 9, 2013 at 21:43 UTC

Nope........

Nope...... if you don't have a GP in place that will OVER-write it then for simplicity/testing, you can make that change on a single PC to verify. If there isn't a setting for it at the domain level, the local setting will be retained.

0

· · ·

fatmike900 Aug 9, 2013 at 22:03 UTC

Nope wrote:

It's not checked.

What setting is it on then? Set it to allow.

0

· · ·

delta1 Aug 12, 2013 at 18:49 UTC

In Active Directory Users and Computers check that the user's properties under Dial-In tab>Remote Access Permission are "Allow access".

0


How do I create a RDP user in Windows 10?

Click on the Groups option and Select Remote Desktop Users. Adding our newly created user to this Group will allow it to access the server via RDP. Double click on the Remote Desktop Users option and click Add. Type in the username you created earlier in the Enter the object names to select box and click Check Names.


How to add standard user in Windows 10 remote desktop?

You can try any of the methods to add the standard user and later access it by logging in to that username through Remote Desktop Connection. Hold the Windows Key and press R to open Run. Now type “SystemPropertiesRemote” in the text box and click OK. Click “Ok” for all the open windows and close the Remote Desktop


What is Remote Desktop Group Policy

Almost all users who are interested in building safe connections between computers on the internet might have heard about RDP or VPN. RDP stands for the Remote Desktop Protocol. It is a network communications protocol developed by Microsoft that allows users to connect to another computer.

With RDP, you can connect to any computer that runs Windows, view its display and interact with it as if you were working on that machine locally.

Some instances where you may need to use RDP include;

How to Enable Remote Desktop Remotely on Windows 10

The easiest way to enable Remote Desktop on the Windows operating system family is to use the Graphical User Interface [GUI]. To do this:

Open the “System” control panel, go to “Remote Setting” and enable the “Allow remote connection to this computer” option in the Remote Desktop section.

However, this process requires local access to the computer on which you want to enable Remote Desktop.

By default, remote desktop is disabled in both desktop versions of Windows and in Windows Server.

How to Enable Remote Desktop Remotely Using PowerShell

Suppose you want to remotely enable RDP on Windows Server 2012 R2/2016/2019. Here is the procedure:

  1. On your computer, open the PowerShell console and run the following command to connect to your remote server:
     Enter-PSSession -ComputerName server.domain.local -Credential domain\administrator
  2. You will have established a remote session with the computer and can now execute PowerShell commands on it. To enable Remote Desktop, you need to change the registry parameter fDenyTSConnections from 1 to 0 on the remote machine. Run the command:
     Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
  3. When RDP is enabled this way [as opposed to the GUI method], the rule that allows remote RDP connections is not enabled in the Windows Firewall rules.
  4. To allow incoming RDP connections in Windows Firewall, run the command:
     Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
  5. If for some reason the firewall rule is deleted, you can create it manually using the following command:
     netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
  6. In case you need to allow secure RDP authentication [NLA – Network Level Authentication], run the command:
     Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1
  7. Now, from your computer, you can check the TCP 3389 port on the remote host to see if it has become available. To do so, run the command below:
     Test-NetConnection 192.168.1.11 -CommonTCPPort RDP
  8. If successful, you should get results similar to what is shown below:


The above results mean RDP on the remote host is enabled and you can establish a remote desktop connection using the mstsc client.
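Added example, not code from the original article: a PowerShell function that reads back the settings the steps above change (fDenyTSConnections, UserAuthentication, the "Remote Desktop" firewall group) and flags weak combinations such as RDP enabled without NLA. Get-RdpPosture is a constructed name, and the check assumes it runs locally or inside the Enter-PSSession session from step 1, on a system with the English "Remote Desktop" display group used above.

```powershell
# Added example (not from the article): summarise the RDP settings that the steps
# above change and flag weak combinations. Get-RdpPosture is a constructed name.
function Get-RdpPosture {
    $ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication
    $port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

    # Enabled inbound rules of the built-in "Remote Desktop" group. A rule created
    # by hand with netsh (step 5) is not in this group and must be checked by name.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    $public = @($rules | Where-Object { "$($_.Profile)" -match 'Public|Any' })

    $findings = @()
    if ($deny -eq 0 -and $nla -ne 1) {
        $findings += 'RDP is enabled without Network Level Authentication (UserAuthentication is not 1).'
    }
    if ($deny -eq 0 -and $rules.Count -eq 0) {
        $findings += 'RDP is enabled but no rule in the "Remote Desktop" firewall group is on.'
    }
    if ($deny -ne 0 -and $rules.Count -gt 0) {
        $findings += 'RDP is disabled but its firewall rules are still enabled.'
    }
    if ($public.Count -gt 0) {
        $findings += 'RDP firewall rules are enabled for the Public profile.'
    }

    [pscustomobject]@{
        RdpEnabled    = ($deny -eq 0)
        NlaRequired   = ($nla -eq 1)
        Port          = $port
        FirewallRules = $rules.DisplayName
        Findings      = $findings
    }
}

Get-RdpPosture | Format-List
```

The function reads only the values the steps above write; settings enforced through Group Policy are stored separately and take precedence, so confirm them with gpresult as well.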

How to Enable/Disable Remote Desktop Using Group Policy

You can enable or disable Remote Desktop using Group Policy. To do so, perform the following steps:

  1. Search for gpedit.msc in the Start menu. In the program list, click gpedit.msc.
  2. After Local Group Policy Editor opens, expand Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Connections.
  3. On the right-side panel, double-click Allow users to connect remotely using Remote Desktop Services.
  4. Select Enabled and click Apply if you want to enable Remote Desktop. Select Disabled and click Apply if you need to disable it.

You will now have enabled or disabled Remote Desktop using Group Policy.

Network Level Authentication NLA on the remote RDP server

Network Level Authentication is a method used to enhance RD Session Host server security by requiring that a user be authenticated to RD session Host Server before a session can be created.

If you want to restrict who can access your PC, you can choose to allow access only with Network Level Authentication [NLA]. NLA is an authentication tool used in RDP Server. When a user tries to establish a connection to a device that is NLA enabled, NLA will delegate the user’s credentials from the client-side Security Support Provider to the server for authentication, before creating a session.

The advantages of Network Level Authentication are:

To configure Network Level Authentication for a connection, follow the steps below.

    1. On the RD Session Host Server, open Remote Desktop Session Host Configuration. To do so, click Start >> Administrative Tools >> Remote Desktop Services >> Remote Desktop Session Host Configuration.
    2. Under Connections, right-click the name of the connection and then click Properties.
    3. On the General tab, select Allow the connection only from computers running Remote Desktop with Network Level Authentication checkbox
    4. Click OK

Note, under step 3, if the “Allow connections only from computers running a remote desktop with network-level authentication” checkbox is not enabled, the “Require user authentication for remote connections by using network-level authentication” Group Policy setting has to be enabled, and has been applied to the RD Session Host Server.
