Remote Desktop Question

bmauro Member Posts: 307
Hey gang - playing around with my lab, I was having some problems with Remote Desktop. I think I have it figured out, but I wanted to see what everyone thought.

My problem was that I was trying to remote into a Win2K3 MEMBER server from an XP box. Here are the particulars.

The user trying to log in was a Domain User
The user was in Active Directory's Remote Desktop Users group
Remote Desktop was enabled on the member server

Every time I tried to log into the member server via RDP, I received:

"The local policy does not permit you to logon interactively" (or something close)

Finally I got it working by removing the user from the AD Remote Desktop Users group and adding the user to the LOCAL Remote Desktop Users group on the member server.

Does that sound right?

Comments

  • bighornsheep Member Posts: 1,506
    The only thing that Microsoft differentiates a Win2K3 member server on is that its security is controlled and authenticated with a DC, making it a member of the domain.

    Since the member server isn't running a domain controller, it doesn't have Active Directory, and does not know about the domain user.

    By adding the user account to the local Remote Desktop Users group, you're giving it permission to log on through RDP. An alternative would have been to add the domain user account as a permitted user in Remote Desktop by going to Computer Properties, Remote tab, and adding the account there.
    Jack of all trades, master of none
  • royal Member Posts: 3,352
    Yep, the Remote Desktop Users group in Active Directory is only for Domain Controllers since they don't have a local SAM database. Otherwise, you have to add the domain users/groups to the Remote Desktop Users group in the local SAM database on the member servers.

    An easy solution would be to create a new group in Active Directory as a replacement for the Remote Desktop Users group. Now you would go into the Terminal Services Configuration on the member server, double-click RDP-Tcp, click on the Security tab, and add the new group that you created in Active Directory with the same permissions as the Remote Desktop Users group. You can now go into local group policy (Computer Configuration > Security Settings > Local Policies > User Rights Assignment) and set "Allow logon through Terminal Services" to grant access to the group you created in Active Directory.

    This should solve your problems, and you can now manage which users/groups are granted access through RDP onto that specific member server. You can also do the group policy through AD if your OU structure is configured accordingly, which would allow all your member servers to grant access to the specific group in AD. You would still have to go onto those servers and grant access in the Terminal Services Configuration.

    Hopefully this helps.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
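The two routes discussed in the replies above (bmauro's and bighornsheep's: put the domain principal in the member server's LOCAL Remote Desktop Users group; royal's: grant "Allow log on through Terminal Services" directly to a custom AD group) can both be scripted and, more usefully, verified from the console of the member server. The script below is an added example for this thread, not code posted by any of the participants. It assumes a domain whose NetBIOS name is CONTOSO and an AD group called RDP-MemberServers (both hypothetical), that it runs elevated on the member server, and that `net.exe` and `secedit.exe` are present (they are on Windows Server 2003 and later). The user right behind the "local policy does not permit you to log on" class of errors is SeRemoteInteractiveLogonRight, which is what `secedit` exports it as.

```powershell
# Added example for this thread; not the original poster's or repliers' code.
# Assumed names: domain CONTOSO, AD group RDP-MemberServers. Run elevated on the member server.
$DomainGroup = "CONTOSO\RDP-MemberServers"   # assumption, substitute your own group

# Route 1 (what bmauro did, and what Computer Properties > Remote > "Select Users" does):
# put the domain group into the LOCAL Remote Desktop Users group. On a member server that
# local group already holds SeRemoteInteractiveLogonRight and has permissions on RDP-Tcp
# by default, so this alone is enough.
net localgroup "Remote Desktop Users" $DomainGroup /add

# Export the effective local security policy and return the line for one user right.
function Get-UserRightLine([string]$Right) {
    $inf = Join-Path $env:TEMP "user-rights.inf"
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    Get-Content $inf | Where-Object { $_ -match ("^" + $Right + "\s*=") }
}

# Who currently holds "Allow log on through Terminal Services"? secedit writes holders as
# comma-separated SIDs prefixed with '*'; translate each back to DOMAIN\Name where possible.
function Get-RemoteLogonRightHolders {
    $line = Get-UserRightLine "SeRemoteInteractiveLogonRight"
    if (-not $line) { return @() }
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $sid = $e.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $sid   # orphaned or unresolvable SID (deleted account): show it raw
        }
    }
}

# Route 2 (royal's approach): grant the right to the AD group itself, keeping the
# existing holders. secedit /configure REPLACES the right's member list, so the
# current entries are read first and merged; dropping them would lock out Administrators.
function Grant-RemoteLogonRight([string]$Account) {
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $existing = @()
    $line = Get-UserRightLine "SeRemoteInteractiveLogonRight"
    if ($line) {
        $existing = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
    }
    if ($existing -contains "*$sid") { return }          # already granted, nothing to do
    $all = ($existing + "*$sid") -join ','

    # Minimal security template containing only the one user right.
    $cfg = Join-Path $env:TEMP "grant-rdp-right.inf"
    $template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
'@
    ($template + "`r`nSeRemoteInteractiveLogonRight = $all`r`n") |
        Set-Content -Path $cfg -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP "grant-rdp-right.sdb") /cfg $cfg /areas USER_RIGHTS | Out-Null
}

Grant-RemoteLogonRight $DomainGroup

"Accounts allowed to log on through Terminal Services on $env:COMPUTERNAME:"
Get-RemoteLogonRightHolders
```

Two caveats a practitioner will want. First, user-rights assignments are not merged between local policy and domain GPO: if any GPO linked to the server's OU defines "Allow log on through Terminal Services", that list wins outright and the local grant above is silently discarded on the next refresh (`gpresult` shows which GPO is winning). Second, granting the user right is only half of royal's recipe; the group still needs User Access on the RDP-Tcp listener, which on Windows Server 2003 is set in Terminal Services Configuration (tscc.msc) as he describes. Members of the local Remote Desktop Users group get both pieces by default, which is why bmauro's fix worked without touching either.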
  • bmauro Member Posts: 307
    Thanks guys - I think that makes sense.

    So to recap: the Remote Desktop Users group in AD is good for Domain Controllers, and the local SAM is used for Member Servers.

    I'm going to play around with it some more. I'm just trying to understand the different logon error messages and what they point to for the 290. Transcender beat me up kinda good on that subject.