
GPO / Terminal Server Question

Status
Not open for further replies.

tman138

IS-IT--Management
Nov 27, 2001
128
US
I am in the process of replacing a legacy system running in DOS from WIN98 clients and need to keep the 98 clients active until the transition. My new ERP system runs only on WIN2K or XP clients so I plan to use terminal server and RDP from the 98 clients until fully implemented. I have a WIN2K3 server running terminal server. I have set up a user OU for the ERP users (ERPUsers OU) with a GPO enabling terminal server for that group of clients. My problem is that the clients can only log on when I enable Remote Desktop user connectivity, and the client is a member of the remote desktop users group. The fact that Terminal services is enabled, and that the ERPUsers group has terminal services security enabled and the GPO applied seems to have no effect. I have verified permissions to the RDP-tcp connection in Terminal Services Configuration granting User Access. I've also checked that the user right assignments in domain security settings has the ERPUsers granted permissions to Allow Log On through Terminal Services. What am I missing here?
 
My problem is that the clients can only log on when I enable Remote Desktop user connectivity

Not 100% sure what you mean by "enable remote desktop user connectivity". You mean users can only log on through terminal services if you enable Remote Desktop on the server?
and the client is a member of the remote desktop users group

By client do you mean the computer the user is logged onto locally? Try running an RSOP on the 2003 server for one of the user accounts and see what results you get.

 
Yes. If I uncheck 'Enable Remote Desktop on this computer' I don't even get a login screen. I get an error message 'The client could not connect to the remote computer' ...
 
gmail2 the 'Remote Desktop Users' is a built in Domain Local group that is used to grant access to "Remote Desktops" (RDP) and since Terminal Services is also an RDP service the two rights are required. Hence Terminal services is tied to Remote Desktop Support.

The short answer here is that with Win2k3 Server your users will need to be a member of the 'Remote Desktop Users' group.

What I do is this. (We have 64 Terminal Servers in our outsourcing solutions farm.)

Create a Domain Global group for your Terminal Server users, then make your new Domain Global group a member of 'Remote Desktop Users'.

Domain Global groups can be members of Domain Local groups but not the other way around.

Hope this post helps you.


Thanks

John Fuhrman
Titan Global Services
 
That's exactly how I granted access to my ERPusers group - which is a domain global security group and part of a custom organizational unit ERPUsersOU and the only member of the Remote Users Group. ERPUsersOU was linked to my GPO and enforced. The problem is that the group policy that I assigned is being ignored. I used Microsoft's Common Scenarios Template and employed the 'Highly Managed' template for GPO but all of its settings are being ignored. I have restricted disk access to the ERPusersOU which is working fine. The problem though is that users still have access to control panel for instance, even though it has been prohibited by the GPO.
 
OK, I'm still slightly confused !! The main issue is that you think your policy isn't being applied when the users log onto the server, right? Did you try running RSOP? I presume the users who logon to the server through TS are under the ERPusersOU? Maybe there's a conflict in the policies? Or maybe the user you are logging in as is also a member of another group who does have access to control panel?

Also, it sounds like you're restricting control panel access to the users regardless of where they log on. Do you really want to do this? Maybe if you enabled loopback processing at the server level it would be better? Just a suggestion ... but that's a whole different kettle of fish !

Hope I haven't misunderstood.
Good Luck



 
gmail, you're right, I went a bit off track. I was trying to explain why on a 2003 TS you have to have Terminal Services running and have your users as members of the Remote Desktop Users group.

tman138, gmail2 is right, you should be looking into the results of an RSoP on your TS to see what is or is not being applied through your GPOs.



Thanks

John Fuhrman
Titan Global Services
 
Using group policy modeling in the group policy management console I was able to determine my policy was totally being ignored. I had created an organizational unit whose members had been created as members of other OUs. I'm still unsure as to why this is happening, but I was able to successfully apply my GPO at the parent OU level. Thanks to all who contributed.
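An added example, not code from the thread (and written for a current domain with the RSAT ActiveDirectory and GroupPolicy modules rather than the 2003-era consoles the posters used): a PowerShell script that does John Fuhrman's group nesting, checks the GPO link, and then flags the cause tman138 eventually found, user objects that are members of the group but live outside the OU the GPO is linked to. The names ERPUsers, the OU path, the GPO name and TS01 are assumptions.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory and
# GroupPolicy modules on a domain-joined admin host with rights on the TS.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'ERPUsers'                          # assumed domain global group
$OuDn      = 'OU=ERPUsersOU,DC=example,DC=com'   # assumed OU the GPO is linked to
$GpoName   = 'ERP Highly Managed'                # assumed GPO name
$TsHost    = 'TS01'                              # assumed terminal server

# 1. Global group for TS users, nested in the server's Remote Desktop Users.
#    Global groups may be members of (domain) local groups, not the reverse.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuDn
}
$domainGroup = "$env:USERDOMAIN\$GroupName"
Invoke-Command -ComputerName $TsHost -ScriptBlock {
    param($member)
    if (-not (Get-LocalGroupMember 'Remote Desktop Users' |
              Where-Object Name -eq $member)) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $member
    }
} -ArgumentList $domainGroup

# 2. Confirm the GPO is actually linked, and enabled, at the OU.
$link = (Get-GPInheritance -Target $OuDn).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
if (-not $link -or -not $link.Enabled) {
    Write-Warning "'$GpoName' is not linked and enabled at $OuDn"
}

# 3. The thread's real cause: a GPO linked to an OU applies to the user
#    objects stored under that OU, not to members of a group. Flag members
#    whose account lives elsewhere, since the GPO will never reach them.
$outside = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and
                   $_.distinguishedName -notlike "*,$OuDn" }
foreach ($u in $outside) {
    Write-Warning ("{0} lives at {1}; '{2}' linked at {3} will not apply" -f
        $u.SamAccountName, $u.distinguishedName, $GpoName, $OuDn)
}

# 4. Resultant Set of Policy on the TS for one member (the RSoP gmail2 asked
#    for). The user must have logged on to the TS at least once.
$sample = (Get-ADGroupMember -Identity $GroupName |
           Where-Object objectClass -eq 'user' | Select-Object -First 1).SamAccountName
Get-GPResultantSetOfPolicy -Computer $TsHost -User "$env:USERDOMAIN\$sample" `
    -ReportType Html -Path "$env:TEMP\rsop-$sample.html"
```

Step 3 is the check that would have pointed straight at the answer in the last post: moving the GPO link to the parent OU worked because that OU actually contains the user objects.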
 