Domain authentication issues ...

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have an SBS server as my Domain Controller using Active Directory.
I have 2 W2003R2 servers running as Terminal Servers.
I have a group of local domain users on my LAN that access my Terminal
Servers via RDP. They are added to the DC's Remote Desktop Users security
group.

When a user logs onto my first Terminal Server (TS1) via RDP, they are
granted access with no adjustments to TS1. If I've forgotten to add the user
to the DC's Remote Desktop Users security group, they cannot gain access, but
can as soon as I do.

When the same user tries to log onto TS2, they receive the error message:
"To log onto this remote computer, you must be granted the Allow log on
through Terminal Services right ...." and suggests the Remote Desktop Users
group. If I add that user to the Remote Desktop Users group on TS2, they can
gain access.

Why would TS1 get the security from the DC but TS2 does not? Can someone
point me in a direction ?

Thanks

Steve
 
This clearly seems to be a Group Policy Issue...
Make Sure the 2 TS Servers are in the same OU
Make sure the Local RDP group is not a member of the Domain RDP Group...

--
Binu Kumar (MCSE NT/2000/2003)
SBS 2000/2003
Microsoft ( PSS )

===============================
 
Hi Steve
Users must be added to the Remote Desktop Users security group on the TS
servers and not on the DC, actually the SBS doesn't run Terminal Services,
however can act like a TS Licensing Server.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
Correct. My SBS machine is the DC and the W2003R2 servers are Terminal
Servers.

That's what Microsoft tells me, yet my TS1 doesn't require that for users to
log on. It requires that my user is in the Remote Desktop Users group on the
DC.
My TS2, however requires what you're saying.

Why, then, if the TS does require the users to be in the local group, does
TS1 allow users to log on via RDP?

Steve
 
Thanks for the reply. Please excuse my ignorance, but how do I determine if
the 2 TS Servers are in the same OU?
 
Unless something has been change, Members of Local Administrators and Remote
Desktop Users can logon through TS on the member servers, you can check this
on the Local GPO each of these Member servers,
type from cmd: gpedit.msc
and navigate to:
computer configuration->windows settings->security settings->Local
policies->User rights Assign->Allow logon through TS


--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
in that case you may have users that are members of some group that denies
logon through terminal services.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
The same user that logs onto TS1 without issue, simply by being a member of
the Remote Desktop Users group on the DC cannot log onto TS2.
 
What can I say....
The Users must be members of Remote Desktop Users on BOTH Servers.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
Back
Top