How do I allow Active Directory users to Remote Desktop?

Allow Remote desktop for a domain user



    Hi,

    I want to allow Remote Desktop access for multiple users in a Windows Server 2012 domain.

    All users are members of the Domain Users and Remote Desktop Users groups in Active Directory.

    Remote Desktop has been enabled on all the other servers in the same domain, and "Allow log on through Remote Desktop Services" is enabled for the Administrator and Remote Desktop Users groups.

    However, users are still not able to connect, and they are getting the following error:

    "The connection was denied because the user account is not authorized for remote login"

    If I add them to the local Remote Desktop Users group of every machine in the domain, access is granted.

    What should I configure to allow RDP for all users without adding them to the local Remote Desktop Users groups?

    Regards,

    Tarek

    Thursday, October 20, 2016 6:07 PM

All replies


    Hi Tarek,

    Remote Desktop has been enabled on all the other servers in the same domain, and "Allow log on through Remote Desktop Services" is enabled for the Administrator and Remote Desktop Users groups.

    However, users are still not able to connect, and they are getting the following error:

    "The connection was denied because the user account is not authorized for remote login"

    If I add them to the local Remote Desktop Users group of every machine in the domain, access is granted.

    What should I configure to allow RDP for all users without adding them to the local Remote Desktop Users groups?

    >>>The error may occur when the user is a member of the Remote Desktop Users group but that group is not present in the GPO for “Allow Logon through Terminal Services”.

    I suggest you configure a GPO with Administrator and those specific users for the setting "Allow log on through Remote Desktop Services".

    To allow domain users to log on remotely to a domain member, we need to delegate the remote logon and logon rights to the domain users.

    In other words, we need to add the user to the Remote Desktop Users group and delegate "Allow log on through Remote Desktop Services".

    For more information, please refer to the article below.

    “Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group

    //blogs.technet.microsoft.com/askperf/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group/

    Best Regards,

    Jay


    Friday, October 21, 2016 1:26 AM


    Hi TarekF,

    From my understanding, adding a user or group to the built-in Remote Desktop Users group in Active Directory will give them access to all servers in the domain without adding this group again to the local Remote Desktop Users group of every server.

    >>>I have tested this. If I add the user to the group, I cannot see the user in the local Remote Desktop Users group.

    As I mentioned, the users are members of the Remote Desktop Users built-in domain group, and this group is already added to the "Allow log on through Remote Desktop Services" GPO setting of the remote server [this setting is there by default].

    >>>As mentioned above, to allow those users to log on to the computers remotely, if the computer is a domain member, you just need to add the user to the local Remote Desktop Users group, like below.

    If the computer is a domain controller, you need to add the user to the local Remote Desktop Users group and give the user "Allow log on through Remote Desktop Services" in the GPO.

    Best Regards,

    Jay


    Tuesday, November 1, 2016 2:50 AM


    No, I tried, can't add.

    Wednesday, March 28, 2018 5:09 PM


    It works for me.

    Friday, July 24, 2020 5:57 PM

    net localgroup "Remote Desktop Users"
    Alias name     Remote Desktop Users
    Comment        Members in this group are granted the right to logon remotely

    Members
    -------------------------------------------------------------------------------
    rmd1
    rmd2
    rmd3
    rmd4
    rme1
    rme2
    rme3
    rme4
    test

    The user group is also added here.

    And I'm still getting this error:

    What am I missing?


    DSPatrick answered Nov 8, '21 | KatherineMMoss-0910 commented Nov 24, '21

    Read on here.
    //techcommunity.microsoft.com/t5/ask-the-performance-team/8220-allow-logon-through-terminal-services-8221-group-policy-and/ba-p/374961


    DangerD-9009 · Nov 08, 2021 at 09:21 PM


    Permissions for the RDP-TCP listener can be set using the Tsconfig.msc - that's not available in Windows 2019

    Didn't help...
    Users are in Remote Desktop Users group.



    Added the group here also, but it still doesn't work...
    What else should I do?



    DSPatrick DangerD-9009 · Nov 08, 2021 at 10:46 PM

    Also check they're not in Deny log on through Remote Desktop Services or Deny access to this computer from the network








    DangerD-9009 DSPatrick · Nov 08, 2021 at 11:17 PM

    It's empty, it's a new Windows installation.


    KatherineMMoss-0910 DangerD-9009 · Nov 24, 2021 at 06:28 PM

    I would recommend creating a specific group that has the user right of remote logon assigned and then adding your users to that group; it's better practice to create your own groups for AD rather than using the built in ones.


    DSPatrick answered Nov 9, '21 | DangerD-9009 commented Nov 10, '21

    Maybe it's an AD DNS issue; all PCs are connected to one router which is using Google DNS 8.8.8.8.

    Please run;

    Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log
    repadmin /showrepl >C:\repl.txt
    ipconfig /all > C:\dc1.txt
    ipconfig /all > C:\dc2.txt
    ipconfig /all > C:\problemworkstation.txt

    then put unzipped text files up on OneDrive and share a link.





    DangerD-9009 · Nov 10, 2021 at 11:50 AM

    Done:
    //1drv.ms/u/s!AlsIiKKz7uaTjXlp2IrWlI5-DVFz?e=hzWySl


    DSPatrick answered Nov 10, '21 | DangerD-9009 commented Nov 18, '21

    • srv3 is multi-homed; do not install the domain controller on a hypervisor. Multi-homing a domain controller will always cause no end of grief for Active Directory DNS.

    • There may be an IPv6 DHCP server on the network. IPv6, if not configured correctly, will be problematic, so I'd suggest turning off the router's IPv6 DHCP server.

    • The domain controller and all members should have the static IP address of the DC listed for DNS and no others such as router or public DNS [router?].

    • I did not look further because these are all show stoppers.



    DSPatrick · Nov 15, 2021 at 01:24 PM

    Just checking if there's any progress or updates?


    DangerD-9009 · Nov 18, 2021 at 10:57 AM

    srv3 is multi-homed, do not install the domain controller on hypervisor.

    I'm a bit confused; I'm a bit new to Windows administration. What should I change?

    There may be an IPv6 DHCP server on network.

    There's no way to disable IPv6 DHCP on it, so I've disabled it manually on all PCs and set static IP addresses.

    Just realized that I have to specify the domain in the user name while connecting from RDP... "domain\user" this way it works. Is there any way to not specify the domain?


    DSPatrick answered Nov 18, '21 | DSPatrick commented Nov 24, '21

    Please put up a new set of files to look at.
    Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log
    repadmin /showrepl >C:\repl.txt
    ipconfig /all > C:\dc1.txt
    ipconfig /all > C:\dc2.txt
    ipconfig /all > C:\problemworkstation.txt

    then put unzipped text files up on OneDrive and share a link.





    DSPatrick · Nov 19, 2021 at 10:07 AM

    Just checking if there's any progress or updates?


    DangerD-9009 DSPatrick · Nov 22, 2021 at 12:12 PM

    I can't post a link here...
    //1drv.ms/u/s!AlsIiKKz7uaTjgTnbhjuFSHKDWO8?e=bYJbEj

    After posting some text I'm able to add a link; that's a bug...


    DSPatrick DangerD-9009 · Nov 22, 2021 at 02:02 PM

    srv3 is multi-homed. Multi-homing a domain controller will always cause no end of grief for Active Directory DNS [do not install Active Directory Domain Services on a hypervisor].

    The domain controller and all members must use the static IP address of the DC listed for DNS and no others such as router or public DNS [remove Google DNS].

    I did not look further since these two are show stoppers.


    piaudonn answered Nov 23, '21

    Note that the "Remote Desktop Users" group in the AD console [since you have the windows-active-directory tag] is only used to give RDP access to the domain controllers.
    Just make sure you keep this group empty. You don't want non-admins opening interactive sessions on your domain controllers [it's a no-no-no].

    To allow a user to open an RDP session on a member server, the user will need the "Allow log on through Remote Desktop Services" privilege on the target system. This is given by default on member servers to users who are members of the local group "Remote Desktop Users" [the group on the local server, not the AD group]. Or you can specify your own through group policy. Everything is explained in the post @DSPatrick mentioned. I just tried it on my different labs; it works fine on Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019.

    When Network Level Authentication is enabled [which should be the case by default, and stay that way], you will also need the privilege "Access this computer from the network", which by default is given to the "Users" group [which by default contains the AD group "Domain Users", so everyone unless you played with that group in AD].

    When you get the following error message, you should see an event ID 4625 on the target server telling you why it failed [likely lack of the privileges mentioned above].
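As an added example (not from piaudonn's answer or any other poster), the PowerShell below audits the two requirements described above on a set of member servers and pulls the recent 4625 failures that explain a denial. It assumes WinRM is reachable with local admin rights on the targets, that Get-LocalGroupMember is available (Windows PowerShell 5.1 on Server 2016 or later), and that the server names and the group CONTOSO\RDP-Users are placeholders to replace.

```powershell
# Added example, not the thread's own code. Placeholders: server names and the
# domain group. Requires an admin session on each target (secedit, Security log).
$Servers     = @('member01', 'member02')
$DomainGroup = 'CONTOSO\RDP-Users'

$report = Invoke-Command -ComputerName $Servers -ArgumentList $DomainGroup -ScriptBlock {
    param($Group)

    # Requirement 1: the domain group must sit in the *local* Remote Desktop Users
    # group of the member server; the AD group of the same name only matters on DCs.
    $members      = @(Get-LocalGroupMember -Group 'Remote Desktop Users' |
                      Select-Object -ExpandProperty Name)
    $inLocalGroup = $members -contains $Group

    # Requirement 2: the effective user-right assignments. secedit exports them as
    # "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555"
    # (S-1-5-32-544 = Administrators, -555 = Remote Desktop Users, -545 = Users).
    $cfg = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $rdpRight = $rights | Where-Object { $_ -like 'SeRemoteInteractiveLogonRight*' }
    $netRight = $rights | Where-Object { $_ -like 'SeNetworkLogonRight*' }          # NLA needs this
    $denyRdp  = $rights | Where-Object { $_ -like 'SeDenyRemoteInteractiveLogonRight*' }

    # Recent 4625 events. LogonType 10 = RemoteInteractive, 3 = Network (the NLA
    # pre-authentication). SubStatus 0xC000015B = "account lacks this logon type".
    $fails = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625;
                 StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = ($d | Where-Object Name -eq 'TargetUserName').'#text'
                LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'
                SubStatus = ($d | Where-Object Name -eq 'SubStatus').'#text'
                Source    = ($d | Where-Object Name -eq 'IpAddress').'#text'
            }
        }

    [pscustomobject]@{
        Server             = $env:COMPUTERNAME
        GroupIsLocalMember = $inLocalGroup
        RdpLogonRight      = $rdpRight
        NetworkLogonRight  = $netRight
        DenyRdpRight       = $denyRdp
        RecentDenials      = $fails
    }
}

$report | Format-List Server, GroupIsLocalMember, RdpLogonRight, NetworkLogonRight, DenyRdpRight
$report.RecentDenials | Format-Table Time, User, LogonType, SubStatus, Source -AutoSize
```

A server where GroupIsLocalMember is False and the denials show SubStatus 0xC000015B is exactly the symptom the thread describes; a populated DenyRdpRight line is the check DSPatrick asked for.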


    davidr4


    Nov 23, 2016 at 16:07 UTC

    ryanbrad wrote:


    I have added the group "Domain Users" to the group "Remote Desktop Users" within AD users and computers.


    That is for Domain Controllers; you need to add the users to the local Remote Desktop Users group on each workstation. You can use Group Policy to push that out.

    //community.spiceworks.com/how_to/907-gpo-to-push-out-local-administrators-across-a-domain

    Use Remote Desktop Users instead of Local Admins


    Neally


    Nov 23, 2016 at 16:11 UTC

    I wonder about the reason... as allowing everyone to remote into other machines is weird...

    Have you added them to the group here:

    If they try to RDP, what's the error they are getting?

    You might as well just add the RDP rights for 'Authenticated Users' if you really want anyone to RDP into any computer... Did you also set firewall rules to allow RDP and such?


    Da_Schmoo


    Nov 23, 2016 at 16:14 UTC


    Sounds like you are confusing the local Remote Desktop Users group and the domain Remote Desktop Users group. If you are adding users to the domain group, you need to add that group to the local machine.


    JitenSh


    Nov 23, 2016 at 16:27 UTC


    The GPO option is a good idea, as you also need to enable RDP on all computers.

    //www.dannyeckes.com/server-2012-enable-remote-desktop-rdp-group-policy-gpo/


    dbeato


    Nov 24, 2016 at 04:01 UTC

    In addition to all the great ideas here [not sure of the purpose of enabling RDP to all computers]: first you should create a separate GPO for only the OU of computers or users. Then I would recommend locking down the users that have access to RDP [by security groups] as shown below:

    //www.itnotes.eu/?p=2224

    Make sure you also enable RDP access through Windows Firewall

    //www.alexcomputerbubble.com/using-group-policy-settings-to-enable-remote-desktop/


Add the user to the Remote Desktop User Group

This can be achieved in a couple of ways, and I will be showing both shortly. The first is via Active Directory Users and Computers [ADUC], which can also be launched via dsa.msc. I recommend you see this guide in order to learn something new: “This computer is a domain controller: The snap-in cannot be used on a domain controller, domain accounts are managed by ADUC snap-in“.

To add it in the Remote Desktop Users group, launch the Server Manager
– Click on Tools,
– And then on Active Directory Users and Computers

This will open the Active Directory Users and Computers snap-in. Double-click on Remote Desktop Users as shown below.

This will open the Remote Desktop Users Properties window. Navigate to the Members tab and click on Add to add users.

Enter the user’s name and click on Check Names as shown below. As you can see, the object is present in AD. Click on OK to close the Remote Desktop Users Properties window. You will have to click on OK again.

This is how you can add users to the Remote Desktop Group on a DC. You may also have to “Allow Log on through Remote Desktop Services” on a DC if not enabled already.

What is Remote Desktop Group Policy

Almost all users who are interested in building safe connections between computers on the internet will have heard about RDP or VPN. RDP stands for Remote Desktop Protocol. It is a network communications protocol developed by Microsoft to allow users to connect to another computer.

With RDP, one can connect to any computer that runs Windows: you connect to the remote PC, view the same display and interact with it as if you were working on that machine locally.

Some instances where you may need to use RDP include;

How to Enable Remote Desktop Remotely on Windows 10

The easiest way to enable Remote Desktop on the Windows operating system family is to use a Graphical User Interface [GUI]. To do this, you need to;

Open the “System” control panel, go to “Remote Setting” and enable the “Allow remote connection to this computer” option in the Remote Desktop section.

However, performing the above process requires local access to the computer on which you want to enable RD.

By default, remote desktop is disabled in both desktop versions of Windows and in Windows Server.

How to Enable Remote Desktop Remotely Using PowerShell

Suppose you want to remotely enable RDP on Windows Server 2012 R2/2016/2019. Here is the procedure to achieve the same;

  1. On your computer, open the PowerShell console and run the following command to connect to your remote server:
     Enter-PSSession -ComputerName server.domain.local -Credential domain\administrator
  2. You have now established a remote session with the computer and can execute PowerShell commands on it. To enable Remote Desktop, change the registry parameter fDenyTSConnections from 1 to 0 on the remote machine:
     Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
  3. When RDP is enabled this way [as opposed to the GUI method], the rule that allows remote RDP connections is not enabled in the Windows Firewall.
  4. To allow incoming RDP connections through Windows Firewall, run:
     Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
  5. If for some reason the firewall rule has been deleted, you can create it manually with the following command:
     netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
  6. If you need to require secure RDP authentication [NLA – Network Level Authentication], run:
     Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1
  7. Now, from your computer, check whether TCP port 3389 on the remote host has become available:
     Test-NetConnection 192.168.1.11 -CommonTCPPort RDP
  8. If successful, you should get results similar to what is shown below:


The above results mean RDP on the remote host is enabled and you can establish a Remote Desktop connection using the mstsc client.
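The procedure above as one idempotent script, added here as an example rather than taken from the article. It runs steps 2 through 7 over a single Invoke-Command session instead of an interactive Enter-PSSession, enforces NLA in the same pass, and falls back to creating the 3389 rule only when the built-in "Remote Desktop" rule group is missing; the server name and credential are placeholders.

```powershell
# Added example (not the article's code). Placeholders: $Server and the account
# passed to Get-Credential. Needs WinRM on the target and local admin rights there.
$Server = 'server.domain.local'
$Cred   = Get-Credential -UserName 'domain\administrator' -Message 'Admin for remote server'

$state = Invoke-Command -ComputerName $Server -Credential $Cred -ScriptBlock {
    $ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdp = Join-Path $ts 'WinStations\RDP-Tcp'

    # Step 2: fDenyTSConnections 0 = RDP enabled (1, the default, = disabled).
    Set-ItemProperty -Path $ts -Name 'fDenyTSConnections' -Value 0 -Type DWord

    # Step 6: UserAuthentication 1 requires Network Level Authentication, so the
    # client must authenticate before any session (or logon screen) is created.
    Set-ItemProperty -Path $rdp -Name 'UserAuthentication' -Value 1 -Type DWord

    # Steps 4/5: the registry change does not touch the firewall. Enable the
    # built-in rule group; recreate an explicit inbound 3389 rule only if it is gone.
    if (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue) {
        Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    } else {
        New-NetFirewallRule -DisplayName 'allow RemoteDesktop' -Direction Inbound `
            -Protocol TCP -LocalPort 3389 -Action Allow | Out-Null
    }

    # Return the effective state so the caller can verify rather than assume.
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        fDenyTSConnections = (Get-ItemProperty -Path $ts).fDenyTSConnections
        UserAuthentication = (Get-ItemProperty -Path $rdp).UserAuthentication
        FirewallRuleOpen   = [bool](Get-NetFirewallRule -DisplayGroup 'Remote Desktop' `
                                 -Enabled True -ErrorAction SilentlyContinue)
    }
}
$state | Format-List

# Step 7: confirm the listener is reachable from this machine (expect TcpTestSucceeded : True).
Test-NetConnection -ComputerName $Server -CommonTCPPort RDP |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If TcpTestSucceeded is False while the returned state shows RDP and the firewall rule enabled, the block is between the machines (network ACL, host firewall profile, or DNS) rather than in the RDP configuration itself.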

How to Enable/Disable Remote Desktop Using Group Policy

You can enable or disable remote desktop using group policy. To do so, perform the following steps

  1. Search gpedit.msc in the Start menu. In the program list, click gpedit.msc as shown below;
  2. After Local Group Policy Editor opens, expand Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Connections.
  3. On the right-side panel. Double-click on Allow users to connect remotely using Remote Desktop Services. See below;
  4. Select Enabled and click Apply if you want to enable Remote Desktop. Select Disabled and click Apply if you need to disable it.

Now you will have enabled or disabled remote desktop using group policy

Network Level Authentication NLA on the remote RDP server

Network Level Authentication is a method used to enhance RD Session Host server security by requiring that a user be authenticated to the RD Session Host server before a session is created.

If you want to restrict who can access your PC, you can choose to allow access only with Network Level Authentication [NLA]. NLA is an authentication mechanism used by the RDP server. When a user tries to establish a connection to a device that has NLA enabled, NLA delegates the user’s credentials from the client-side Security Support Provider to the server for authentication before creating a session.

The advantages of Network Level Authentication are:

To configure Network Level Authentication for a connection, follow the steps below.

    1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To do so, click Start >> Administrative Tools >> Remote Desktop Services >> Remote Desktop Session Host Configuration.
    2. Under Connections, right-click the name of the connection and then click Properties.
    3. On the General tab, select the "Allow connections only from computers running Remote Desktop with Network Level Authentication" checkbox.
    4. Click OK.

Note, under step 3: if the “Allow connections only from computers running Remote Desktop with Network Level Authentication” checkbox is not enabled, the “Require user authentication for remote connections by using Network Level Authentication” Group Policy setting has been enabled and applied to the RD Session Host server.
