
I am a learner in AD and GPOs. Though I have implemented some GPOs in my environment, I am now a little bit confused. My confusion is with the overriding of GPOs. Basically, what I am trying to do is enable RDP for a user to a specific server, which is not a DC. Here's my scenario:

We have a domain-wide GP applied in the environment. To enable a user for RDP, I have added him to the "Allow log on through terminal services" GP. Now assume the two situations mentioned below:

  1. I have added him to the Remote Desktop Users group in AD. After updating the group policy, I checked login with his credentials. But he can't log in; the error is "the requested session access is denied".

  2. I have removed him from the Remote Desktop Users group in AD, and this time added him to the Remote Desktop Users group in Local Users and Groups (lusrmgr.msc) on that server. This time, checking login with his credentials was successful.

I have run the following command on that specific server, and it shows that the domain-wide policy is being applied to the RDP setting.

gpresult /Scope Computer /v

I am a bit confused about how the policy is overridden. I believe local group policy is overridden by default by the domain-wide policy, if the domain-wide policy is enabled. This shows I am wrong. Can someone please clarify this?

FYI, my DC server is Windows 2003 R2 and other servers are 2008R2.

serverstackqns
  • What is the specific object that you setup to get this to work? The order is Local Group Policy > Site > Domain > Organizational unit http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx – Nixphoe Nov 05 '14 at 14:37
  • `1.` `I have added him to "Allow log on through terminal services" GP` - What does that mean exactly? What settings are configured in that GPO? `2.` The Remote Desktop Users domain Builtin group allows users to log into Domain Controllers via RDS. It does not proffer the right to log into member servers via RDS. – joeqwerty Nov 05 '14 at 16:06
  • Also, have a read of this - http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx – joeqwerty Nov 05 '14 at 16:12
  • @Nixphoe: I know the order, and we use a domain-wide GP. I have run the following command on that specific server, and it shows that the domain-wide policy is being applied to the RDP setting: gpresult /Scope Computer /v – serverstackqns Nov 07 '14 at 05:56
  • @joeqwerty: 1. As I said, we have a GPO configured for "Allow log on through terminal services". I added that specific user account to this GPO. This GPO has been defined and the users included are Administrators (group) and then 2 users. 2. Regarding your 2nd point, does that mean we should configure the user in the GPO as well as in the Remote Desktop Users group on the local computer? If so, the Remote Desktop Users group in AD is just for giving RDP access to domain controllers. Am I right? – serverstackqns Nov 07 '14 at 06:32
  • @serverstackqns Regarding your second point, you're correct. That policy only applies to domain controllers. The easiest way to manage this is to create a remote desktop users group in AD, then add that group to the local remote desktop users group using Group Policy. That way you can centrally manage access and you don't have to worry about keeping track of local groups. – tfrederick74656 Nov 11 '14 at 17:15

0 Answers
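The comment thread points at two separate gates that a domain user must pass to RDP into a member server: the "Allow log on through Remote Desktop Services" user right (SeRemoteInteractiveLogonRight, the setting gpresult /Scope Computer /v reports), and the RDP-Tcp listener permissions, which by default admit only the server's own BUILTIN\Remote Desktop Users (and Administrators). "The requested session access is denied" is the listener check failing, so granting the user right alone, as in scenario 1, is not enough. The script below is an added example, not code from the question or the comments; it checks both gates on a member server. It assumes an elevated PowerShell session on that server, uses ADSI rather than Get-LocalGroupMember so it also runs on the 2008 R2 servers mentioned, and uses the placeholder account CONTOSO\jdoe.

```powershell
# Added example (not from the original thread): show which principals pass each
# of the two RDP gates on this member server and whether a given user does.
# Assumptions: run elevated on the member server; 'CONTOSO\jdoe' is a placeholder.
param([string]$User = 'CONTOSO\jdoe')

function Get-RemoteInteractiveLogonHolders {
    # Gate 1: the SeRemoteInteractiveLogonRight user right ("Allow log on through
    # Remote Desktop Services"). secedit exports the effective local security
    # database, i.e. what the domain GPO actually pushed down, as *SID entries.
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg |
        Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right held by nobody: RDP is closed for everyone
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries are stored as *S-1-5-...; translate to DOMAIN\name where possible.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
        } else { $entry }
    }
}

function Get-LocalRemoteDesktopUsers {
    # Gate 2: membership of THIS server's BUILTIN\Remote Desktop Users (S-1-5-32-555),
    # the group the default RDP-Tcp listener permissions grant access to. The domain's
    # Builtin group of the same name lives in the DCs' shared SAM and is a different
    # object, which is why scenario 1 in the question failed. ADSI is used because
    # Get-LocalGroupMember does not exist on 2008 R2.
    $group = [ADSI]'WinNT://./Remote Desktop Users,group'
    @($group.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'   # WinNT://CONTOSO/jdoe -> CONTOSO\jdoe
    }
}

$holders = @(Get-RemoteInteractiveLogonHolders)
$members = @(Get-LocalRemoteDesktopUsers)

"Allow log on through Remote Desktop Services is held by:"
$holders | ForEach-Object { "  $_" }
"BUILTIN\Remote Desktop Users on $env:COMPUTERNAME contains:"
$members | ForEach-Object { "  $_" }

# Verdict. Direct membership only; group nesting is not expanded, and local
# Administrators, who pass the listener check by default, are not special-cased.
$rdu      = 'BUILTIN\Remote Desktop Users'
$hasRight = ($holders -contains $User) -or
            (($holders -contains $rdu) -and ($members -contains $User))
$inGroup  = $members -contains $User
New-Object PSObject -Property @{
    User                      = $User
    HasRemoteInteractiveRight = $hasRight
    InLocalRemoteDesktopUsers = $inGroup
    BothGatesPass             = ($hasRight -and $inGroup)
}
```

For the central approach suggested in the last comment, the Group Policy setting is Restricted Groups (Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups): add the domain group there with "This group is a member of: Remote Desktop Users", which appends it to the local group on every targeted server without replacing existing members; the other direction, listing members under the Remote Desktop Users entry itself, overwrites the local membership on each refresh. A one-off manual equivalent on a single server, with the same placeholder names, is `([ADSI]'WinNT://./Remote Desktop Users,group').Add('WinNT://CONTOSO/RDP-Servers,group')`.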