Domain authentication issues ...

Guest

I have an SBS server as my Domain Controller using Active Directory.
I have 2 W2003R2 servers running as Terminal Servers.
I have a group of local domain users on my LAN that access my Terminal
Servers via RDP. They are added to the DC's Remote Desktop Users security
group.

When a user logs onto my first Terminal Server (TS1) via RDP, they are
granted access with no adjustments to TS1. If I've forgotten to add the user
to the DC's Remote Desktop Users security group, they cannot gain access, but
can as soon as I do.

When the same user tries to log onto TS2, they receive the error message:
"To log onto this remote computer, you must be granted the Allow log on
through Terminal Services right ...." and suggests the Remote Desktop Users
group. If I add that user to the Remote Desktop Users group on TS2, they can
gain access.

Why would TS1 get the security from the DC but TS2 does not? Can someone
point me in a direction?

Thanks

Steve
 
Binu Kumar

This clearly seems to be a Group Policy Issue...
Make Sure the 2 TS Servers are in the same OU
Make sure the Local RDP group is not a member of the Domain RDP Group...

--
Binu Kumar (MCSE NT/2000/2003)
SBS 2000/2003
Microsoft ( PSS )

===============================
 
Jorge Silva

Hi Steve,
Users must be added to the Remote Desktop Users security group on the TS
servers and not on the DC. Actually, the SBS doesn't run Terminal Services;
however, it can act as a TS Licensing Server.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
Guest

Correct. My SBS machine is the DC and the W2003R2 servers are Terminal
Servers.

That's what Microsoft tells me, yet my TS1 doesn't require that for users to
log on. It requires that my user is in the Remote Desktop Users group on the
DC.
My TS2, however requires what you're saying.

Why, then, if the TS does require the users to be in the local group, does
TS1 allow users to log on via RDP?

Steve
 
Guest

Thanks for the reply. Please excuse my ignorance, but how do I determine if
the 2 TS Servers are in the same OU?
 
Jorge Silva

Unless something has been changed, members of Local Administrators and Remote
Desktop Users can log on through TS on the member servers. You can check this
in the Local GPO of each of these member servers:
type from cmd: gpedit.msc
and navigate to:
computer configuration->windows settings->security settings->Local
policies->User rights Assign->Allow logon through TS


--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
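
The check suggested above can be run side by side on both terminal servers by exporting each server's user rights with `secedit` and comparing the "Allow log on through Terminal Services" entries. This is an added example, not part of any post in the thread; the sample exports, the domain group SID and the function names are constructed for illustration.

```python
# Added example (not from the thread): diff the RDP logon rights of two servers.
# Export on each terminal server: secedit /export /cfg rights.inf /areas USER_RIGHTS
# Real exports are UTF-16; read them with open(path, encoding="utf-16").
import configparser

# Allow / deny "log on through Terminal Services" as named in the export.
RIGHTS = ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight")
WELL_KNOWN = {"*S-1-5-32-544": "BUILTIN\\Administrators",
              "*S-1-5-32-555": "BUILTIN\\Remote Desktop Users"}

# Constructed sample exports; the S-1-5-21 SID is a made-up domain group.
TS1_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""
TS2_INF = TS1_INF.replace(",*S-1-5-21-1111111111-2222222222-3333333333-1105", "")

def rdp_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # right names are case-sensitive keys here
    cp.read_string(inf_text)
    out = {}
    for right in RIGHTS:
        # A right with no principals is simply absent from the export.
        raw = cp.get("Privilege Rights", right, fallback="")
        names = (p.strip() for p in raw.split(","))
        out[right] = {WELL_KNOWN.get(p, p) for p in names if p}
    return out

def diff_rights(a, b):
    """Return {right: (only_in_a, only_in_b)} for the rights that differ."""
    return {r: (a[r] - b[r], b[r] - a[r]) for r in RIGHTS if a[r] != b[r]}

if __name__ == "__main__":
    delta = diff_rights(rdp_rights(TS1_INF), rdp_rights(TS2_INF))
    for right, (ts1_only, ts2_only) in delta.items():
        print(right, "| only on TS1:", sorted(ts1_only),
              "| only on TS2:", sorted(ts2_only))
```

The right only names the principals allowed to log on; who is inside the local group is listed on each server with `net localgroup "Remote Desktop Users"`.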
 
Jorge Silva

In that case you may have users that are members of some group that denies
logon through terminal services.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
Guest

The same user that logs onto TS1 without issue, simply by being a member of
the Remote Desktop Users group on the DC cannot log onto TS2.
 
Jorge Silva

What can I say....
The Users must be members of Remote Desktop Users on BOTH Servers.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
