win XP Pro SP2 with latest RDP. Workgroup vs. domain

mikesw

I have two Win XP Pro SP2 machines with all the latest patches and
the latest version of RDP. I have a home network with these two machines
which can share printers and disk drives. They are connected to a Belkin
router and a DSL modem to the internet. RDP is enabled in the firewall
in both machines. I have the checkbox enabled on both machines under
the System-->Remote screen so that both machines will allow RDP connections.
One machine has a user account that has admin privileges, but no password.
The second machine has no user accounts since when it boots up it boots
directly to the desktop. The two different computers (with different names)
are in the same WorkGroup called MSHOME.

Problem:
a). When I use RDP to connect to the other machine I can't connect. I have
disabled the usage of the TS Gateway under Advanced Tab in RDP since I
don't have a TS Gateway server. If I assign a password to the user who
has admin privileges on the machine that has the user account, and repeat
the above steps, it still can't connect.

b). When I select from the drop down menu to browse for more computers
I get a popup box, but when I select the name shown to expand a list, it
complains about terminal service/server.

c). In addition to item (b) above, I don't get any list of the other
computer that is in the same Workgroup called MSHOME as me. In fact, I
don't see any Workgroup names to select and the associated computers they
may contain. All I see is the capability to enter the domain name, but I'm
not in a domain. Will a workgroup name work here? If in the computer name
field I enter MSHOME\My computer name for the computer I'm trying to
connect to, it doesn't like that either. So how does RDP handle
WORKGROUP(S) vs. a domain in RDP?

d). If I go to the Advanced tab under Add user in the System screen and
search for a location, no other computers are shown here nor any WorkGroup
names. However, under view my network, I can see the Workgroup MSHOME and
both computers listed here.

Additional info to the above, I've looked at my Win XP Pro computer at work
which is in a domain. It has the v5.1 RDP which is very old. I can browse
for more computers and see the domain name along with expand the list to
see all the (I assume) other Workgroups in the domain which can be expanded
further. In the search location field of the System-Remote->Add User screen
I can see the list of computers too. However, I assume the company has a
Terminal Server Gateway setup to allow this computer to see all the above.
In the case of my home network, I'm having problems.

Presently - Disconnected!...... Help requested....
 
Sooner Al [MVP]

By default users must have a password in order to connect to a PC with
Remote Desktop. Remember the user and password are local to the PC you're
connecting to, not the PC you're connecting from.

Can you ping the PC you're trying to connect to by IP or NetBIOS name?

Have you opened/forwarded TCP Port 3389 through any firewall or router the
PC is behind?

http://theillustratednetwork.mvps.o...pSetupandTroubleshooting.html#Port_forwarding

Make sure the RDP 6 client on your XP boxes is configured like this...

http://theillustratednetwork.mvps.org/ScreenShots/XP/RDP6-XPClientSettings.jpg

Note that in a work group environment you normally can not browse for other
PCs with Remote Desktop without applying a registry hack.

http://tinyurl.com/2wq5u6

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
 
mikesw

Sooner Al said:
> By default users must have a password in order to connect to a PC with
> Remote Desktop. Remember the user and password are local to the PC you're
> connecting to, not the PC you're connecting from.

Hmmm, after I couldn't log into the machine that only had a user account
with no password, I went to that machine and gave it a password and still
couldn't connect.

Moreover, in the newer versions of Remote Desktop, one of the tabs allows
one in a drop down to select "prompt for password" or not to. I assume when
I select not to prompt for password, it will allow me in without a password.
What is the case when both computers have the exact same username and
password accounts? Will RDP use the current logged in username and password
on the machine I'm connecting from and apply this username/password to the
computer I'm trying to RDP/connect to so that I can login automatically?

> Can you ping the PC you're trying to connect to by IP or NetBIOS name?
>
> Have you opened/forwarded TCP Port 3389 through any firewall or router the
> PC is behind?

Although all PC's within the local network of my apartment find each other
via the Belkin router (not a point-to-point system/ad-hoc), I'm not trying
to connect from outside the local LAN yet, from/to somewhere in the world.
Thus, I'd think that I wouldn't need to setup port forwarding in the router
just to connect between PC's in the same room.

Thanks. I've read this from previous posts on this site.

NOTE: If I enter http://theillustratednetwork.mvps.org into my browser, I
get you are not authorized to view this site. However, if I use the rest of
the path you supply, I can see the web info. So if one goes to the homepage
of this site, how does one know what else is there to select and find if the
homepage is not accessible? Remove the homepage protections so that one can
get to the homepage!

> Make sure the RDP 6 client on your XP boxes is configured like this...
>
> http://theillustratednetwork.mvps.org/ScreenShots/XP/RDP6-XPClientSettings.jpg

Yes, this is what I already did and still couldn't connect.

> Note that in a work group environment you normally can not browse for other
> PCs with Remote Desktop without applying a registry hack.
>
> http://tinyurl.com/2wq5u6

Thanks. I'll look into these registry setting(s) just to see what happens.
 
Sooner Al [MVP]

No, the machine you want to login to with Remote Desktop must have a password
by default for the account you're logging in with. Here is an RDP 6
authentication FAQ you may be interested in.

http://blogs.msdn.com/ts/archive/2007/01/22/vista-remote-desktop-connection-authentication-faq.aspx

As a test you might create a new account on the PC you're trying to login to,
with a password, assign them to the Remote Desktop Users Group and try to
login.

Is the machine listening on TCP Port 3389?

http://theillustratednetwork.mvps.o...pSetupandTroubleshooting.html#Troubleshooting

Are you running any type of other software firewall or anti-virus/trojan
software like NAV or OneCare Live that may be blocking incoming Remote
Desktop requests?

Here is the URL for the main page...

http://theillustratednetwork.mvps.org/LAN/The_Illustrated_Network.html

--

Al Jarvi (MS-MVP Windows Networking)

 
mikesw

Here's some updated information for you to add to the website
http://theillustratednetwork.mvp.org .

a). Since all my PC's are connected within the same subnet and are behind a
Belkin router and DSL line to the internet, and all I want is to RDP from/to
these various PC's but not from or to the external world (internet), I do
not need to setup RDP port forwarding in the Belkin router. Only if I want
to go to the office or from the office using RDP, do I have to setup port
forwarding. Thus, a local subnet doing RDP without port forwarding has been
tested and works. Please update the website to make the distinction between
these two different scenarios since not everyone wants to go to/from the
internet.

b). Modifying the section on where one adds users to the list of users
allowed to RDP to the computer that a "password" is required to do this.
Thus if one has a boot to the desktop without any accounts, then one has to
be created with a password and if a user account has been defined, but
without a password, one has to be defined. If I recall, older RDP clients
would allow one to login without a password based on a pulldown menu option.

c). The portquery UI tool helped me isolate my problem about not being able
to connect from a desktop with a directly wired LAN cable to the Belkin
router which wirelessly connected to a laptop. Although Terminal Services is
listed as "Started", my "Startup Status" was "Manual". The
"theillustratednetwork" picture shows this as "Automatic". Question: which
way is correct? However, I was able to connect leaving it as "Manual".
The command "netstat -a" didn't show the port "3389" as "listening". I have
the "let users connect to this PC for RDP" checkbox set and added my user
account name that has a password to the remote users list. Moreover, the
firewall did have in the exceptions screen "Remote Desktop" checkbox
checked. I would think that the "Allow remote connections RDP" and/or having
the firewall RDP checkbox set, that "netstat -a" should show that port 3389
would be listening since one of these checkboxes activates the port to
listen but this isn't the case.

After all of this, there are two things missing in the documents that were
missed on http:\theillustratednetwork.mvp.org that should be added.

1st thing:
1). In the firewall window under the "Advanced" tab there is listed the
    network adaptor that the OS will use for network connections. One of
    the assumptions made on the mvp.org website is that there is only ONE
    NETWORK ADAPTER in the computer. Which in this case will allow RDP
    connections to work as expected. In the case of my laptop there are
    TWO NETWORK ADAPTORS. The wired LAN one isn't plugged in, whereas the
    other one is an internal wireless one which is being used.
2). The Belkin router then assigns via DHCP a network address to the
    wireless one, but since the wired LAN one isn't connected, it isn't
    assigned a network address.
3). In addition, one has to select the network adapter that is being used
    (in my case the wireless one) and click on the settings button. What is
    displayed is a list of services that this network adaptor should let
    through. One of the services listed is "Remote Desktop" which was
    unchecked. Upon checking this box and saving it, it will activate port
    3389 as listening under "netstat -a". After doing this, I was able to
    RDP from the client to this machine and login without problem.
    Hence, add this to theillustrated.mvp.org website for multiple
    Network adaptors on configuring Remote Desktop.
4). If one edits the Remote Desktop service assigned to the network
    adaptor, one can enter the IP address of the computer hosting this
    service. For Remote Desktop, this isn't necessary to fill in. It is
    unknown if this is supposed to be the Terminal Services Server since it
    is this machine which hosts the terminal services when running and may
    default to the loopback address 127.0.0.1 which isn't shown but is used
    behind the scenes.
5). The added feature is that one can have multiple network cards that can
    have various services allowed to come thru the network card or not. In
    this case Remote Desktop.

2nd thing:
1). Under the firewall exception for Remote Desktop, one can edit this
    which displays a checked port number. If one selects the button
    "Change Scope", various radio buttons are displayed that allow one to
    let everyone connect via RDP, only this subnet, or custom where one
    enters the specific comma separated IP addresses of computers on the
    subnet or external that can connect via RDP to this machine. The
    probable intent of these screens may be that when this computer, using
    its firewall, acts like a router via internet connection sharing using
    a modem vs. a dedicated DSL/Router box that these screens are used.
    However, since one can firewall the computer within the local subnet
    from any other PC, it will be useful to let only the local subnet PC's
    coming in on a particular Network adapter card(s), or only specific
    ones using custom. If one allows all, then if the dedicated DSL/router
    box to the internet is connected then the whole internet can get to the
    machine if they have an account to login into (along with setting up
    port forwarding) or via the ICS via the modem and no port forwarding.
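
The checks discussed in this thread (service state, the remote-connections setting, the password requirement, the 3389 listener, the firewall exception and its scope), collected into one batch file as an added example; it is not part of the original posts. It assumes Windows XP SP2 with the built-in `netsh firewall` context and the default RDP port, and the `restrict` argument is a name chosen here.

```batch
@echo off
rem Added example, not from the thread: run on the PC being connected TO.
rem Assumes Windows XP SP2 (legacy "netsh firewall" context), default port 3389.
rem Everything is read-only unless the script is started with the argument
rem "restrict" (a name chosen for this example).

echo == 1. Terminal Services service: state and startup type ==
sc query TermService | find "STATE"
sc qc TermService | find "START_TYPE"

echo == 2. Remote connections setting (0x0 = allowed, 0x1 = denied) ==
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

echo == 3. Blank-password policy (0x1 = blank passwords work at the console only) ==
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse

echo == 4. Accounts in Remote Desktop Users (Administrators are allowed as well) ==
net localgroup "Remote Desktop Users"

echo == 5. Listener on TCP 3389 ==
netstat -an | find ":3389" | find "LISTENING"
if errorlevel 1 echo    Nothing is listening on TCP 3389.

echo == 6. Windows Firewall configuration, including exceptions and scope ==
netsh firewall show config

rem Stop here unless the caller explicitly asked for the scope change.
if /i not "%~1"=="restrict" goto :eof

echo == 7. Limiting the Remote Desktop exception to the local subnet ==
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET
```

Run it without arguments first and read the output top to bottom. `scope=SUBNET` is the command-line counterpart of the subnet-only choice in the "Change Scope" dialog described in the last post.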
 
