Re: new Group Policy and did not connect remote desktop connection
- From: "Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx>
- Date: Wed, 27 Feb 2008 23:08:15 -0800
There are at least five things that relate to allowing logon remotely (e.g. via Terminal Services):
1. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Terminal Services - this controls who has the right to logon via Terminal Services at computers. The default for Servers and Workstations is members of the local Administrators group and members of the local Remote Desktop Users group. For Domain Controllers, the default is only members of the Administrators group.
2. Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Allow users to connect remotely using Terminal Services - controls whether anyone is allowed to connect to this computer remotely using Terminal Services, regardless of whether they have the "right" per item 1 above. If this setting is Not Configured via GPO, an administrator can enable it locally by using the Control Panel, System, Remote dialog.
3. membership of local groups, particularly, Administrators and Remote Desktop Users. Unless the default is changed by "Defining" item 1 (or item 5), a user's account must be a member of one of these groups before they will be permitted to logon via Terminal Services, assuming it is permitted at all (see 2 above). By default, the Remote Desktop Users group is empty.
4. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Terminal Services - specifies who is NOT permitted to logon using Terminal Services
5. Permission to use RDP-Tcp sessions - (local) Administrative Tools, Terminal Services Configuration, Connections - Properties, Permissions
You can populate any local Group (e.g. Remote Desktop Users) using Computer Configuration, Windows Settings, Security Settings, Restricted Groups.
For what it is worth, unless you have a particular, special objective or need, I suggest not changing item 1, 4 or 5 from the default, Enabling item 2 via GPO and populating the Administrators and Remote Desktop Users group (item 3) using Restricted Groups in a (separate) GPO.
There may be other things that control logon via Terminal Services, but I think those above are probably the most common.
--
Bruce Sanderson
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"Hasan Cakır" <HasanCakr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:5D890CEF-220B-4665-82BF-C0CD41468FDB@xxxxxxxxxxxxxxxx
Hi;
I created windows 2003 Server a new Group Policy and add user, I connect
remote desktop connection to the server but "The local policy of this system
does not permit you to login interactively" display error. I setup local
policy "User Rights Assignment" on Log on Allow through Terminal Services add
user that is not problem. What can I do?
Best regards.
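
A read-only way to inspect items 1 to 4 of the reply on a given computer, as an added example that is not part of the original messages. It assumes PowerShell 2.0 or later in an elevated session; the privilege constants (`SeRemoteInteractiveLogonRight`, `SeDenyRemoteInteractiveLogonRight`) and the `fDenyTSConnections` registry value are the standard Windows names rather than names taken from the thread, and the helper function names are made up for this example. Item 5 (RDP-Tcp permissions) is not covered.

```powershell
# Added example: read-only audit of items 1-4 on the local computer.
# Assumes PowerShell 2.0+ in an elevated session (secedit needs admin rights).
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Turn an export entry such as "*S-1-5-32-555" into an account name.
function Resolve-Entry([string]$entry) {
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*')) { return $entry }      # already a name
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }                                     # SID with no resolvable name
}

# Accounts holding one user right; secedit omits rights that nobody holds.
function Get-UserRight([string]$name) {
    $line = Get-Content $inf | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    if (-not $line) { return '(no accounts)' }
    ($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Entry $_ }
}

# fDenyTSConnections: 0 = connections allowed, 1 = refused, $null = value absent.
function Get-DenyFlag([string]$key) {
    $p = Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($p) { $p.fDenyTSConnections } else { $null }
}

$gpo   = Get-DenyFlag 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$local = Get-DenyFlag 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny  = if ($null -ne $gpo) { $gpo } else { $local }        # a GPO value overrides the local one
$src   = if ($null -ne $gpo) { 'GPO' } else { 'local setting (GPO Not Configured)' }

'Item 1, allow right : ' + ((Get-UserRight 'SeRemoteInteractiveLogonRight') -join ', ')
'Item 4, deny right  : ' + ((Get-UserRight 'SeDenyRemoteInteractiveLogonRight') -join ', ')
'Item 2, connections : ' + $(if ($deny -eq 0) { 'allowed' } else { 'refused' }) + " via $src"

# Item 3: resolve the built-in groups by SID so localized names also work.
foreach ($sid in '*S-1-5-32-544', '*S-1-5-32-555') {
    $group = (Resolve-Entry $sid).Split('\')[-1]
    "Item 3, members of ${group}:"
    net localgroup $group
}
Remove-Item $inf
```

An account that appears under the deny right (item 4) is refused even if it also holds the allow right, so read the two lists together.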