Re: Preventing logon to local accounts
- From: JAMiE132 <JAMiE132@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 19 Jan 2009 04:56:01 -0800
Hi Becky,
Just to go over it from the beginning: you have created a new GPO with the
settings to enable RDP, you have created a security group and added the
workstations to this security group, then on the GPO you removed
Authenticated Users and added the group containing the workstations. We know
this works because RDP is enabled and greyed out on the Remote tab in System
Properties.
The next step is to configure Restricted Groups, so take the security group
that you created, add the users to this group, then on the same GPO as above
follow these steps:
Go to Windows Settings/Security Settings/Restricted Groups, right-click, Add
Group, add your global security group that contains the users that you
want to access the workstations using RDP,
select "This group is a member of:" and choose Remote Desktop Users.
You do not have to specify the user security group in the GPO filter as this
is a computer policy.
Gpupdate /force
Have you tried to RDP as the domain administrator? And does this work?
If you can't see anything out of the ordinary using the GPO results tools,
then add another workstation to the domain; don't add this workstation to
the security group that is the filter for the RDP GPO.
Then enable RDP manually: right-click My Computer, Properties, Remote tab,
select Remote Users, add the security group that contains the users. Then try
to RDP to this workstation.
This will identify whether it is indeed a GPO conflict.
What service pack is on the workstation?
And have you looked in the event logs for errors? Right-click My Computer
and select Manage; you will see Event Viewer. Have a scan through for any
errors.
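One way to see, from the workstation itself, the three things the steps above depend on (whether RDP is allowed by policy or only locally, who is actually in the local Remote Desktop Users group, and who holds the log-on user rights). This is an added example and not part of the thread; it assumes an elevated PowerShell prompt on the workstation and uses the standard Terminal Services policy key, the WinNT ADSI provider and secedit, so it also works on older hosts.

```powershell
# Added example (not from the thread): report the settings that decide whether a
# domain user can RDP to this workstation, so a GPO conflict is visible rather than guessed.
# Run in an elevated PowerShell on the workstation. Assumes PowerShell 2.0 or later.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RegValue($path, $name) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item) { return $item.$name } else { return $null }
}

# 1. Is RDP enabled by policy ("Allow users to connect remotely using Terminal Services")
#    or only locally? fDenyTSConnections = 0 means connections are allowed. A policy value
#    overrides the local one, which is why the Remote tab is greyed out when a GPO applies.
$policyDeny = Get-RegValue $policyKey 'fDenyTSConnections'
$localDeny  = Get-RegValue $localKey  'fDenyTSConnections'
if ($null -ne $policyDeny) {
    'RDP via policy: ' + $(if ($policyDeny -eq 0) { 'allowed' } else { 'DENIED' })
} else {
    'RDP via policy: not set; local setting is ' + $(if ($localDeny -eq 0) { 'allowed' } else { 'denied' })
}

# 2. Who is in the local Remote Desktop Users group? If the Restricted Groups setting applied
#    as "This group is a member of", the domain user group appears here alongside any existing
#    members; if "Members of this group" was used instead, the list is replaced on every refresh,
#    so anything added by hand on the workstation would disappear.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
'Remote Desktop Users members:'
$group.psbase.Invoke('Members') | ForEach-Object {
    '  ' + $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

# 3. Which accounts hold "Allow log on locally" (SeInteractiveLogonRight) and "Allow log on
#    through Terminal Services" (SeRemoteInteractiveLogonRight)? Exported from the effective
#    local security policy; entries are names or SIDs, and S-1-5-32-555 is the well-known SID
#    of the local Remote Desktop Users group.
$inf = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Get-Content $inf | Where-Object { $_ -match '^Se(Interactive|RemoteInteractive)LogonRight' }
Remove-Item $inf -ErrorAction SilentlyContinue
```

Compare the output with gpresult on the same machine: a group that is in the GPO but absent from section 2 points at a filtering or precedence problem rather than at the RDP setting itself.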
"JAMiE132" wrote:
Hi,
If you have the Group Policy Management Console installed on your DC then you
can use the Group Policy Results wizard; you can use this wizard to target a
specific workstation and user, and this will give you a summary of what has been
applied and what has been denied.
If you don't have GPMC installed you can use gpresult from a command prompt;
this will show you the same info as above, just not in a GUI.
I sent you an email with some questions!
Regards,
Jamie
"BeckyBoo123" wrote:
I didn't actually know that I could do that!
Well I followed your instructions again but I still get the same message :-(
The firewall is disabled on the workstation.
Is there any way for me to check if the other policy applied to this
workstation is blocking out what I am trying to change?
"JAMiE132" wrote:
Hi Becky,
I totally understand. Go to your server or a workstation, right-click
Computer, select Manage; where it says Computer Management, right-click this
and choose Connect to Computer; from here you enter the workstation name.
Once connected, expand Local Users and Groups, then select Groups, and open
Remote Desktop Users.
Also what is the status of the firewall on the workstation?
Regards,
Jamie
"BeckyBoo123" wrote:
Hi,
I have changed that back to the default level now and tried again. It still
didn't work.
I logged into the workstation (whilst sat in front of it) and checked that
remote user connections is enabled; it is, but the "Select Users" box is
greyed out. Is there a way of adding this to the policy, instead of changing
the policy, so it lets me check on the local machine that the user is listed?
Hope you can understand that, I am starting to confuse myself now!
"JAMiE132" wrote:
You can use "Allow log on locally" Group Policy setting (Computer
Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignments) and replace local Users with
Domain Users in the listing of groups in this category. Just make
sure you test this on target PCs to avoid any collateral
damage...
Perhaps you need to put this back to the default. Domain Users are by
default a member of the local Users group on a workstation; this doesn't mean they
can log on locally, as long as they only have a domain user account.
If you have RDP enabled and the group specified in the Remote Desktop Users
group on the local machine then there should be no problem. I recommend that
you reverse the change above, check that RDP is enabled on the workstation
(right-click Computer, Properties, Remote tab, and from here check that the box
for Remote Desktop is ticked), then make sure the group is added.
Regards,
Jamie
"BeckyBoo123" wrote:
Hi Guys, thanks for the advice. I am on information overload now!
Connecting to what? Do you have a terminal server? That would be a
good idea if you have a lot of remote users.
Ok, just to sum it all up (I think this is right): we have 2 AD servers and
6 Terminal Servers. We have several hundred PC users who connect to the TSs
for access to our profit system. Users also use their PCs for email access
and other things locally; however, we are trying to gradually add these PCs
to the domain.
So, certain users use VPN to connect up from home. They can connect to the
TS applications with no problem, and they can connect up to their local
account by using RDC, but on the test machine that I have connected to the
domain and removed the local account on, I can't connect to it via RDC
(emulating the method they would use from home).
You can use "Allow log on locally" Group Policy setting (Computer
Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignments) and replace local Users with
Domain Users in the listing of groups in this category. Just make
sure you test this on target PCs to avoid any collateral
damage...
This was originally set to list the specific user only, so I have now
changed it to display the domain user.
Create a GPO, filter this with a security group that contains the
workstations that you would like to enable RDP.
Enable RDP on the selected workstations:
1. In the group policy object, click to expand Computer Configuration,click
to expand Administrative Templates, click to expand Windows Components, and
then click to expand Terminal Services.
2. Double-click the "Allow users to connect remotely using Terminal
Services" policy.
3. Set the policy to Enable, and then click OK.
However, instead of visiting each workstation,
go to Windows Settings/Security Settings/Restricted Groups, right-click, Add
Group, add your global security group that contains the users that you
want to access the workstations using RDP, select "This group is a member
of:" and choose Remote Desktop Users.
This setting was already in place, but I checked it and it all looks in order.
The only thing that I have noticed is that the domain computer in question
is actively a member of 2 groups, RDP's and Desktop Users (Desktop Users is
the policy I have been working on to customize the domain PCs).
Could this be the cause?