Allow Users to RDP to Domain Controller

Let me start this with, I have read every article and forum post I can find about this issue. I know that it should be as easy as granting a permission to the user/groups.

I have 2 domain controllers (both running Server 2008 Standard), both of them are going to need to be logged in by users other than the Domain Administrators group. I have added the group that the users are in (Developers) to the following GPO.

Default Domain Controllers Policy -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on through Remote Desktop Services and Allow log on locally.

I have verified that these settings are being applied to the DCs by running RSOP.MSC on the two controllers and I can see that the settings that I change to the GPO are being reflected in the RSOP.MSC results.

When a user, other than a Domain Admin, tries to log in, they get the error "The connection was denied because the user account is not authorized for remote login."

Is there any other location/setting that I am missing on the GPO or perhaps the server itself that would be related to why this is not working?

Any help would be greatly appreciated.

Thank you,

Alex

February 20th, 2012 7:17pm

You also need to modify the permissions of the RDP-Tcp connection (Security tab) in RD Session Host configuration console - or simply add the users to built-in Remote Desktop Users group

hth
Marcin


February 20th, 2012 7:23pm

Thank you for the suggestion, I have tried to do that on one of the DCs and I get the following error, "The following error occured while attempting to save properties for the Remote Desktop Users on computer COMPUTER_NAME: The request is not supported."

-Alex


  • Edited by alex.derr Monday, February 20, 2012 7:29 PM Grammer Correction
February 20th, 2012 7:27pm

I provided two suggestions - which one of the two are you referring to?

The first one involves modifying permissions of the RDP-Tcp connection from the Remote Desktop Session Host Configuration (legacy Terminal Services Configuration) console. Have you tried that?

I assume you are referring to the second. If so, make sure that you are logged on with a Domain Admin account and you are running the ADUC in the elevated context

hth
Marcin


February 20th, 2012 7:31pm

Marcin -

I have tried both of your suggestions. After modifying the security properties for the RDP-tcp connection and allowing the Developer group full control, I am still getting the error message when trying to RDP to the DC.

When I made the changes I was logged in as a Domain Admin and ran everything with elevated permissions.

Thank you,

Alex

February 20th, 2012 7:38pm

Can you post the output of

gpresult /scope:computer /z

from the domain controller where you are seeing this issue?

hth
Marcin

February 20th, 2012 7:43pm

Here is the output of the gpresult:


Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 2/20/2012 at 12:50:33 PM



RSOP data for INTERNAL\aderr on TUWINAD02 : Logging Mode
---------------------------------------------------------

OS Configuration:            Additional/Backup Domain Controller
OS Version:                  6.1.7601
Site Name:                   TucsonDR
Roaming Profile:             N/A
Local Profile:               C:\Users\aderr
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=TUWINAD02,OU=Domain Controllers,DC=internal,DC=az,DC=gov
    Last time Group Policy was applied: 2/20/2012 at 12:45:56 PM
    Group Policy was applied from:      TUWINAD02.internal.az.gov
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        INTERNAL
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Pre-Windows 2000 Compatible Access
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        TUWINAD02$
        Read-only Domain Controllers
        Domain Controllers
        Enterprise Read-only Domain Controllers
        Denied RODC Password Replication Group
        System Mandatory Level
        
    Resultant Set Of Policies for Computer
    ---------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MaxRenewAge
                Computer Setting:  7

            GPO: Default Domain Policy
                Policy:            MaxServiceAge
                Computer Setting:  600

            GPO: Default Domain Policy
                Policy:            MaxClockSkew
                Computer Setting:  5

            GPO: Default Domain Policy
                Policy:            MaxTicketAge
                Computer Setting:  10

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            GPO: Default Domain Controllers Policy
                Policy:            MachineAccountPrivilege
                Computer Setting:  Authenticated Users
                                   
            GPO: Default Domain Controllers Policy
                Policy:            ChangeNotifyPrivilege
                Computer Setting:  Everyone
                                   LOCAL SERVICE
                                   NETWORK SERVICE
                                   Administrators
                                   Authenticated Users
                                   Pre-Windows 2000 Compatible Access
                                   
            GPO: Default Domain Controllers Policy
                Policy:            IncreaseBasePriorityPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            TakeOwnershipPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            RestorePrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            DebugPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            SystemTimePrivilege
                Computer Setting:  LOCAL SERVICE
                                   Administrators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            SecurityPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            ShutdownPrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators
                                   Print Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            AuditPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE
                                   
            GPO: Default Domain Controllers Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Account Operators
                                   Administrators
                                   Backup Operators
                                   INTERNAL\dclemmer
                                   INTERNAL\Developers
                                   INTERNAL\SysAdmins
                                   Print Operators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            CreatePagefilePrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            BatchLogonRight
                Computer Setting:  Administrators
                                   Backup Operators
                                   Performance Log Users
                                   
            GPO: Default Domain Controllers Policy
                Policy:            NetworkLogonRight
                Computer Setting:  Everyone
                                   Administrators
                                   Authenticated Users
                                   ENTERPRISE DOMAIN CONTROLLERS
                                   Pre-Windows 2000 Compatible Access
                                   
            GPO: Default Domain Controllers Policy
                Policy:            SystemProfilePrivilege
                Computer Setting:  Administrators
                                   NT SERVICE\WdiServiceHost
                                   
            GPO: Default Domain Controllers Policy
                Policy:            RemoteShutdownPrivilege
                Computer Setting:  Administrators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            BackupPrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            EnableDelegationPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            UndockPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            SystemEnvironmentPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            RemoteInteractiveLogonRight
                Computer Setting:  INTERNAL\dclemmer
                                   INTERNAL\Developers
                                   INTERNAL\Domain Admins
                                   INTERNAL\Domain Users
                                   INTERNAL\SysAdmins
                                   
            GPO: Default Domain Controllers Policy
                Policy:            LoadDriverPrivilege
                Computer Setting:  Administrators
                                   Print Operators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            IncreaseQuotaPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE
                                   Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            ProfileSingleProcessPrivilege
                Computer Setting:  Administrators
                                   
            GPO: Default Domain Controllers Policy
                Policy:            AssignPrimaryTokenPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE
                                   
        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            LSAAnonymousNameLookup
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            TicketValidateClient
                Computer Setting:  Enabled

            GPO: Default Domain Controllers Policy
                Policy:            @wsecedit.dll,-59013
                ValueName:         MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            @wsecedit.dll,-59043
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            @wsecedit.dll,-59044
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            @wsecedit.dll,-59058
                ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            @wsecedit.dll,-59018
                ValueName:         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
                Computer Setting:  1

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            GPO: Default Domain Policy
                Groupname: INTERNAL\SysAdmins
                Members:   N/A
                           
        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions
                Value:       3, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUAsDefaultShutdownOption
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdates
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\DetectionFrequency
                Value:       12, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallDay
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Controllers Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUShutdownOption
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallTime
                Value:       3, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\DetectionFrequencyEnabled
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUPowerManagement
                Value:       1, 0, 0, 0
                State:       Enabled

February 20th, 2012 7:55pm

Verify that the users in question don't have the "Deny this user permissions to log on to Remote Desktop Session host server" checkbox enabled on the RDS Profile tab of their accounts' Properties dialog box (in ADUC)

hth
Marcin

February 20th, 2012 8:16pm

Thank you for that suggestion, it was not the direct problem. I added the Developers group to the Remote Desktop Users group and tried the log in and that was the problem. I am not sure why I didn't think of that earlier, maybe it was too easy of a solution??

But at any rate, thank you for your time, it helped me find the issue and solve it.

Much appreciated!

Alex

  • Marked as answer by alex.derr Monday, February 20, 2012 8:39 PM
February 20th, 2012 8:38pm
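
Added example, not part of the original thread or any poster's code: a Python sketch that parses "gpresult /scope:computer /z" text and reports, for one account, the two separate checks this thread turned on (the RemoteInteractiveLogonRight user right and membership of Remote Desktop Users), plus any broad principals holding the RDP logon right on the DC. The sample text is trimmed from the output posted above; the function names, the BROAD review list and the requirement that the caller expands group membership are assumptions of this example.

```python
import re

# Constructed sample: the two logon rights, trimmed from the gpresult output posted in the thread.
SAMPLE = r"""
        User Rights
        -----------
            GPO: Default Domain Controllers Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Administrators
                                   INTERNAL\Developers

            GPO: Default Domain Controllers Policy
                Policy:            RemoteInteractiveLogonRight
                Computer Setting:  INTERNAL\dclemmer
                                   INTERNAL\Developers
                                   INTERNAL\Domain Admins
                                   INTERNAL\Domain Users
                                   INTERNAL\SysAdmins

        Security Options
        ----------------
"""

KEY = re.compile(r"^\s*(GPO|Policy|Computer Setting|ValueName|KeyName|Value|State):\s*(.*)$")
BROAD = {"everyone", "authenticated users", "domain users", "users"}  # assumed review list


def parse_settings(text):
    """Map each 'Policy:' name to the values listed under its 'Computer Setting:'."""
    out, policy, collecting = {}, None, False
    for line in text.splitlines():
        m = KEY.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            collecting = key == "Computer Setting" and policy is not None
            if key == "Policy":
                policy = value
            elif collecting:
                out.setdefault(policy, []).extend([value] if value else [])
        elif collecting and line.strip():
            out[policy].append(line.strip())   # continuation line of a multi-value setting
        else:
            collecting = False                 # blank line or heading ends the value list
    return out


def short(name):
    """Drop the DOMAIN\\ prefix and case so names compare consistently."""
    return name.split("\\")[-1].lower()


def rdp_gates(settings, user_groups, rdu_members):
    """user_groups: the account plus every group it is in (already expanded by the caller)."""
    mine = {short(g) for g in user_groups}
    granted = {short(p) for p in settings.get("RemoteInteractiveLogonRight", [])}
    return {"user_right": bool(mine & granted),
            "remote_desktop_users": bool(mine & {short(m) for m in rdu_members})}


def broad_rdp_grants(settings):
    """Principals holding the RDP logon right that cover most or all accounts."""
    return [p for p in settings.get("RemoteInteractiveLogonRight", []) if short(p) in BROAD]


if __name__ == "__main__":
    s = parse_settings(SAMPLE)
    print(rdp_gates(s, [r"INTERNAL\Developers"], []), broad_rdp_grants(s))
```

With an empty Remote Desktop Users list the result matches the state before the fix in this thread: the user right is present but the group membership is not.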

Alex - can you clarify how this is different from what I recommended earlier?

"You also need to modify the permissions of the RDP-Tcp connection (Security tab) in RD Session Host configuration console - or simply add the users to built-in Remote Desktop Users group "

cheers,
Marcin

February 20th, 2012 8:45pm

This information is not accurate.
March 6th, 2015 1:50am

This topic is archived. No further replies will be accepted.
