From: Matt Levy on 25 May 2010 10:27

Here's the problem - Users (standard Domain Users in Active Directory) can connect to the VPN, fire up Remote Desktop and connect\logon to their machines here at the office on the first try, no problems at all. Upon finishing up and selecting the "Logoff" option, the Remote Desktop session on their end closes as expected - But when any of them attempt to reconnect to their machines via Remote Desktop again later they get an error stating, "You do not have access to logon to this Session". This persists until their machine here at the office is rebooted. I have tested this locally on the network and the problem persists. The second time a user (non-administrator) tries to connect to the machine it gets the error message.

I have seen on some other forums that others have had the same problem but no solution.
From: Matt Levy on 27 May 2010 17:57
Hi, I have a solution. I had exactly the same problem. It seems a user who is not a member of the "Remote Desktop Users" or local Administrators group needs to be granted the "User access" permission on the RDP-Tcp connection. Now to do this on a 2000 or 2003 Server, you would launch the admin tool "Terminal Services Configuration", but this tool is not available in XP and I can't find a command line to edit the permissions on the RDP-Tcp connections. It seems that the only difference between members of the Remote Desktop Users group on an XP machine and the users specified in the "Allow log on through Terminal Services" user right is that "User access" permission on the RDP-Tcp connection.

The workaround seems to be to add users to the local Remote Desktop Users group. So I had to add specific users to the Remote Desktop Users group on each machine in my domain. Now you could manually log onto each machine with admin rights and add each user to the local group, which is not ideal if you have 700 or so XP desktops. There is a GPO that can be used to do this, and it does not use the Remote Desktop Users group in AD, which I believe grants members RDC rights on your Domain Controllers ONLY!

The GPO is configured like this:

How to add a domain group to the Remote Desktop Users group by using Group Policy

1. Open the Group Policy Management Console (GPMC). To do this, click Start, click Run, type GPMC.msc, and then press ENTER.
2. Create and link a GPO that is named Restricted Groups to the terminal server organizational unit (OU).
3. Right-click the Restricted Groups GPO that is linked to the terminal server OU, and then click Edit.
4. Configure the Restricted Groups setting in the following location in Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Restricted Groups\
5. Right-click Restricted Groups, and then click Add Group.
6. Click Browse, click Locations, select the locations that you want to browse, and then click OK.
7. Type Remote Desktop Users in the Enter the object names to select box, and then click Check Names. Or, click Advanced, and then click Find Now to list all available groups. (I'm not sure this step works because it may be adding the DOMAIN\Remote Desktop Users but you want the BUILTIN\Remote Desktop Users; if you just type Remote Desktop Users in step 5 instead of browsing, that should work.)
8. Click the Remote Desktop Users group, and then click OK.
9. In the Add Groups dialog box, click OK to close it. The Remote Desktop Users Properties dialog box opens.
10. In the Members of this group section, click Add.
11. Click Browse.
12. In the Select Users or Groups dialog box, type the name of the domain group.
13. Click Check Names, and then click OK to close the dialog box.
14. Click OK to close the dialog box and to finish adding the domain group to the Remote Desktop Users group.

Incidentally, I use the same GPO to enable remote desktop connections by: The Allow users to connect remotely using Terminal Services policy setting is in the following location: Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections\

"Matt Levy" wrote:
> Here's the problem - Users (standard Domain Users in Active Directory) can
> connect to the VPN, fire up Remote Desktop and connect\logon to their
> machines here at the office on the first try, no problems at all. Upon
> finishing up and selecting the "Logoff" option, the Remote Desktop session on
> their end closes as expected - But when any of them attempt to reconnect to
> their machines via Remote Desktop again later they get an error stating, "You
> do not have access to logon to this Session". This persists until their
> machine here at the office is rebooted. I have tested this locally on the
> network and the problem persists. The second time a user (non-administrator)
> tries to connect to the machine it gets the error message.
>
> I have seen on some other forums that others have had the same problem but
> no solution.
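Once the Restricted Groups GPO above has been pushed out, the practical question is whether it actually landed on every desktop: is the intended domain group now in each machine's local BUILTIN\Remote Desktop Users group, and is "Allow users to connect remotely" on. The following PowerShell audit script is an added example, not code from the thread or from Microsoft; it assumes you run it from a domain-joined admin workstation that can read the remote hosts' local groups (ADSI WinNT provider) and remote registry, and the host names and the domain group name CONTOSO\RDP-Users are constructed placeholders.

```powershell
# Added example: verify Restricted Groups GPO results across a list of hosts.
# Assumptions: admin rights on each target, Remote Registry service reachable,
# and the WinNT ADSI provider available (works against XP/2003-era machines).
param(
    [string[]]$Computers = @('XPDESK01', 'XPDESK02'),   # constructed sample host names
    [string]$ExpectedMember = 'CONTOSO\RDP-Users'       # hypothetical domain group from the GPO
)

function Get-LocalRdpUsers {
    # Returns the members of the LOCAL (BUILTIN) Remote Desktop Users group,
    # formatted as DOMAIN\Name, so the domain group vs. BUILTIN group mix-up
    # described in step 7 is visible in the output.
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Remote Desktop Users,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        # Each member is a COM object; read its ADsPath (e.g. WinNT://CONTOSO/RDP-Users)
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-RdpEnabled {
    # fDenyTSConnections = 0 means the "Allow users to connect remotely" setting is on.
    param([string]$Computer)
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')
    try {
        return ($key.GetValue('fDenyTSConnections') -eq 0)
    } finally {
        if ($key)  { $key.Close() }
        if ($base) { $base.Close() }
    }
}

foreach ($c in $Computers) {
    try {
        $members = @(Get-LocalRdpUsers -Computer $c)
        [pscustomobject]@{
            Computer          = $c
            RdpEnabled        = Test-RdpEnabled -Computer $c
            HasExpectedMember = ($members -contains $ExpectedMember)
            Members           = ($members -join '; ')
        }
    } catch {
        # Unreachable host, Remote Registry stopped, or insufficient rights
        Write-Warning ("{0}: {1}" -f $c, $_.Exception.Message)
    }
}
```

Run it as `.\Audit-RdpUsers.ps1 -Computers (Get-Content hosts.txt) -ExpectedMember 'CONTOSO\RDP-Users'` and filter for rows where `HasExpectedMember` is false; those are the machines where the GPO has not applied yet (or where the domain "Remote Desktop Users" group was added instead of the intended one). Because Restricted Groups replaces the local group's membership on every refresh, the `Members` column also shows you which accounts lost RDP access when the policy was applied.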