Active Directory and Terminal Server



I have a domain controller (Server 1) and a terminal server (Server 2). I set up a user in AD and make them a member of the Remote Desktop Users. I granted the Remote Desktop Users the right to log on through Terminal Services. I can log on through Remote Desktop as the Administrator but not the user which I set up. What am I missing here?

I will be installing terminal services licenses once I get this working. Is it better to have the terminal server also be the licenses server or should I make the other server the license server?

Thanks in advance.


I have tried everything and I cannot log on through terminal services as the user I set up. I can log on locally to the terminal server. I made the domain controller also the license server but the terminal server cannot locate the license server automatically. I have to manually enter the computer name. Any help will be greatly appreciated.

Thanks

If you're having problems locating your lic server

http://support.microsoft.com/kb/279561/

How to override the license server discovery process in Windows Server 2003 Terminal Services

http://technet2.microsoft.com/WindowsServe...3.mspx?mfr=true

Set preferred Terminal Server license servers

Not sure exactly what you mean by "I have to manually enter the computer name."

Thanks for the reply Budman, but I resolved the license server. I just cannot figure out why I cannot log on to the terminal server through a terminal session with a user other than the Administrator. On the domain controller (in Domain Security Settings) I configured to allow Remote Desktop Users to connect through terminal services. I made the user a member of the Remote Desktop Group. On the terminal server in local security policy I configured Administrators and Remote Desktop Users to log on through terminal services. Here if I remove the Administrators group then I cannot log on through terminal services at all.

I apologize but I am very new to Active Directory. I am just trying to learn by doing. I was under the impression that the above is all I had to do to log on through terminal services. I am not sure why it only lets the administrator log on and not the user who is the member of the Remote Desktop Group. It keeps on giving me the message that only members of the Remote Desktop Group can log on through terminal services. The user I created is a member of the Remote Desktop Group. I just don't understand.

If I am reading what you have done correctly - you have not put the user in the LOCAL Remote Desktop Users group on the terminal server itself, but in the domain group called the same thing.

This user needs to be placed in the "terminal server (Server 2)" local RD Users group.

http://technet2.microsoft.com/WindowsServe...3.mspx?mfr=true

Enabling users to connect remotely to the server.

So you put the Domain Remote Desktop Users into the Local RD Users group?

Put the domain "USER" account you want to access the terminal server into the terminal server's local Remote Desktop Users group.

From the previous link I gave

--

It is highly recommended that you use the Remote Desktop Users group to grant individuals access to terminal servers, rather than assigning the required permissions manually

Caution: If you alter the default permissions on the Remote Desktop Users group or remove this group, members of this group might lose the ability to log on remotely to terminal servers.

--

This error "only members of the Remote Desktop Group can log on through terminal services." would sure point to you not having the account in this group.

http://technet2.microsoft.com/WindowsServe...3.mspx?mfr=true

Add users to the Remote Desktop Users group

Budman thank you very much for taking the time to help a novice. You are a genius. Everything is working great now. I have two more issues I have to learn or resolve and I will be ready to use this server.

First, I have configured DHCP on the server. Once I did that I knew that I was going to lose internet connectivity. I have learned that what I need to do is to enable DNS forwarding for internet connections. In the forwarders area of the DNS server I typed in my ISP address of the DNS servers. The internet does not work. This is the area I am totally lost on. Can you help me with this also?

My second issue is that I want my terminal server users to have access to a shared printer on Server 1 (I know that this is also the domain controller and should not be a print server). What I did to allow TS users to connect is what you said above except I created a group called TS App Users and made them a member of the Local RD Users group. That way I can just add users to that domain group and give them access to the TS server. I want those same users to have access to the printer but when I log on and try to connect to the printer in AD it says that I don't have rights on that computer to connect. It would be nice if I can somehow set up the TS User group to have access to the printer as well as the shared folder without the user having to do anything, but I think that I am getting ahead of myself. That way when a TS App User logs on, they have a mapped drive to the share and a printer all set up. I say that I am getting ahead of myself because this probably involves scripting.

I thank you in advance for taking your valuable time to help me.

I just got my first issue resolved. When I set up DHCP I picked a scope of 192.168.0.100 - 192.168.0.200. The gateway is 192.168.0.1. When I disabled DHCP on the router, I did not change the device IP to 192.168.0.1. I could not ping an IP address outside the network. Now that I can connect to the internet from the servers and the clients, I will work on the printer and share issue I mentioned above. I feel like I am learning a lot setting this up. The best way to learn for me is to do.

  bankajac said:

My second issue is that I want my terminal server users to have access to a shared printer on Server 1 (I know that this is also the domain controller and should not be a print server). What I did to allow TS users to connect is what you said above except I created a group called TS App Users and made them a member of the Local RD Users group. That way I can just add users to that domain group and give them access to the TS server. I want those same users to have access to the printer but when I log on and try to connect to the printer in AD it says that I don't have rights on that computer to connect. It would be nice if I can somehow set up the TS User group to have access to the printer as well as the shared folder without the user having to do anything, but I think that I am getting ahead of myself. That way when a TS App User logs on, they have a mapped drive to the share and a printer all set up. I say that I am getting ahead of myself because this probably involves scripting.

Printers

You could try and use a logon script for TS Users that would automatically connect to a printer.

To connect to printers use con2prt.exe. It should be located in your Windows/System32 directory on Server 2003.

Shared Drive

In said logon script, put a line saying

net use S: \\server\shared

to connect the S drive to \\server\shared
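
Added example, not part of the original thread or written by its posters: a logon script along the lines suggested above, using the thread's `net use` line and con2prt. The printer share name `OfficePrinter`, the domain name `EXAMPLE` and the log file name are placeholders; `\\server\shared` and the "TS App Users" group are taken from the posts.

```batch
@echo off
rem Logon script for members of the "TS App Users" domain group (added example).
rem One-time step, run by an administrator on the terminal server itself, that
rem nests the domain group in the server's LOCAL Remote Desktop Users group:
rem   net localgroup "Remote Desktop Users" "EXAMPLE\TS App Users" /add
rem EXAMPLE is a placeholder domain name.
setlocal

rem Share path as given in the thread; the printer share name is a placeholder.
set "SHARE=\\server\shared"
set "PRINTER=\\server\OfficePrinter"

rem Per-user log so a failed mapping can be diagnosed after logon.
set "LOG=%TEMP%\ts-logon.log"
echo %DATE% %TIME% logon script for %USERDOMAIN%\%USERNAME% > "%LOG%"

rem Remove a stale S: mapping so an old remembered path cannot linger.
if exist S:\ net use S: /delete /y >> "%LOG%" 2>&1

rem /persistent:no keeps the mapping out of the profile; the script
rem recreates it at every logon, so removing a user from the group
rem takes effect at their next logon.
net use S: "%SHARE%" /persistent:no >> "%LOG%" 2>&1
if errorlevel 1 echo Drive mapping failed: check share and NTFS permissions >> "%LOG%"

rem con2prt /cd connects to the shared printer and sets it as the default.
con2prt /cd "%PRINTER%" >> "%LOG%" 2>&1

endlocal
```

The script only connects the resources. Access is still decided by the share, NTFS and printer permissions granted to the group, so granting those to "TS App Users" rather than to individual accounts keeps both remote logon and resource access controlled by one group membership.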
