Wednesday, December 21, 2016

Windows Server 2012: To sign in remotely, you need the right to sign in through...


Problem

You obtain a new Windows Server 2012 R2 VM from your system admins. You develop on this, and then provide other users the name or IP address of your VM so that they can view your development efforts. You add their AD accounts to the server's local Remote Desktop Users group. They report that they are unable to connect, seeing this message:

Solution

Check the Allow log on through Remote Desktop Services user right:
Start > Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment
or
mmc > Resultant Set of Policy > expand tree > Windows Settings > Security Settings > Local Policies > User Rights Assignment
If the security setting for this policy includes only the local Administrators group, add your users to the local Administrators group.

Notes

  • By default, the security setting for this policy should include the local Administrators and Remote Desktop Users groups. However, your system admins may have configured the domain's GPO to not include the Remote Desktop Users group.
  • Though adding users to the local Administrators group does get them remote access, it gives your users a higher level of server access than you may want to grant. The best long-term solution is to ask your system admins to modify the domain GPO to include the Remote Desktop Users group in the security setting for the Allow log on through Remote Desktop Services user right.
  • Using the RSoP snap-in will help you see what GPO is applied.
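
The same check can be scripted. This is an added example, not part of the original post: it exports the user rights currently applied on the server with secedit and lists who holds SeRemoteInteractiveLogonRight, the internal name of the Allow log on through Remote Desktop Services right. It assumes an elevated PowerShell prompt; the scratch file name and the helper function Get-RightHolders are made up for the example, and the two SIDs are the well-known SIDs of the built-in groups.

```powershell
# Added example: who holds "Allow log on through Remote Desktop Services"?
# Run from an elevated PowerShell prompt on the server.

$cfg = Join-Path $env:TEMP 'user-rights.inf'      # scratch file, name is arbitrary
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Well-known SIDs of the two built-in groups the post discusses
$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$rduSid    = 'S-1-5-32-555'   # BUILTIN\Remote Desktop Users

# Hypothetical helper: parse one "Right = *SID,*SID,name" line of the export
function Get-RightHolders([string]$Path, [string]$Right) {
    $hit = Select-String -Path $Path -Pattern "^$Right\s*=" | Select-Object -First 1
    if (-not $hit) { return }                     # right is assigned to nobody
    ($hit.Line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {             # "*S-1-..." is a SID entry
            $sid = $entry.TrimStart('*')
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved SID)' }
            [pscustomobject]@{ Sid = $sid; Name = $name }
        } else {                                  # entry stored by account name
            [pscustomobject]@{ Sid = $null; Name = $entry }
        }
    }
}

$allow = @(Get-RightHolders $cfg 'SeRemoteInteractiveLogonRight')
$allow | Format-Table -AutoSize

if ($allow.Sid -notcontains $rduSid) {
    Write-Warning ('Remote Desktop Users does not hold this right: membership ' +
                   'in that local group alone will not allow RDP sign-in.')
    if ($allow.Count -eq 1 -and $allow[0].Sid -eq $adminsSid) {
        Write-Warning 'Only the local Administrators group holds the right.'
    }
}

# A deny entry overrides the allow right, so list it as well
Get-RightHolders $cfg 'SeDenyRemoteInteractiveLogonRight' | Format-Table -AutoSize

Remove-Item $cfg
```

The export shows the resulting setting but not which GPO produced it; use the RSoP snap-in for that.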

1 comment:

Anonymous said...

I could not resist commenting. Well written!