(Msg. 1) Posted: Wed Mar 26, 2008 1:27 pm Post subject: Login error for new user on Domain Controller TS Archived from groups: microsoft>public>windows>terminal_services
I have two Terminal Servers. Both Windows 2003 Standard. One is also a DC.

For a user, she can logon to the Terminal Server (non-DC) no problem.

For the other TS that is a DC, I have tried to log her on remotely for the first
time, but when the user tries to access that server they get this
error: "you must be granted the Allow logon through terminal services right.
Members of the remote desktop users have this right." She is already a
member of a domain-wide Security Group called Remote Users.

1. Do I need to log her on 1x locally at the DC Terminal Server?

2. Where is the built-in Remote Desktop Users Group on a DC? It's not
listed under Computer Management, like on the non-DC Terminal Server. On the
non-DC Terminal Server, I added the domain-wide Remote Users Security group
to the Local built-in Remote users group.
(Msg. 2) Posted: Wed Mar 26, 2008 4:17 pm Post subject: Re: Login error for new user on Domain Controller TS
It is *not* recommended to run TS on a Domain Controller, both for
performance and security reasons!
That said, you will have to enable the following setting in the
Default Domain Controller Policy:
Computer Configuration - Windows Settings - Security Settings -
Local Policies - User rights Assignment
"Allow log on through Terminal Services"
and add the Remote Desktop Users group to the list of allowed users
There are no machine-local groups on a DC, only domain-local.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
(Msg. 3) Posted: Thu Mar 27, 2008 7:15 am Post subject: Re: Login error for new user on Domain Controller TS
Hmm. This Server is a Disaster Recovery Multi-purpose server, so it's for
back purposes.

In my AD, I appear to have two separate groups.
(1) Under Built-in is the "Remote Desktop Users" group
(2) Under another manually created group called Security Groups is "Remote
Users" group.

I'm not sure why there are two separate groups that have similar names?

How can I tell which of these two groups is the security group used for
Terminal Services?
(Msg. 4) Posted: Thu Mar 27, 2008 8:37 am Post subject: Re: Login error for new user on Domain Controller TS
Seems to me you have already answered your own question:
one group is Built-in, the other is manually created.
I've no idea why someone at your company has created a group with a
similar name as the built-in group, but it's the built-in domain
local group you need to use (assuming that no other changes have
been made to the default configuration of your DC and AD).
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
(Msg. 5) Posted: Thu Mar 27, 2008 10:58 am Post subject: Re: Login error for new user on Domain Controller TS
The strange thing is if I add a user to only the manual Security Group, and
not the built-in, the user CAN still access the TS.

I notice that most users are in both groups.

My confusion is that I don't see where the manual Security Group is being
used. Is the Built-in Remote Desktop Group automatically configured so that
if a user is part of that Built-in Remote Desktop group they can access a TS?
Is there a place on the TS where either of these Security Groups is added to
allow for access? Or is it just inherited as part of being in that group?
(Msg. 6) Posted: Thu Mar 27, 2008 12:28 pm Post subject: Re: Login error for new user on Domain Controller TS
Since you seem to have a non-default installation, it is difficult
for me to say what will work for you now.

But the default setup is like this:
On a Terminal Server which is *not* a DC, you have to make sure
that the users are members of the local built-in group Remote
Desktop Users, on the server itself. That can be achieved either by
putting the individual user accounts into this group, or by putting
one or more user groups which contain the user accounts in the
local Remote Desktop User group. As an example (but not necessarily
a good configuration): if you put the built-in domain user group
"Domain Users" (of which all users are a member) into the local
built-in Remote Desktop Users group on a member server, then all
domain users can connect to the server by rdp.

The above assumes that you have not modified the security settings
of the rdp-tcp connection, i.e. that the Remote Desktop Users group
is still on the permissions list. Check this in Terminal Services
Configuration - rdp-tcp connection - properties - security

Since one of your Terminal Servers is a DC (again, this is *not*
recommended!), the requirements are different. A DC does not have a
local built-in Remote Desktop group, so instead you have to make
sure that users are members of the domain local built-in group
Remote Desktop Users.
And since by default only Administrators have the right to logon to
a DC, you also have to change the Default Domain Controller Policy:

Go to Computer Configuration - Windows Settings - Security Settings
- Local Policies - User rights Assignment
"Allow log on through Terminal Services"

and add the domain local built-in Remote Desktop Users group to the
list of allowed users.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
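
Added example (not part of the original posts): a check of the user right described in Msg. 6, run against a security policy export such as the one `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes on the DC. The sample export text, the domain SID in it, and the function names are constructed for illustration; the check covers only the user right, not group membership or the RDP-Tcp permissions list.

```python
import re

# Policy-export names of the two user rights involved.
ALLOW = "SeRemoteInteractiveLogonRight"      # "Allow log on through Terminal Services"
DENY = "SeDenyRemoteInteractiveLogonRight"   # "Deny log on through Terminal Services"

REMOTE_DESKTOP_USERS = "S-1-5-32-555"        # built-in (domain local on a DC) group
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Domain Users is <domain SID>-513.
DOMAIN_USERS_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")


def parse_privilege_rights(inf_text):
    """Return {right: [holders]} from the [Privilege Rights] section.

    Holders are SIDs (written with a leading '*') or plain account names.
    The caller decodes the file first; secedit normally writes UTF-16.
    """
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "privilege rights"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [
            h.strip().lstrip("*") for h in value.split(",") if h.strip()
        ]
    return rights


def audit_rdp_logon_right(inf_text):
    """Report who holds the RDP logon right and flag problems."""
    rights = parse_privilege_rights(inf_text)
    allowed = rights.get(ALLOW, [])
    denied = rights.get(DENY, [])
    findings = []

    if ALLOW not in rights:
        findings.append(ALLOW + " is not defined in this export")
    elif REMOTE_DESKTOP_USERS not in allowed:
        findings.append("Remote Desktop Users (S-1-5-32-555) does not hold "
                        "the right; non-administrators cannot log on via RDP")

    # On a DC this right should stay narrow: flag catch-all groups.
    for sid in allowed:
        if sid in BROAD_SIDS:
            findings.append("right granted to " + BROAD_SIDS[sid])
        elif DOMAIN_USERS_RE.match(sid):
            findings.append("right granted to Domain Users (" + sid + ")")

    # A deny entry takes precedence over an allow entry.
    for sid in denied:
        if sid in allowed:
            findings.append(sid + " is both allowed and denied; deny wins")

    granted = REMOTE_DESKTOP_USERS in allowed and REMOTE_DESKTOP_USERS not in denied
    return {"allowed": allowed, "denied": denied,
            "rdu_granted": granted, "findings": findings}


# Constructed sample exports (not taken from a real server).
HEADER = "[Unicode]\nUnicode=yes\n[Privilege Rights]\n"
FOOTER = '[Version]\nsignature="$CHICAGO$"\nRevision=1\n'
SAMPLE_DEFAULT_DC = HEADER + ALLOW + " = *S-1-5-32-544\n" + FOOTER
SAMPLE_FIXED_DC = HEADER + ALLOW + " = *S-1-5-32-544,*S-1-5-32-555\n" + FOOTER
SAMPLE_BROAD_DC = (HEADER + ALLOW + " = *S-1-5-32-544,*S-1-5-32-555,"
                   "*S-1-5-21-1111111111-2222222222-3333333333-513\n" + FOOTER)
SAMPLE_DENIED_DC = (HEADER + ALLOW + " = *S-1-5-32-544,*S-1-5-32-555\n"
                    + DENY + " = *S-1-5-32-555\n" + FOOTER)

if __name__ == "__main__":
    for label, text in [("default DC", SAMPLE_DEFAULT_DC),
                        ("after policy change", SAMPLE_FIXED_DC),
                        ("too broad", SAMPLE_BROAD_DC),
                        ("deny conflict", SAMPLE_DENIED_DC)]:
        result = audit_rdp_logon_right(text)
        print(label, "-> rdu_granted:", result["rdu_granted"])
        for finding in result["findings"]:
            print("   ", finding)
```
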
(Msg. 7) Posted: Thu Mar 27, 2008 12:52 pm Post subject: Re: Login error for new user on Domain Controller TS
2 things.

1. I think I figured out why there is a 2nd manual "Remote Users" Security
group. On the TS *non-DC* in the Local Remote Desktop Users is added the
other Security Group. The consultants must have added users to that in AD,
and this Security group was added to the Remote Desktop Users.

2. For the RDP-Tcp permissions, Remote Desktop Users is there with User
Access and Guest Access only checked. Only Administrators and System have
Full Control. Is that ok?
(Msg. 8) Posted: Fri Mar 28, 2008 4:36 am Post subject: Re: Login error for new user on Domain Controller TS
1. OK, that seems a likely scenario, and should work.
2. Yes, that's OK.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*
All times are: Eastern Time (US & Canada)