Windows NT new domain admin can't remote desktop DCs

[BFH]

Just added a new administrator to the domain admins group. Unlike the rest
of us, she can't get a remote desktop on our DCs (although she can on our
member servers). When she tries to connect, she gets this error window:

"To log on to this remote computer, you must have Terminal Server User
Access permissions on this computer. By default, members of the Remote
Desktop Users group have these permissions. If you are not a member of the
Remote Desktop Users group or another group that has these permissions, or if
the Remote Desktop User group does not have these permissions, you must be
granted these permissions manually."

Huh?
This is a Win 2003/SP2 domain controller, so there is no local "Remote
Desktop Users" group. All our other domain admins -for instance, me- can log
in still. There has been no change in domain controller security policy or
default domain security policy. If I go to "Select Remote Users" on the
Remote tab and add the user directly, she can log in (but doesn't t, but I
don't want to do that on every DC- and I shouldn't have to, because being in
Domain Admins should be enough (it is for our other admins)!

So, what am I missing here?

 

[Jeff Pitsch]

mmmm, interesting. It almost sounds like the DC's where it's not
working aren't being updated correctly. Are you sure your replication
is functioning 100%? You may want to post in the windows server forums
as well.

Jeff Pitsch
Microsoft MVP - Terminal Services

BFH wrote:
> Just added a new administrator to the domain admins group. Unlike the rest
> of us, she can't get a remote desktop on our DCs (although she can on our
> member servers). When she tries to connect, she gets this error window:
>
> "To log on to this remote computer, you must have Terminal Server User
> Access permissions on this computer. By default, members of the Remote
> Desktop Users group have these permissions. If you are not a member of the
> Remote Desktop Users group or another group that has these permissions, or if
> the Remote Desktop User group does not have these permissions, you must be
> granted these permissions manually."
>
> Huh?
> This is a Win 2003/SP2 domain controller, so there is no local "Remote
> Desktop Users" group. All our other domain admins -for instance, me- can log
> in still. There has been no change in domain controller security policy or
> default domain security policy. If I go to "Select Remote Users" on the
> Remote tab and add the user directly, she can log in (but doesn't t, but I
> don't want to do that on every DC- and I shouldn't have to, because being in
> Domain Admins should be enough (it is for our other admins)!
>
> So, what am I missing here?
>
>
>

 

[BFH]

Good suggestion, but I don't think that's it. I just did replmon and it
showed no errors, everything up to date. Nothing of note showing up in the
event logs. I'll crosspost as you suggest and see if anyone has an idea.

As a workaround, I've added Domain Admins to the domain builtin Remote
Desktop Users group, which is OK as far as it goes, but it doesn't really
make sense to me (as I said below, I didn't have to do that for other admins).

Still looking for suggestions.
BH




"Jeff Pitsch" wrote:

> mmmm, interesting. It almost sounds like the DC's where it's not
> working aren't being updated correctly. Are you sure your replication
> is functioning 100%? You may want to post in the windows server forums
> as well.
>
> Jeff Pitsch
> Microsoft MVP - Terminal Services
>
> BFH wrote:
> > Just added a new administrator to the domain admins group. Unlike the rest
> > of us, she can't get a remote desktop on our DCs (although she can on our
> > member servers). When she tries to connect, she gets this error window:
> >
> > "To log on to this remote computer, you must have Terminal Server User
> > Access permissions on this computer. By default, members of the Remote
> > Desktop Users group have these permissions. If you are not a member of the
> > Remote Desktop Users group or another group that has these permissions, or if
> > the Remote Desktop User group does not have these permissions, you must be
> > granted these permissions manually."
> >
> > Huh?
> > This is a Win 2003/SP2 domain controller, so there is no local "Remote
> > Desktop Users" group. All our other domain admins -for instance, me- can log
> > in still. There has been no change in domain controller security policy or
> > default domain security policy. If I go to "Select Remote Users" on the
> > Remote tab and add the user directly, she can log in (but doesn't t, but I
> > don't want to do that on every DC- and I shouldn't have to, because being in
> > Domain Admins should be enough (it is for our other admins)!
> >
> > So, what am I missing here?
> >
> >
> >
>

 

[Jeff Pitsch]

it'd be interesting to see if it wsa that one account or if it's going
to keep happening as you add admins. Would you be able to create some
dummy accounts and see if you have the same problem?

Jeff Pitsch
Microsoft MVP - Terminal Services

BFH wrote:
> Good suggestion, but I don't think that's it. I just did replmon and it
> showed no errors, everything up to date. Nothing of note showing up in the
> event logs. I'll crosspost as you suggest and see if anyone has an idea.
>
> As a workaround, I've added Domain Admins to the domain builtin Remote
> Desktop Users group, which is OK as far as it goes, but it doesn't really
> make sense to me (as I said below, I didn't have to do that for other admins).
>
> Still looking for suggestions.
> BH
>
>
>
>
> "Jeff Pitsch" wrote:
>
>> mmmm, interesting. It almost sounds like the DC's where it's not
>> working aren't being updated correctly. Are you sure your replication
>> is functioning 100%? You may want to post in the windows server forums
>> as well.
>>
>> Jeff Pitsch
>> Microsoft MVP - Terminal Services
>>
>> BFH wrote:
>>> Just added a new administrator to the domain admins group. Unlike the rest
>>> of us, she can't get a remote desktop on our DCs (although she can on our
>>> member servers). When she tries to connect, she gets this error window:
>>>
>>> "To log on to this remote computer, you must have Terminal Server User
>>> Access permissions on this computer. By default, members of the Remote
>>> Desktop Users group have these permissions. If you are not a member of the
>>> Remote Desktop Users group or another group that has these permissions, or if
>>> the Remote Desktop User group does not have these permissions, you must be
>>> granted these permissions manually."
>>>
>>> Huh?
>>> This is a Win 2003/SP2 domain controller, so there is no local "Remote
>>> Desktop Users" group. All our other domain admins -for instance, me- can log
>>> in still. There has been no change in domain controller security policy or
>>> default domain security policy. If I go to "Select Remote Users" on the
>>> Remote tab and add the user directly, she can log in (but doesn't t, but I
>>> don't want to do that on every DC- and I shouldn't have to, because being in
>>> Domain Admins should be enough (it is for our other admins)!
>>>
>>> So, what am I missing here?
>>>
>>>
>>>

 

[BFH]

Yes, I created a dummy and it had the same problem. I haven't had much time
to work on this today, so I guess I'll bang my head against the wall Monday.
Thanks for your help.

"Jeff Pitsch" wrote:

> it'd be interesting to see if it wsa that one account or if it's going
> to keep happening as you add admins. Would you be able to create some
> dummy accounts and see if you have the same problem?
>
> Jeff Pitsch
> Microsoft MVP - Terminal Services
>
> BFH wrote:
> > Good suggestion, but I don't think that's it. I just did replmon and it
> > showed no errors, everything up to date. Nothing of note showing up in the
> > event logs. I'll crosspost as you suggest and see if anyone has an idea.
> >
> > As a workaround, I've added Domain Admins to the domain builtin Remote
> > Desktop Users group, which is OK as far as it goes, but it doesn't really
> > make sense to me (as I said below, I didn't have to do that for other admins).
> >
> > Still looking for suggestions.
> > BH
> >
> >
> >
> >
> > "Jeff Pitsch" wrote:
> >
> >> mmmm, interesting. It almost sounds like the DC's where it's not
> >> working aren't being updated correctly. Are you sure your replication
> >> is functioning 100%? You may want to post in the windows server forums
> >> as well.
> >>
> >> Jeff Pitsch
> >> Microsoft MVP - Terminal Services
> >>
> >> BFH wrote:
> >>> Just added a new administrator to the domain admins group. Unlike the rest
> >>> of us, she can't get a remote desktop on our DCs (although she can on our
> >>> member servers). When she tries to connect, she gets this error window:
> >>>
> >>> "To log on to this remote computer, you must have Terminal Server User
> >>> Access permissions on this computer. By default, members of the Remote
> >>> Desktop Users group have these permissions. If you are not a member of the
> >>> Remote Desktop Users group or another group that has these permissions, or if
> >>> the Remote Desktop User group does not have these permissions, you must be
> >>> granted these permissions manually."
> >>>
> >>> Huh?
> >>> This is a Win 2003/SP2 domain controller, so there is no local "Remote
> >>> Desktop Users" group. All our other domain admins -for instance, me- can log
> >>> in still. There has been no change in domain controller security policy or
> >>> default domain security policy. If I go to "Select Remote Users" on the
> >>> Remote tab and add the user directly, she can log in (but doesn't t, but I
> >>> don't want to do that on every DC- and I shouldn't have to, because being in
> >>> Domain Admins should be enough (it is for our other admins)!
> >>>
> >>> So, what am I missing here?
> >>>
> >>>
> >>>
>