I have a Windows 2008 SP2 VM and I am attempting to configure it to allow people to log into it using MSTSC client. As far as I understand you can set this up locally enabling RDP and adding users to the list of those allowed.
However I would like to set things up using AD and GPOs. As per KB954369 I have my machine sat in an OU, against which I have applied policy to enable RDP and another to define restricted users. I have tried to double check these things but as far as I can see, it looks to be correct.
Edit: The domain administrator user can login via RDP. Therefore I'm ruling out any lower level network issues.
I'm a Windows admin novice and am beginning to tear my hair out and wonder if anyone can shed any light or suggest any schoolboy mistakes that I might have made. Specific pointers would of course be appreciated, but I would also be happy to be directed to more general principles, tools or techniques for debugging these things.
The best summary of how your GPOs are being applied is through Microsoft's Group Policy Management Console. This was a download for Windows Server 2003 domains, but I'm guessing it's built in to Windows Server 2008 domain controllers.
Run the "GPO Results Wizard" or whatever its 2008 equivalent is, and check especially for any errors applying GPOs.
Is the built-in firewall configured to allow RDP connections, and if so from which networks?
The newer RDP clients support a higher, certificate-based level of security around RDP connections. Is your server configured to refuse any RDP connection not using the latest-and-greatest security level?
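The checks suggested in the answers above, gathered into one script as an added example (not posted by anyone in this thread). It assumes an elevated PowerShell 2.0 or later prompt on the RDP server and English-language `netsh` output; the helper name `Get-RegValue` is hypothetical.

```powershell
# Added diagnostic sketch; run from an elevated prompt on the RDP server.
function Get-RegValue($Path, $Name) {   # hypothetical helper, not a built-in cmdlet
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($p -and $p.PSObject.Properties[$Name]) { return $p.$Name }
    return '(not set)'
}

$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rdpTcp = "$ts\WinStations\RDP-Tcp"

# 1. Which GPOs were applied to this computer, and which were filtered out.
gpresult /scope computer /r

# 2. Is RDP enabled? 0 = connections allowed, 1 = denied.
#    A value under the Policies key comes from a GPO and overrides the local one.
"fDenyTSConnections (policy): " + (Get-RegValue $policy 'fDenyTSConnections')
"fDenyTSConnections (local):  " + (Get-RegValue $ts 'fDenyTSConnections')

# 3. Security level the listener demands from clients.
#    SecurityLayer: 0 = RDP, 1 = Negotiate, 2 = SSL (TLS)
#    UserAuthentication: 1 = Network Level Authentication required
foreach ($name in 'SecurityLayer', 'UserAuthentication', 'MinEncryptionLevel') {
    "{0} (policy):   {1}" -f $name, (Get-RegValue $policy $name)
    "{0} (listener): {1}" -f $name, (Get-RegValue $rdpTcp $name)
}

# 4. Inbound firewall rules covering TCP 3389. The Enabled, Profiles and
#    RemoteIP lines show whether RDP is allowed and from which networks.
$blocks = (netsh advfirewall firewall show rule name=all dir=in | Out-String) -split '(?:\r?\n){2,}'
$blocks | Where-Object { $_ -match 'LocalPort:\s+3389\b' }

# 5. Who is actually in the local group that grants RDP logon on this machine.
net localgroup "Remote Desktop Users"
```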
I think I have the same problem you are describing here AND I think you have the solution... But not 100% sure. (I am following http://technet.microsoft.com/en-us/library/cc776790(WS.10).aspx)
You stated:
OK - I can buy all of that and I did it... But this is where you kinda lost me -
I didn't realize but this BUILTIN group won't contain the same members across different users of it.
This is where things get fuzzy... Can you try and explain that one again?