Allow log on through Remote Desktop Services Group Policy for Domain Controllers

Hello,
We want to allow our Helpdesk Operators to be able to connect to Domain Controllers with the Remote Desktop Services. This is by default not allowed but according to many sites, it should be possible to configure this by using a Group Policy.
We made a new Group Policy with the setting 'Allow log on through Remote Desktop Services' and 'Allow log on locally' (as an extra for testing) and applied Security Filtering to only use it for a specific Security Group. Our test user is a member of this security group and should be able to access the Domain Controllers now. However this isn't working.
The error message we receive upon trying to connect:
The connection was denied because the user account is not authorized for remote login.
For troubleshooting, we also applied the Security Group for that setting in the Default Domain Controllers Policy but that doesn't seem to work either. We want to avoid customization on our Default Domain Controllers Policy but this was just a test case for solving our problem.
What should we do to solve our problem?
I hope to hear from you soon.
Thanks in advance.

Hi, I just found out what the problem was. This site helped me a lot:
http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
In my case, I had the group added to the Allow Logon Through Remote Desktop Services but it was not added to the Builtin\Remote Desktop Users group. After knowing this I made some changes to our situation and we are now using the builtin\Remote Desktop Users group rather than a new self-made Security Group. I also added the Remote Desktop Users to the Allow Logon Through Remote Desktop Service in the Default Domain Controllers Policy as this is not done by default. By default only the Domain Administrators are able to log on through remote desktop services.
You do not need the 'Log on Locally' permission within the Group Policies.
In short:
Add the desired users/groups to the 'Builtin\Remote Desktop Users' security group.
Add the 'Builtin\Remote Desktop Users' security group to the 'Allow Logon Through Remote Desktop Services' within the 'Default Domain Controllers Policy'.
Thank you anyway for the fast reply.
Have a nice day!
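
The two independent checks described in the answer above (the 'Allow log on through Remote Desktop Services' user right, and membership in a group that has access to the RDP listener), modelled as an added PowerShell example that is not part of the original posts. The function names, the sample SIDs and the INF text are constructed, and the example assumes the listener keeps its default permissions (Administrators and Remote Desktop Users).

```powershell
# Added example. Sample data below is constructed; on a real DC export the
# effective user rights with:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
# and read the file with Get-Content.

# Well-known SIDs: BUILTIN\Administrators and BUILTIN\Remote Desktop Users.
# Assumption: the RDP listener still has its default permissions, which
# grant access to exactly these two groups.
$ListenerSids = @('S-1-5-32-544', 'S-1-5-32-555')

function Get-UserRightHolder {
    # Returns the SIDs/names assigned to one user right in secedit INF text.
    param([string[]]$InfLines, [string]$Right)
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()
}

function Test-RdpLogonPath {
    # $TokenSids: SIDs of the user and of every group the user is a member of.
    param([string[]]$InfLines, [string[]]$TokenSids)
    $allow = @(Get-UserRightHolder $InfLines 'SeRemoteInteractiveLogonRight')
    $deny  = @(Get-UserRightHolder $InfLines 'SeDenyRemoteInteractiveLogonRight')

    $hasRight   = @($TokenSids | Where-Object { $allow -contains $_ }).Count -gt 0
    $isDenied   = @($TokenSids | Where-Object { $deny -contains $_ }).Count -gt 0
    $onListener = @($TokenSids | Where-Object { $ListenerSids -contains $_ }).Count -gt 0

    [pscustomobject]@{
        HasUserRight    = $hasRight      # 'Allow log on through RDS' is granted
        Denied          = $isDenied      # 'Deny log on through RDS' wins over allow
        InListenerGroup = $onListener    # Administrators or Remote Desktop Users
        CanLogOn        = $hasRight -and $onListener -and -not $isDenied
    }
}

# Constructed SIDs for a helpdesk user and a custom "Helpdesk-RDP" group.
$userSid  = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$groupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1601'

# Question: the custom group holds the user right, but neither the user nor
# the group is in Remote Desktop Users.
$infQuestion = @"
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*$groupSid
"@ -split "`r?`n"

# Default Domain Controllers Policy as described: Administrators only.
$infDefault = @"
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
"@ -split "`r?`n"

# Answer: Remote Desktop Users holds the right and the user is a member of it.
$infAnswer = @"
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"@ -split "`r?`n"

# Right without listener access (the situation in the question).
Test-RdpLogonPath -InfLines $infQuestion -TokenSids @($userSid, $groupSid)
# Listener access without the right (group membership alone on a DC).
Test-RdpLogonPath -InfLines $infDefault  -TokenSids @($userSid, 'S-1-5-32-555')
# Both conditions met (the configuration in the answer).
Test-RdpLogonPath -InfLines $infAnswer   -TokenSids @($userSid, 'S-1-5-32-555')
```

Running the same check against a real export shows exactly which groups can reach an interactive session on a Domain Controller, which is worth reviewing whenever the Default Domain Controllers Policy is changed.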

Similar Messages

  • Sign-in through remote Desktop Services

    To sign in remotely you need the right to sign in through Remote Desktop Services. By default members of the Administrators group have this right. If the group you are in does not have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually.

    Actually, the user needs to be member of "Remote Desktop Users" group to have this right, is not necessary to do this editing the user rights.
    Jesús Peñaranda| MCP,MCT,MCTS,MCITP,MCSA,MCSE

  • Server 2012 Win 8.1 GPO Remote Registry Service & Group Policy Trace

    I'm trying to enable the Remote Registry Service via GPO (Computer > Preferences > Control Panel > Services).
    I set the following (and left the other config items at default):
    Startup: Automatic
    Service  name: RemoteRegistry
    Service action: Start service
    This only results in a message in the event log and a message when running "gpupdate /force" both saying
        "Windows failed to apply the Group Policy Services settings. Group Policy Services settings might have its own log file. Please click on the "More information" link."
    HA! When was the last time one of those links helped anyone?
    So I tried to enable "Computer > Policies > Administrative Templates > System > Group Policy > Logging and tracing > Configure Services preference logging and tracing" and set
    Event logging Informational, Warnings and Errors
    Tracing On
    User trace c:\Trace\User.log
    Computer trace c:\Trace\Computer.log
    Planning trace c:\Trace\Planning.log
    Maximum size of trace file (KB) 1024
    I made the C:\Trace folder.
    And NOTHING.
    So the GPO doesn't log anything meaningful to the Event Viewer (and tells you to look somewhere that says it can't help you). The same thing is in the "Operational" GPO log, Group Policy Result and GPRESULT /h <filename> give you the same meaningless poop.
    Is there any way to start the flippin' service with the GPO, and is there a way to get any kind of meaningful logging?

    Hi,
    > Is there any way to start the flippin' service with the GPO, and is there a way to get any kind of meaningful logging?
    If we want to get verbose information about group policy processing, we can try to enable logging in the Gpsvc.log file.
    Regarding how to enable logging in the Gpsvc.log file, the following blog can be referred to for more information.
    How to enable GPO logging on windows 7 /2008 r2 ?
    http://blogs.technet.com/b/csstwplatform/archive/2010/11/09/how-to-enable-gpo-logging-on-windows-7-2008-r2.aspx
    In addition, regarding group policy debug logging, the following article can be referred to for more information.
    Group Policy Debug Log Settings
    http://social.technet.microsoft.com/wiki/contents/articles/4506.group-policy-debug-log-settings.aspx
    Best regards,
    Frank Shen

  • Windows Server 2008 - Group policy for domain client to start/stop services installed on it

    Hello Experts
    I am a newbie to windows server administration , though did a Google  , but ended up with these question with my requirements
    I have created a new domain and 2 client/computer (A & B namely) to domain . Now A & B has tomcat server running with port 8080 , 9090 which i have installed
    domain ADMIN account .
    && now i am want to start/stop/restart services enabled for domain users  !! How do i achieve this !!
    basic question : How can i access A & B tomcat services on DOMAIN CONTROLLER server to create a GPO and that are on (A & B)
    what is the easiest way to achieve the same , (if not using GPO)???
    similarly I am looking for many features : where I want to control the permission to user on (A & B ) like : If the binaries of tomcat is available on machine say : A , if the user can install (now
    it ask for ADMIN credentials) 
    Thanks
    Mike~Ed

    Controlling services with Group Policy is done under Computer Configuration\Policies\Windows Settings\Security Settings\System Services.
    The limitation is that system services can only see the services on the computer running the Group Policy management console. To access other services, you will either need to create the services on your computer (install the software that adds the service) or install the remote server administration toolkit (RSAT) on the computer with the service already on it.
    If my answer helped you, check out my blog:
    Deploy Happiness

  • Cannot Get Remote Desktop Service to Work

    On Windows 8.1 Pro 64-bit, we went to Remote tab and enabled Remote Desktop.   We entered into the Remote Desktop Users group two users who are local on the box.  One of those is local admin and the other is a standard user.  When we connect
    to this machine by remote desktop and then authenticate, we get a message from Windows that the Remote Desktop Users group needs to be able to login through Remote Desktop Services.    
    I looked in secpol.msc and the Local Policies | User Rights Assignment | Allow logon through Remote Desktop Services already has the Remote Desktop Users included.
    What could be going wrong here that might cause Remote Desktop to disallow authenticated users that match to the Remote Desktop users group?
    Will

    Hi,
    Please check whether two machines are in the same network environment. And make sure if Remote Desktop Services is running, you can follow these steps:
    Press Windows + R keys simultaneously, type services.msc then press Enter.
    Check the status of Remote Desktop Services.
    Roger Lu
    TechNet Community Support

  • QoS DSCP value 46 gone, after enabling Remote Desktop Services on Windows 2012 R2 Standard

    Hi,
    After installing a clean Windows Server 2012 R2 with all Windows updates I have set up Policy-Based QoS for tagging defined traffic, in the test case all traffic to one specific IP address. Wireshark logging displays the correct configured (46) DSCP value so the group policy is working fine. After installing Remote Desktop Services the Policy-Based QoS is still in place but Wireshark results that the value is 0.
    Can somebody explain why this happens and how to solve it?
    Regards, Edward

    Hi Edward,
    Thank you for posting in Windows Server Forum.
    Did you find any related error for your case?
    By default, Windows traffic has a DSCP value of 0. Network routers use the DSCP value to classify network packets and to queue them appropriately. The number of queues and their prioritization behavior needs to be designed as part of your organization's QoS
    strategy. For example, your organization may choose to have five queues: latency-sensitive traffic, control traffic, business critical traffic, best effort traffic, and bulk data transfer traffic.
    More information, please see:
    Policy-based Quality of Service (QoS)
    http://technet.microsoft.com/en-us/library/dd919203(v=ws.10).aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • How to enable users to access windows 2012 through remote desktop client on windows XP SP3

    Hi I have just installed Windows Server 2012 and trying to give access to the users. The users are on windows XP Pro SP3 remote desktop client (Shell and control version 6.1.7600 with Remote Desktop Protocol 7.0 support). 
    I have enabled the windows server 2012 remote desktop users through "control panel -> systems and security ->  Remote access" for the users. When I try to connect to the windows server as administrator, it is getting connected.
    But when I try to connect as other users I get the following message.
    "To sign in remotely, you need the right to sign in through Remote Desktop Services. By default members of the Administrators group have this right. If the group you're in does not have the right, or  if the right has been removed from the Administrators
    group, you need to be granted the right manually."
    Is there any other setting to be done to enable the Remote Desktop for the users?

    Have you tried adding those users to the "Remote Desktop Users" group? It's in Active Directory Users and Computers and it's a Built-In group. Might want to give that a try ...
    - JJ

  • Remote Desktop Services Manager Hangs / Crashes

    Hi,
    I have windows server 2008 R2 based remote desktop environment. When i access remote desktop services manager to manage domain users session, it hangs / crashes. I am not unable to add any other computer to manage as well. Same was working fine in Windows
    server 2003.
    Any valuable suggestion????
    Regards
    Rox_Star

    Hi,
    As a test, please create a new domain admin user account, log on to the server with it, and then open RDS Manager.  Do you see the same issue with the new account?
    Thanks.
    -TP

  • Allow connection to RDS applications and restrict RDP connection for domain users

    I have configured RDS setup, with the following Roles: RD Web Access, RD Gate Way, RD Connection Broker, RD Session Host and RD Licensing.
    the problem is that the domain users can't run the published applications unless I add the "Domain Users" group into the remote desktop users on the RDS servers, but now all domain users can connect RDP to the RDS servers.
    so we need domain users to connect to the RDS published applications and restricting them from connecting RDP to the RDS servers, in addition I can see that internal servers are accessible from outside through the RD gateway server.
    any ideas ? 

    Hi,
    Thank you for posting in Windows Server Forum.
    For a test you can create one group, assign the specified user under that group. Add that group under “Remote Desktop User” local group. For getting access to published Remote Application you can simply assign\add the group under collection properties of the application and that user can get access.
    For restricting user to server remotely, you can add that group of user under “Deny logon through remote desktop service” under User Rights assignment. Also you can check “Deny New User Logons to an RD Session Host Server” settings.
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Can't log on with administrator user by finding the message "The task you are trying to do can't be completed because Remote Desktop Services is currently busy. Please try again in a few minutes. Other users should still be able to log on.

    Hi,
    Now, my Windows 2008 R2 Enterprise server are running in the domain. It have problem about some one in my team have remote my server with the user administrator while I'm remote it now. It make my session loss. I tried to remote it again but I found
    the message at the log on screen about "The task you are trying to do can't be completed because Remote Desktop Services is currently busy. Please try again in a few minutes. Other users should still be able to log on."
    Now, nobody can't remote with administrator user into this server. I have check the application log. I found the error message like this.
    ++++++++++++++++++++++++++++
    Source: Desktop Window Manager
    Event ID: 9003
    Detail: None The Desktop Window Manager was unable to start because a composited theme is not in use
    ++++++++++++++++++++++++++++
    Source: Microsoft-Windows-Winsrv
    Event ID:10002 
    Detail: The following application was terminated because it was hung: mmc.exe.
    ++++++++++++++++++++++++++++
    Source: Microsoft-Windows-Winsrv
    Event ID:10002 
    Detail: The following application was terminated because it was hung: javaw.exe.
    ++++++++++++++++++++++++++++
    Source: Microsoft-Windows-Winsrv
    Event ID:10002 
    Detail: The following application was terminated because it was hung: Explorer.exe.
    ++++++++++++++++++++++++++++
    Source:Desktop Window Manager
    Event ID:9009
    Detail:The Desktop Window Manager has exited with code (0x40010004)
     ++++++++++++++++++++++++++++
    Source:Microsoft-Windows-Winlogon
    Event ID:6005
    Detail:The winlogon notification subscriber <Sens> is taking long time to handle the notification event (Logoff).
    ++++++++++++++++++++++++++++
    In addition, I can log on this server with other user but I can't log off by it's showing the message "please wait for the system Event Notification service". Normally, the problem can solve by reboot the server. But how can be solve this problem
    by we do not reboot the server?

    Hi,
    The cause of unable to remote back to the server seems to be services hung, please try to reset session as the article below guides to see if it works:
    Windows Server: Remote Desktop Error: The task you are trying to do can't be completed because Remote Desktop Services is currently busy
    http://social.technet.microsoft.com/wiki/contents/articles/28636.windows-server-remote-desktop-error-the-task-you-are-trying-to-do-can-t-be-completed-because-remote-desktop-services-is-currently-busy.aspx
    If the issue can always be re-produced, then I would suggest you fully patch the system.
    More information for you:
    The task you are trying to do can't be completed because Remote Desktop Services is currently busy. Please try again in a few minutes. Other users should still be able to log on
    https://social.technet.microsoft.com/Forums/windows/en-US/c58bfbd5-1d63-47e3-a489-6d8c8778b76b/the-task-you-are-trying-to-do-cant-be-completed-because-remote-desktop-services-is-currently-busy?forum=winserverTS
    Best Regards,
    Amy

  • Accessing ASDM through MS Remote Desktop Services session based system

    I am setting up a MS Remote Desktop Services system for a client. This is being configured as a jump server so everyone at the client will go through this system (aka jump server) to access systems via ssh, https, etc that are in a restricted part of the network. I am running into a problem getting ASDM to work. I can bring up the initial web page directly on the server via Internet Explorer, so that tells me I can get to the ASA. I have installed Java 1.7.10 as this is the recommended version on looking at the Java site for Windows 2012. When I try to install the dm_launcher, it says that Java isn't installed.
    Has anyone been able to get this to work ?
    Ron

    I've used ASDM fine from an RDS platform. I used Java 7 update 45. How are you trying to install the launcher?
    Sent from Cisco Technical Support iPad App

  • Windows Server 2008R2 running Remote Desktop Services reports printer process does not exist when installing PDF printer

     Windows Server 2008R2 running Remote Desktop Services reports printer process does not exist when installing PDF printer, And when Installing network printers from the domain controller it reports it cannot connect to printer.  I can ping all
    network devices. I can connect to the internet.
    On boot I get a netlogon 5719 error followed by service control manager errors 7023,7001 and a group policy error 1129.
    Clients can connect to the remote application and RDP operates to connect to the server internally and externally.
    The domain controller is another server 2008r2 box. I have scoured the internet but have not found any solutions that work yet.

    Hi,
    After referring to your post, it can be identified that the issue which you are facing is mostly due to some network issue in your environment. Please recheck your network connection issue between computer and domain controller. 
    Are you able to ping a domain controller in the users' and computers' domain by IP address and also by fully qualified name? If that fails, it indicates a name resolution issue between the computer and the domain controller. If you are using the MS DHCP Relay agent, there is a hotfix available for the particular Event ID. Please go through KB 2459530 to fix the error event ID.
    The Netlogon error 5719 which you are facing states that the client component of Netlogon was unable to locate a DC for the domain it was trying to perform an operation against. Below is one of the reasons. If this is being logged on a DC and the event refers to the DC's own domain, something might be preventing the client component of Netlogon from starting a network session (to itself or to another DC in the domain). The following events 7001 & 7023 state start & stop operation service. Please go through the articles below for more details.
    1.  Event ID 5719 is logged when you start a computer
    2.  Netlogon 5719 and the Disappearing Domain [Controller]
    3.  Event ID 1129 — Microsoft-Windows-GroupPolicy
    Hope it helps!
    Regards.

  • Terminal Services (TS) or Remote Desktop Services (RDS) scenario clarifications

    Dear Support,
    Question:
    Do I still need to purchase RDS CALS license? or can use MSDN CALs in the Terminal Server?
    Due to MSDN subscribers are End users, do not use Production Data and have to demo their developed applications to other End users group.
    Scenario:
    1. Use only Remote Desktop Session.
    2. End users are MSDN Subscribers.  (Although stated by Microsoft End users are non MSDN subscribers)
    3. End users demo applications to End users.
    4. End users develop their applications and have to demo to other End users group.
    From MSDN link:
    Client Access Licenses for Terminal Services
    With an MSDN subscription, you are allowed to provide end users access to Internet demonstrations of your programs via Terminal Services (Windows Server 2003 or Windows Server 2008) or Remote Desktop Services (Windows Server 2008 R2). Up to 200 anonymous
    users can simultaneously access your demonstration this way. Your demonstration must not use production data. MSDN subscribers are licensed to demonstrate their applications to end users,
    but Terminal Services (TS) or Remote Desktop Services (RDS) is the only scenario where end users without an MSDN subscription can interact with the demonstration application while the software is licensed through MSDN subscriptions.
    Accessing CALs            
    MSDN subscribers can access CALs for demonstration purposes through the
    Product keys page of MSDN Subscriber Downloads. Please access the documentation resources online for assistance with the
    Terminal Server activation process. If you have any questions, please visit the Microsoft
    Terminal Services forum.
    Mary Lee

    Hi
    Please call the licensing to be sure. In the USA (866) 230-0560 or
    [email protected]
    Regards, Philippe

  • Audio service hangs on Windows Server 2008R2 with Remote Desktop Services

    Hello! 
    I have some terminal servers on Windows Server 2008R2. Users have the ability to use web browsers (IE, Firefox) with the included Flash Player, IM clients / Internet telephony (Skype, ICQ), Windows Media Player, Office, and a specific internal software (works with MS SQL). I have the following problem: the Windows audio service hangs up that leads to hangup of all programs which use it, such as: any sites in Internet with a flash content (in all browsers), ICQ, Skype. Even logging out the session hung when tried to lose a sound. It's impossible to stop or restart service from the services.msc, the service just hangs with status "restarting". To stop service I terminate svchost process. As soon as the audio service is stopped - all programs start to work correctly (certainly without a sound). This problem appeared not suddenly - periodic hangups of programs on servers were marked long ago (more than half a year), but not directly were connected to audio service, especially there were they rather rare (on the average once a week - two) and were corrected by server reset. The error message:
    Error container , type 0 
    Event name: AppHangXProcB1 
    Reply: No data 
    Ident CAB: 0 
    Problem signature: 
    P1: iexplore.exe 
    P2: 9.0.8112.16446 
    P3: 4fb57c8f 
    P4: 77c1 
    P5: 131200 
    P6: svchost.exe:AudioClientRpc 
    P7: 0.0.0.0 
    P8: 
    P9: 
    P10: 
    shall suggest an idea about a sound service, but in Event Viewer has no Windows Audio events. 
    Recently I updated Skype to the last version 6.0.66.120. Before was 4.2.35.155 because versions 5xx on Windows2008R2 with the Remote Desktop Services actually don't work, if users at the server more than one or two. We checked the sixth version by the test machine with the terminal environment and very were delighted to its normal working capacity. However after installation of this client on production servers it appeared that hangups of programs on servers began to occur on the average time at an o'clock in case of an average daily load (about 20 users on one server). If you have worked one or two users, problems weren't watched. Internet search led me to the support page Skype, where the Windows 7 x64 user faced a similar problem in the fifth version of the program. But the solutions proposed by the support team do not help me. In addition, I found the advice to disable enhancements in the properties of the playback device, but it is impossible for the "Remote Audio" device.
    At the moment, on servers where I updated the Skype, I disabled the audio service. If within a reasonable time, I do not find a solution, I will have to revert
    to an older version of Skype, but I would like to solve the problem completely. 

    Enable the Allow audio and video playback redirection Group Policy setting
    To allow audio and video playback when connecting to a computer running Windows Server 2008 R2, you must enable the Allow audio and video playback redirection Group Policy setting. The Allow audio and video playback redirection Group Policy setting is located
    in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection and can be configured by using either Local Group Policy Editor or the Group Policy Management
    Console (GPMC).
    For more information about Group Policy settings for Remote Desktop Services, see the Remote Desktop Services Technical Reference (http://go.microsoft.com/fwlink/?LinkId=138134).
    Is this policy applied? Refer:
    http://technet.microsoft.com/en-us/library/dd759165.aspx
    Also, have you tried update the audio device driver for this terminal server?

  • How do I remote control a user in remote desktop services in Windows Server 2012?

    Hello,
    we currently operate in a 2008 R2 environment with the majority of clients connecting to our terminal servers.  We use the remote control feature in terminal services manager to connect to a users session when a user phones our helpdesk with
    a question / issue.
    Just today I've installed 2012 server on a hyper-v virtual machine to have a play with it.  I've installed the Remote Desktop Services and noticed this remote control feature is gone.  I can still log off or send a message to a user, but I can
    no longer remote control their session.
    I've seen one or two other posts stating this feature has been removed completely.
    So, a couple of questions:
    1. How on earth do I "shadow" or connect to a users session now?
    2. If I have to go third party to get this functionality back, what's the best software on the market for this and does it support remote connecting of users who have their RDP session span multiple monitors? (2008 R2 doesn't)
    3. Will Microsoft ever bring this feature back? as at this stage I doubt we would move to 2012.  This is the one feature that is crucial to the day-to-day running of our helpdesk.
    Cheers.

    A large percentage of our IT support business is through remote management. Most of our large enterprise customers are Terminal Server environment (now called Remote Desktop - why does Microsoft have to change EVERYTHING - how would they feel if I changed
    the colour of the sky from blue to red just because I could?).
    Last week, after much expense to the customer (and realising that there WOULD be some cosmetic headaches to contend with Server Management) we installed a new "Remote Desktop Server" for them and shifting them from 2003 - a big leap so we discovered.
    During deployment it came as a HORRIFIC surprise that we could not remote control user's sessions!
    Yes, we ARE to blame for not fully realising the cock-up Microsoft has made for us. We should have fully researched every detail of what changes they made and what they have robbed us of.
    Firstly, the removal of the ability to fully manage user's sessions came as a HUGE blow!
    The remaining multiple issues that followed (including the hugely cumbersome and SLOW way of accessing user's sessions and the false information that the console was reporting users logged in when they had already logged out) suddenly resulted in us decommissioning
    the new 2012 installation in favour of a 2008 R2 installation.
    Some may ask; Why not use "Third Party" apps to counteract the issue? Firstly; why spend MORE and why use a third party app that "is as" cumbersome to use just because of a freaking feature that Microsoft deemed a "security risk" - for G.D sake!
    We have now been directed by management to convince customers that a move to 2012 is NOT recommended - good choice boss, I love you!
    The question is; will Microsoft re-implement this feature and fix Server Management performance/accessibility in a future release before 2008 R2 is no longer available? Probably not - it looks like their stubbornness to forge ahead with their craze mind-set
    of transforming their products into something that is now annoying millions (including their bloody push towards everything-cloud which NONE of our customers want anything to do with).
    Microsoft! Get us back on to your side and take a step back, take a deep breath and listen to consumers!
