Results 1 to 2 of 2
2012-05-25, 10:22 #1
- Join Date
- May 2012
- Thanked 0 Times in 0 Posts
Adding user group to Remote Desktop Users list (locally)
We have pushed a GP to all of our machines to add <domain>\Domain Users in the Remote Desktop Users list of every corporate machine.
Unfortunately - every once in a while (and I mean 2-3 times per day for me) I run across a machine that will not allow any kind of remote desktop connection.
THis morning, I did some digging and discovered that the 'Remote Desktop Users' list did not contain the entry for Domain Users. I was not able to talk an end user through adding the Domain Users to the list of valid Remote Desktop users.
I do not have any control of Group Policy, so I am looking for a local fix. Is there a way to programmatically add users to the Remote Desktop Users group?
2012-05-25, 14:29 #2
- Join Date
- Dec 2009
- Milwaukee, WI
- Thanked 63 Times in 51 Posts
It sounds like your users have admin access (which is scary for me to think about!)? GPO overrides this component of the local security policy so setting it there is not an option. The only work around I can think of would be a Net Use command in a batch file or adding the group via a VB script.
However, it would be far better to find out what is really happening. There is a reason the policy is not being applied. GPOs often fail for two main reasons; DNS issues, or permissions. Verify that the workstation in question has the right DNS settings. Check its IP address. From another workstation type "nslookup pcname" at a command prompt. It should respond with the correct IP. Type "nslookup ipaddress". It should respond with the correct name. If both are right, DNS is not the issue. More likely than not, your GPOs are being applied by OU (organizational unit). Verify that the PC is in an OU that the policy is linked to.
Open cmd.exe and type "gpresult /r". The output will be in two sections, Computer and User. The GPOs applied and denied will be listed in each block. In this case, you want to concentrate on the Computer section. The trick is when a GPO is being filtered out to identify the reason. That is a little deeper and will require help from someone with access to GPO. At least you'll be armed with something you can take to your GPO admin.
EDIT: BTW, Welcome to the lounge!
Last edited by Doc Brown; 2012-05-25 at 14:34.Chuck