I will retract that last post - this is not a GPO issue. It is a limitation of 
"Remote Desktop for Administration" mode.

I just found a link that answers this question. For Windows 2000 & 2003, you 
MUST be a member of the administrators group in order to RDP into a server that 
has Remote Desktop for Administration enabled:

"only members of the Administrators group can gain access to the server."

Server 2003 kb article: http://support.microsoft.com/kb/814590

Server 2000 kb article: http://support.microsoft.com/kb/306624/

You either have to add them to the admin group, OR change over to TS for 
Applications, which requires appropriate licensing.

Jonathan L. Raper, A+, MCSA, MCSE
Technology Coordinator
Eagle Physicians & Associates, PA
[email protected]
www.eaglemds.com

________________________________
From: Raper, Jonathan - Eagle [mailto:[email protected]]
Sent: Wednesday, November 17, 2010 10:03 AM
To: NT System Admin Issues
Subject: [SPAM] - RE: Wierd one with Login rights, need a sounding board - 
Domain does not exist

Although that may work, that should not be required. GPO should override local 
policies, so this says to me that something is not right with the GPO or the 
application of the GPO.

Are you sure the GPO is applying successfully to the server? What does gpresult 
yield?


Jonathan L. Raper, A+, MCSA, MCSE
Technology Coordinator
Eagle Physicians & Associates, PA
[email protected]
www.eaglemds.com

________________________________
From: James Rankin [mailto:[email protected]]
Sent: Wednesday, November 17, 2010 9:51 AM
To: NT System Admin Issues
Subject: Re: Wierd one with Login rights, need a sounding board

Add them directly to the Remote Desktop tab under System Properties. I know it 
sounds daft, but that should crack it.

On 17 November 2010 14:45, Ziots, Edward <[email protected]> wrote:
I have a GPO that grants the following user rights to a group.

Let's call this the Datacenter operators group (and I have made them a Power 
user on the system).

I grant the following via GPO.

Right to Logon Locally, Right to Logon via Terminal Services, Right to shutdown 
the system (required by management for support reasons).

I put said group in the Remote Desktop Users group on the system accordingly, 
and I granted the Group Full Control on the RDP connection on the server.

I try and login to the server and it claims this account needs administrative 
rights to login to the server. I login with the account locally from the server 
console, no issues except it claims it can't reach its profile directory 
accordingly.

So what am I missing with allowing the account to login via RDP?  If I make 
the account a local administrator it works, but as a power user it doesn't 
work. Even though I can login to the server locally?

Z



Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: [email protected]
Cell:401-639-3505


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]
with the body: unsubscribe ntsysadmin



--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the 
machine wrong figures, will the right answers come out?' I am not able rightly 
to apprehend the kind of confusion of ideas that could provoke such a question."
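
The question raised in the thread, whether the GPO actually applied, can also be checked against the server's effective user rights. The following is an added example, not code from anyone in the thread: it assumes the rights were exported with `secedit /export /areas USER_RIGHTS /cfg rights.inf`; the export text, the domain group SID ending in -1105 and the function names are constructed for illustration.

```python
# Added example; SAMPLE_EXPORT and the -1105 domain group SID are constructed data.
REQUIRED = ("SeInteractiveLogonRight",          # log on locally
            "SeRemoteInteractiveLogonRight",    # log on through Terminal Services
            "SeShutdownPrivilege")              # shut down the system
# A deny right overrides the matching allow right.
DENY = {"SeInteractiveLogonRight": "SeDenyInteractiveLogonRight",
        "SeRemoteInteractiveLogonRight": "SeDenyRemoteInteractiveLogonRight"}
GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed group SID
RDU = "S-1-5-32-555"  # well-known SID of the built-in Remote Desktop Users group

SAMPLE_EXPORT = f"""\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*{GROUP}
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*{RDU}
SeShutdownPrivilege = *S-1-5-32-544,*{GROUP}
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {right: set of holders} from the [Privilege Rights] section only."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; unresolved names have none.
            rights[name.strip()] = {h.strip().lstrip("*").upper()
                                    for h in value.split(",") if h.strip()}
    return rights

def audit(text, principal_sids):
    """Map each required right to 'granted', 'denied' or 'missing'."""
    rights = parse_privilege_rights(text)
    sids = {s.upper() for s in principal_sids}
    result = {}
    for right in REQUIRED:
        if rights.get(DENY.get(right), set()) & sids:
            result[right] = "denied"
        elif rights.get(right, set()) & sids:
            result[right] = "granted"
        else:
            result[right] = "missing"
    return result
```

Pass the group's own SID together with the SIDs of every local group it is nested in, because a right is often granted to the local group rather than to the domain group directly.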
