Administrator cannot log on to server via remote desktop after changing default domain policy

group-policy terminal windows-server-2008

I wanted to enable remote desktop access for a domain security group, so I searched and followed the instructions here to get to the setting, which was shown as "Not Defined". I then changed the setting to add the security group, but it still didn't work. The same "..Allow Logon.." error message still occurs. So I decided to give up and revert the GPO settings to Not Defined.

I then tried to RDP with the Administrator account that had always worked, but to my horror it is not working anymore and the same "..Allow Logon.." error is shown.

I tried to gpupdate /force but still nothing works. The document says by default for Windows Server 2008, the RDP access is enabled for Administrators, so I assume if Not Defined, my Administrator account should still log in after the GPO changes? What else do I need to do to reset the setting?

Best Answer

Log on to the server locally and check the RDP settings.

Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration.
(This might be called Terminal Services instead of Remote Desktop Services).

In the middle of the screen in the Connections list, right-click RDP-Tcp, choose Properties. Choose the Security tab. This is the access control list of groups that have been granted or denied access to the terminal server. The GPO may have removed some groups from this list.

On my machine right now I have SYSTEM, LOCAL SERVICE, NETWORK SERVICE, Administrators, Remote Desktop Users and INTERACTIVE.
I think the important ones for you are going to be Administrators (who should have Full Control, User Access and Guest Access) and Remote Desktop Users (who should have User Access and Guest Access). If those groups are not in the list then add them.

Of course, check the membership of those groups. Hopefully all of your administrative staff are in the local Administrators group (probably via membership of DOMAIN\Domain Admins).
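The same checks can be run from an elevated PowerShell prompt on the server. This is an added example, not part of the original answer. It assumes the Terminal Services WMI provider is in the `root\cimv2\TerminalServices` namespace on this OS and that the policy setting in question maps to the `SeRemoteInteractiveLogonRight` user right; it only reads settings and changes nothing.

```powershell
# Added example: read-only checks. Run elevated, on the server console.
# Groups the answer expects to see on the RDP-Tcp Security tab.
$expected = 'Administrators', 'Remote Desktop Users'

# 1. ACL on the RDP-Tcp connection (the same list the Security tab shows).
#    Assumption: the TS WMI classes live in root\cimv2\TerminalServices here.
$acl = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
         -Class Win32_TSAccount -Authentication PacketPrivacy `
         -Filter "TerminalName='RDP-Tcp'"
$acl | Select-Object AccountName, PermissionsAllowed, PermissionsDenied |
    Format-Table -AutoSize

foreach ($group in $expected) {
    # AccountName is normally prefixed (e.g. BUILTIN\Administrators).
    $hit = $acl | Where-Object { $_.AccountName -like "*$group" }
    if ($hit) { "OK       $group is on the RDP-Tcp ACL" }
    else      { "MISSING  $group is not on the RDP-Tcp ACL" }
}

# 2. Effective user-rights assignment after Group Policy has been applied.
#    Assumption: the setting changed in the GPO is SeRemoteInteractiveLogonRight.
#    Well-known SIDs: S-1-5-32-544 = Administrators,
#                     S-1-5-32-555 = Remote Desktop Users.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight'
if ($right) { $right.Line }
else        { 'SeRemoteInteractiveLogonRight is not assigned to any account' }
Remove-Item $cfg

# 3. Membership of the local groups named above.
foreach ($group in $expected) { net localgroup $group }
```

A `MISSING` line in step 1 corresponds to a group that has to be added back on the Security tab as the answer describes.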