
Thread: Domain user remotely access his desktop via RDP

  1. #1
    Senior Member
    Join Date
    Dec 2004
    Posts
    140

    Domain user remotely access his desktop via RDP

    Hi

    How can I let a domain user “John Allen” access his desktop (WS-A) at work from his home via RDP?

    First he would access his work network (environment: Active Directory 2003) via VPN, and then how can I let him access his desktop at work via RDP?

    Could someone post step by step how should I configure that ? Is it through server local policy (gpedit.msc) or domain policy (gpmc.msc ) or something else ?

    I tried to google for it using this search phrase:

    “add user to remote desktop groups Active Directory”, but I could not find what I am looking for:

    http://www.google.com.au/search?hl=en&q=Active+Directory+specify+users+or+groups+that+have+Remote+Desktop+permissions+&btnG=Search&meta=&aq=f&oq=+Desktop+permissions+&btnG=Search&meta=&aq=f&oq=

    http://www.computing.net/answers/windows-2003/remote-desktop-user-question/5604.html

    Thanks
    Last edited by zillah; December 16th, 2009 at 11:05 AM.

  2. #2
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    There should be a built-in group in AD called 'Remote Desktop Users'. You can make John Allen a member of this group. I think you can assign this at the computer level as well. Which might be better if you do not want him to have access to other machines remotely.

    Because Remote Desktop Users is a built-in local group, adding members to it in ADUC gives Bob remote log-on capability for all domain controllers in the domain. If you want to give him such capability over a member server instead, you can use the System tool in Control Panel on that server. To do it, open System, switch to the Remote tab, and click on Select Remote Users. Then find Bob's account in the directory and add him to the list of users who can remotely log on to the system:
    ^^ Should work for workstations as well as servers.

    from: http://oreilly.com/pub/a/windows/200...e_Desktop.html

    [you can do that manually from the user settings in control panel. You just have to add him to the local group: 'Remote Desktop Users'.]

    You may also have to allow remote access in your system properties. Click 'Start' > right-click 'My Computer' > Click 'Properties'. Click the 'Remote' tab, and make sure that you have the remote options enabled.

    Also, depending on where your firewall is in this setup, you might have to add a rule for port 3389.

    Hope this helps. Clear as mud right?
    Last edited by westin; December 16th, 2009 at 05:31 AM.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  3. #3
    Senior Member
    Join Date
    Dec 2004
    Posts
    140
    Hi westin

    Thanks for your help and pointing me to a good resource

    Should work for workstations as well as servers.
    You cannot find the domain user name “John Allen” within the local user accounts on the PC (WS-A), therefore you won't be able to add him to get permission to access his workstation WS-A. Forget about the server; I do not like to give him permission to RDP to the server.

    I want to give him RDP to his workstation only (my case it is WS-A)

    On the (WS-A) PC:
    right-click 'My Computer' > Click 'Properties' > Click the 'Remote' tab > 'Select Remote Users'. I cannot find the username "John Allen" because this account is not created locally; it is a domain user account, which means you cannot find his name to add him.

  4. #4
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Hmm... try putting domain\jallen in the field [where, of course, 'domain' is your domain name]. I am at work now, and just tested it on a machine. Worked fine for me. I was able to add a domain user.

    One thing to note, if your domain is domainx.internal, leave off the .internal. Just use the actual domain name.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST
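
The per-workstation grant discussed in posts #2 and #4, as a script. This is an added example, not code posted by anyone in the thread. It assumes PowerShell is installed on WS-A, that it runs there in an elevated session under an account that can resolve domain accounts, and that `DOMAIN` is a placeholder for your NetBIOS domain name.

```powershell
# Added example. Grants one domain user RDP log-on to THIS workstation only,
# by editing the local 'Remote Desktop Users' group rather than the domain one.
param(
    [string]$Domain = 'DOMAIN',   # placeholder NetBIOS name (no .internal suffix)
    [string]$User   = 'jallen'    # account name used in the thread
)

$computer = $env:COMPUTERNAME
$group    = [ADSI]"WinNT://$computer/Remote Desktop Users,group"

function Get-RdpGroupMembers {
    # Return the ADsPath of every member, e.g. WinNT://DOMAIN/jallen
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$target  = "WinNT://$Domain/$User"
$members = @(Get-RdpGroupMembers)

if ($members -contains $target) {
    Write-Output "$Domain\$User can already log on via RDP to $computer"
} else {
    # Fails if the session cannot resolve the domain account (for example,
    # when logged on as a local admin without domain credentials).
    $group.Add("$target,user")
    $members = @(Get-RdpGroupMembers)
    Write-Output "Added $Domain\$User to 'Remote Desktop Users' on $computer"
}

# Audit: list who holds the right, and flag broad groups that would
# defeat the point of granting access to a single user.
$members | ForEach-Object { Write-Output "member: $_" }
$broad = $members | Where-Object { $_ -match '/(Everyone|Domain Users|Authenticated Users)$' }
if ($broad) { Write-Warning "Broad group(s) have RDP log-on here: $($broad -join ', ')" }

# Membership is useless if Remote Desktop itself is switched off
# (the 'Remote' tab in System Properties): fDenyTSConnections = 0 means enabled.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -ne 0) {
    Write-Warning "Remote Desktop is disabled on $computer; enable it on the Remote tab"
}
```

The script does not touch the firewall; a rule for port 3389, as mentioned in post #2, is still needed where a firewall sits between the VPN and the workstation.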

  5. #5
    Senior Member
    Join Date
    Dec 2004
    Posts
    140
    Hmm... try putting domain\jallen in the field [where, of course, 'domain' is your domain name]. I am at work now, and just tested it on a machine. Worked fine for me. I was able to add a domain user.
    Do you think it is because you are doing that locally and I am doing it through VPN?

    I have to try locally to log in to WS-A as a domain admin not local admin and see if I can add John Allen.

    Meanwhile, could you please try to log in as a local admin and then try to use VPN and see if you are facing the same problem as me?

  6. #6
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Quote Originally Posted by zillah View Post
    Do you think it is because you are doing that locally and I am doing it through VPN?

    I have to try locally to log in to WS-A as a domain admin not local admin and see if I can add John Allen.

    Meanwhile, could you please try to log in as a local admin and then try to use VPN and see if you are facing the same problem as me?
    I am not sure I follow. If I connect through VPN, and then log into a workstation through RDP as either the local admin, or the domain admin, I still have the option to add users as remote users.

    It doesn't make much of a difference whether I am physically in front of the computer, or in through VPN and RDP.

    The only difference I can see, is that if you try to add a domain account as a remote user on a workstation, while you are logged in as local admin, it will ask you for a login/password for a user with authority on the domain.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  7. #7
    Senior Member
    Join Date
    Dec 2004
    Posts
    140
    It doesn't make much of a difference whether I am physically in front of the computer, or in through VPN and RDP.
    This is what I believe as well.
    Last edited by zillah; December 19th, 2009 at 12:57 PM.

  8. #8
    Keeping The Balance CybertecOne's Avatar
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    660
    In summary;

    1) John Allen creates a VPN to the office and his home computer becomes part of the work network.
    2) Once John is connected to the work network, he can access any resource by any permitted protocol.

    Quite often we will create two shortcuts on a 'users' computer for remote access. The first shortcut is the VPN connection, and the second shortcut is the saved RDP file that connects to the relevant remote computer.

    The user then clicks on shortcut 1. Then once it has 'gone away' they click on shortcut 2. Then they are connected. This is the typical experience of a normal user in this scenario.


    CTO

    Also, the problem described in your post is often a DNS related issue! Either ensure the domain controller is the workstation DNS server, or ensure the name and IP address of the domain controller is entered into the hosts file. See http://www.bleepingcomputer.com/tuto...utorial51.html for a run through.
    Last edited by CybertecOne; December 21st, 2009 at 09:45 AM. Reason: More ideas
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

  9. #9
    Keeping The Balance CybertecOne's Avatar
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    660


    Quote Originally Posted by westin View Post
    The only difference I can see, is that if you try to add a domain account as a remote user on a workstation, while you are logged in as local admin, it will ask you for a login/password for a user with authority on the domain.
    I'm not being a snoot, but for the sake of learning I am sure that in this case it would not make any difference if you are connected via RDP or at the console.

    If you are logged on to the workstation locally, then any access/changes to a domain resource will require domain creds regardless of RDP or console.

    Peace
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

  10. #10
    Senior Member
    Join Date
    Dec 2004
    Posts
    140
    Hi Guys

    Here is what I did to eliminate the source of the problem (I am not going to use a VPN connection):

    Within our LAN I logged in to WS-A (the actual name of the PC is P3; for the sake of the forum I named it WS-A) as a member (support) of the domain controller group.

    For proof that WS-A joined the domain, please see "System Properties" in the snapshot below:

    http://img109.imageshack.us/i/systempropertiesa.jpg/




    For proof that "Remote Desktop" is ticked:

    http://img6.imageshack.us/i/remotedesktop.jpg/





    The funny thing that I cannot understand: when I log in locally (meaning not via VPN) as domain controller, sometimes I cannot see the 'Entire Directory' option for "Select the location you want to search" and sometimes I can see it:

    http://img6.imageshack.us/i/entiredirectory.jpg/



    Now, if I am lucky and I am able to see the 'Entire Directory' option for "Select the location you want to search" and I perform a search, it will either freeze as below:

    http://img187.imageshack.us/i/searchstuckdonothing.jpg/



    or it will give the error message as below :

    http://img15.imageshack.us/img15/993/erroryr.jpg



    Thanks
