Re: Advanced Problem: Remote Desktop into Trusted Domain w/GP permission

 
 
Ace Fekay [MVP-DS, MCT]
01-09-2010, 11:36 PM
"SMCook99" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...


Responses in-line...

>
> I have posted this question on quite a few forums and no one has been
> able to answer it to date....


What other forums have you posted this to?

Did you know techarena pulls/pushes all of their posts to the *free* (no
logon or profile required) Microsoft Public technical newsgroups? That's
where I'm reading it.


> I have tried this two ways now. One where the destination domain is a
> child domain of the forest and one where it is a separate forest
> trusting the main domain.
>
> As it stands:
> 1. Domain A is trusted by Domain B.


So DomainB trusts DomainA, meaning that DomainA's security principals can
access DomainB's resources, such as shares, printers, etc.

What functional levels are both DomainA and DomainB set to?


>
> 2. A\shawn is a member of A\Domain Admins, A\Administrators,
> A\Enterprise Admins, A\Remote Desktop Users, B\Remote Desktop Users,
> B\Domain Admins
>
> 3. ServC is a member of Domain B & has RemoteDesktop enabled
>
> 4. GP for Domain B is applied to all resources in the domain B and
> Enforced which specifies that A\shawn B\Domain Admins B\Remote Desktop
> Users are allowed login through terminal services


How did you set this in the GPO? Did you use RestrictedGroups?


> 5. B\Administrator can login remotely to B\ServC
>
> 6. ServC is able to authenticate A\Shawn, verified by logging in as
> B\Administrator and doing a runas
>
> 7. GPResult /v shows the policy is applied to ServC and A\Shawn is
> permitted remote login.
>
> Why can't A\Shawn log in to ServC? I get the standard "To log on to
> this remote computer, you must have Terminal Server User Access
> permissions on this computer...."
>
> A GC server 2008
> B GC server 2008
> ServC = 2003sp2
>
> If I add shawn to the Local Servers Remote Desktop Local in
> System->Properties->Remote he can log in but the goal is to use GP so I
> don't have to do it on 200 servers, just one policy.
>
> I have just replicated the problem with a separate Domain/Forest
> Trust.
>
> DomainA.Florida.Com and DomainB.Penn.com are trusted forests.
>
> DomainA\shawn is a member of DomainB\Remote Desktop Users AND in the GP
> for DomainB granted logon permission with a loopback policy forced for
> all DomainB resources.
>
> Domain\Shawn CAN logon to DomainB\GCServer BUT CANNOT LOGON to
> DomainB\anyotherserver
> "To log on to this remote computer, you must have Terminal Server User
> Access permissions on this computer. By default, members of the Remote
> Desktop Users group have these permissions. If you are not a member of
> the Remote Desktop Users group or another group that has these
> permissions, or if the Remote Desktop User group does not have these
> permissions, you must be granted these permissions manually."
>
> The only way I have been able to get DomainA\shawn to logon to
> DomainB\anyserver is by ControlPanel->System-Remote Settings.
> This works for 1 server but is impossible to manage a 200 server
> network as such.
>
> Please Advise.


I assume that A\Shawn is not a domain admin. Is A\Shawn also part of the
B\Domain Users?

For starters, verify that the domainB's Remote Desktop Users group is
actually added to DomainB's member servers groups.

I've seen this in scenarios where previous functional levels prevent domain
local groups from being visible on member servers, which is how you have the
groups or settings configured in the GPO. This is because member servers try
to enumerate the SID of the foreign security principal, and not the DN,
which is what AD uses. I remember Joe Richards wrote something on this quite
a while ago. I can't find the whole article or the post, but here's one post
he made on it.

ForeignSecurityPrincipals
http://www.servernewsgroups.net/grou...opic16870.aspx

If possible, let's try this:

1. Create a separate Global Group in DomainB, calling it DomainA RDP Admins.
2. Add that global group to one of DomainB's member server local Remote
Desktop Users.
3. Create a separate Global Group in DomainA, calling it DomainB RDP Admins.
4. Add A\shawn to DomainB RDP Admins.
5. Add DomainA\DomainB RDP Admins to DomainB\DomainA RDP Admins
6. Test Shawn's account.


Also as an FYI, if both forests only have one domain, all DCs in each domain
should be GCs. Of course, if there is more than one domain in a forest, the
IM role cannot be on a GC.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
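An added example, not part of Ace's reply, that performs the check he asks for ("verify that DomainB's Remote Desktop Users group is actually added to DomainB's member servers' groups") across a list of servers instead of opening each server's local group properties. It reads the local Remote Desktop Users group through the WinNT ADSI provider (which works against Windows Server 2003 hosts), translates each member's SID back to a DOMAIN\Name, and flags members the server cannot resolve, which is how a foreign security principal shows up when the member server can only enumerate its SID. The server names and the expected group name are assumed placeholders.

```powershell
# Added example (not from the thread). Audits the local "Remote Desktop Users"
# group on each listed member server and reports whether an expected domain
# group is present. Members whose SID the server cannot translate back to a
# name are flagged: that is what an unresolvable foreign security principal
# looks like from the member server's point of view.
# Server names and the expected group are constructed placeholders.

$servers       = @('servc.domainb.penn.com', 'srv02.domainb.penn.com')  # assumed names
$expectedGroup = 'DOMAINB\Remote Desktop Users'                          # assumed NetBIOS form
$localGroup    = 'Remote Desktop Users'

function Get-LocalGroupMembership {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$GroupName
    )
    # The WinNT provider reads the server's local SAM and does not need the
    # newer Get-LocalGroupMember cmdlet, so it also works against 2003 hosts.
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $name     = $member.GetType().InvokeMember('Name',      'GetProperty', $null, $member, $null)
        $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

        # Translating the SID is the same lookup the server performs when it
        # enumerates the group. A failure means the principal is only known by
        # SID on this host (for example a foreign principal the trust cannot
        # resolve), which is exactly the condition to investigate.
        try {
            $account  = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $resolved = $true
        } catch {
            $account  = $name
            $resolved = $false
        }

        [pscustomobject]@{
            Computer = $ComputerName
            Member   = $account
            Sid      = $sid.Value
            Resolved = $resolved
        }
    }
}

$report = foreach ($server in $servers) {
    try {
        $members = @(Get-LocalGroupMembership -ComputerName $server -GroupName $localGroup)
        [pscustomobject]@{
            Computer          = $server
            HasExpectedGroup  = [bool]($members | Where-Object { $_.Member -eq $expectedGroup })
            UnresolvedMembers = @($members | Where-Object { -not $_.Resolved } | ForEach-Object { $_.Sid })
            Error             = $null
        }
    } catch {
        # An unreachable server or a missing group is reported, not skipped,
        # so the audit output covers every host in the list.
        [pscustomobject]@{
            Computer          = $server
            HasExpectedGroup  = $false
            UnresolvedMembers = @()
            Error             = $_.Exception.Message
        }
    }
}

$report | Format-Table Computer, HasExpectedGroup,
    @{ n = 'UnresolvedMembers'; e = { $_.UnresolvedMembers -join ', ' } }, Error -AutoSize
```

Run it from an account that can read the remote SAM (a DomainB administrator). A server that lists the expected group with `Resolved = False`, or shows a raw `S-1-5-21-...` entry in `UnresolvedMembers`, is one where the trust or name resolution needs attention before any Group Policy change will behave as expected.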







 
Ace Fekay [MVP-DS, MCT]
01-10-2010, 04:59 PM

"SMCook99" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> ---------------------------------------------------------------
> Resolved by you!
> I didn't try your suggested steps; as soon as you mentioned restricted
> groups I created one and voilà, it worked! I will now return to all the
> other forums (included social.technet.microsoft.com) and update my
> threads with the solution, thank you very much! I have a few closing
> questions if I may...



I'm glad I was able to help. :-)


> 1.Is restricted groups the proper solution or should I not have to use
> them in this scenario and I'm still missing something?


That's what I would use. It's consistent and no one can change it, which
offers security.


> 2.What command should I have used to verify if the GlobalGroup was part
> of the local group? Please expand on "
> For starters, verify that the domainB's Remote Desktop Users group is
> actually added to DomainB's member servers groups."


You simply open up the local group's properties on the member servers and
view the membership.

The Foreign Securities link I gave you should give you more info on this.

>
> I know I can use "net localgroup" to list members of local groups and
> "net group" to list members of the domain group which I just now
> realized that everything in the "Builtin" folder is a "localgroup" and
> every security group in "Users" is a domain group. However this is the
> first I've ever heard there being a distinction. Can you expand on
> this? What is the effective difference on member servers of
> Administrators vs Domain Admins <as set on the DC in Domain Users and
> Computers?


On non-domain controllers, local groups are stored in the SAM database of the
member (or standalone) machine. They have nothing to do with Domain Local
Groups, which are specific to a domain.

This comes down to basic understanding of the AGUDLP method. Add users to a
Global Group, add the Global Group to a Universal Group, add the Universal
Group to a Domain Local group that you've added to a resource such as a
share or printer, then apply permissions to the Domain Local Group. By the
mere fact that the Domain local Group has the permissions to the resource,
the user accounts will get those permissions from the nesting.

In the case of a right (the ability to do something on a local machine, such
as log on, change the time, change permissions on objects, etc.), such as the
right to log on using Terminal Services, you have to use the machine's
local group (which has nothing to do with the domain's local group). In this
case, you have to add the Universal or Global group to the machine's local
group.

Read more on groups:
Active Directory Users, Computers, and Groups
"You can make foreign security principals members of domain local groups ...
also briefly described to clarify the difference between the two group types. ..."
http://technet.microsoft.com/en-us/l.../bb727067.aspx

> Again, thank you very much!


You are welcome!

Ace





>
>
> --
> SMCook99
> ------------------------------------------------------------------------
> SMCook99's Profile: http://forums.techarena.in/members/172507.htm
> View this thread: http://forums.techarena.in/server-ne...ng/1291664.htm
>
> http://forums.techarena.in
>
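An added example, not from the thread, for the Restricted Groups setting that resolved this. Restricted Groups is stored in the GPO's security template, GptTmpl.inf (under the policy's Machine\Microsoft\Windows NT\SecEdit folder in SYSVOL), as a [Group Membership] section, and there are two different line forms: a `__Members` line makes the named group's membership exactly the listed set on every policy refresh (anything added by hand on a server, as was done in System Properties here, is removed), while a `__Memberof` line adds the named group to the listed groups and leaves their other members alone. The script below parses a constructed template and classifies each non-empty entry, so you can see which local groups a policy will overwrite before enforcing it on 200 servers. The S-1-5-21-* domain SIDs in the sample are placeholders; S-1-5-32-555 is the well-known SID of BUILTIN\Remote Desktop Users.

```powershell
# Added example (not from the thread). Parses the [Group Membership] section
# of a GPO security template (GptTmpl.inf) and classifies each Restricted
# Groups entry: "__Members" lines replace the target group's membership with
# exactly the listed accounts, "__Memberof" lines only add the named group to
# the listed groups. The template below is constructed; the S-1-5-21-* domain
# SIDs are placeholders and will not resolve on your machine.

$templateText = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-21-1111111111-2222222222-3333333333-512
*S-1-5-21-4444444444-5555555555-6666666666-1204__Memberof = *S-1-5-32-555
*S-1-5-21-4444444444-5555555555-6666666666-1204__Members =
'@

function Resolve-TemplatePrincipal {
    param([Parameter(Mandatory)][string]$Entry)
    # In GptTmpl.inf a leading '*' marks a SID; entries without it are names.
    if (-not $Entry.StartsWith('*')) { return $Entry }
    $sidText = $Entry.Substring(1)
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Unknown or foreign SID: keep the raw value so the report still shows it.
        $sidText
    }
}

function ConvertFrom-RestrictedGroups {
    param([Parameter(Mandatory)][string]$IniText)
    $inSection = $false
    foreach ($rawLine in ($IniText -split "`r?`n")) {
        $line = $rawLine.Trim()
        if ($line -match '^\[(?<section>.+)\]$') {
            $inSection = ($Matches.section -eq 'Group Membership')
            continue
        }
        if (-not $inSection -or $line -eq '') { continue }
        if ($line -match '^(?<id>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<list>.*)$') {
            # Copy the captures before any later -match overwrites $Matches.
            $id   = $Matches.id
            $kind = $Matches.kind
            $list = @($Matches.list -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($list.Count -eq 0) { continue }   # nothing listed, nothing to report

            if ($kind -eq 'Members') { $effect = 'REPLACES membership with' }
            else                     { $effect = 'ADDED as a member of' }

            [pscustomobject]@{
                Group   = Resolve-TemplatePrincipal $id
                Effect  = $effect
                Targets = ($list | ForEach-Object { Resolve-TemplatePrincipal $_ }) -join '; '
            }
        }
    }
}

ConvertFrom-RestrictedGroups -IniText $templateText | Format-Table -AutoSize
```

On the constructed template the first reported entry says that BUILTIN\Remote Desktop Users will have its membership replaced by the two placeholder domain SIDs, and the second says that the 1204 placeholder group is added to BUILTIN\Remote Desktop Users without touching anything else. Because the template carries SIDs rather than names, a group from a trusted forest can be written into a member server's local group even when that server cannot resolve the name, which matches the foreign security principal behaviour discussed in the thread; for the nesting on the domain side, only domain local groups can hold foreign security principals, as the TechNet link above states.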




 