Discussion:
[Samba] Remote Desktop Users Group not working??
Martin Juhl
2016-03-02 15:40:02 UTC
Hi

I have set up a Samba AD and connected a Windows 7 machine to the AD...

I'm having problems getting the Remote Desktop Users group to work...

[***@bart private]# samba-tool group addmembers "Remote Desktop Users" mj
ldb_wrap open of secrets.ldb
Added members to group Remote Desktop Users


[***@bart private]# samba-tool group listmembers "Remote Desktop Users"
ldb_wrap open of secrets.ldb
mj


Still I get the

"To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop User group does not have this right, you must be granted this right manually."


If I add the user to the Domain Admins group, I have no problem logging on through Remote Desktop....

I have also connected a Linux machine to the Domain through SSSD and the AD connector... And it cannot see the Remote Desktop Users group...

It seems like this is a problem with the Builtin groups???

[***@lisa shared]# id mj
uid=1141201110(mj) gid=1141200513(domain users) grupper=1141200513(domain users)


Any ideas???

Regards

Martin
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2016-03-02 16:00:02 UTC
Hai,

You must have missed something..

I did it as follows in the GPO settings.

I created a "DOMAIN\Allow-RDP" group in the AD. Added users to this group.

In the GPO, I used "default computer"
Policies - Windows settings - security settings - Restricted groups.
Here add your DOMAIN\Allow-RDP to the Remote Desktop Users.
And
- Windows settings - security settings - System Services,
Remote Desktop Services, set to Automatic startup.

Administrative Templates -
Windows components/Remote desktop services/Host external desktop session/ connection.
"Allow users to connect to Remote Desktop."


Reboot the PC.

Try again, this should work.

This : samba-tool group addmembers "Remote Desktop Users" mj
will not work, so yes, this is correct.

This might work:
samba-tool group addmembers "BUILTIN\Remote Desktop Users" "DOMAIN\mj"
or
samba-tool group addmembers "BUILTIN\Remote Desktop Users" "mj"
or
samba-tool group addmembers "BUILTIN\Remote Desktop Users" "***@YOUR.DOM.TLD"

Keep notice of "BUILTIN" and "DOMAIN ( YOUR.DOM.TLD )"
They are very different things..

Ow and one extra thing.

In samba set:
winbind expand groups = 4
The number is the depth of the groups, the higher the number the slower the auth check.

Greetz,

Louis
Martin Juhl
2016-03-02 16:40:02 UTC
Hi

My next try is to create the group myself, but the point here was that the Builtin group created by the provisioning of Samba, doesn't work...

/Martin

Sébastien Le Ray
2016-03-02 16:40:02 UTC
Hi,

If I'm not mistaken, the Remote Desktop Users is a local group. So as
Louis said, you'll have to create a domain group that will be added to
the local group on each machine through GPO

Regards,
Marc Muehlfeld
2016-03-02 17:00:01 UTC
Post by Sébastien Le Ray
If I'm not mistaken, the Remote Desktop Users is a local group. So as
Louis said, you'll have to create a domain group that will be added to
the local group on each machine through GPO
That's right. And if you're looking for an easy way to put your domain
group into some/all workstations' local Remote Desktop Users group:
https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups



Regards,
Marc
Sébastien Le Ray
2016-03-02 17:10:02 UTC
I quickly read the wiki page but cannot find the mention, so let's
explicitly state it: please note that local group names are localized,
so you'll have to have an entry per OS language in your company
(needless to say but better when said)

Regards
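An added example, not part of the thread or of the Samba wiki: a Python check of a GPO security template (GptTmpl.inf) that lists which members the Restricted Groups policy puts into the local Remote Desktop Users group. It separates entries keyed by the well-known SID S-1-5-32-555 from entries keyed by a display name, which is where the localization point raised above applies. The template text, the EXAMPLE domain and all SIDs are constructed placeholders.

```python
import re

# Well-known SID of the machine-local BUILTIN\Remote Desktop Users group;
# it is identical on every Windows language edition.
RDP_USERS_SID = "S-1-5-32-555"

# Constructed sample of a GptTmpl.inf security template (placeholder values).
SAMPLE_INF = """\
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
Remote Desktop Users__Members = EXAMPLE\\Allow-RDP,EXAMPLE\\helpdesk
[Version]
signature="$CHICAGO$"
"""

# "<group>__Members = a,b" or "<group>__Memberof = a,b"
KEY_RE = re.compile(
    r"^(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<vals>.*)$", re.I)

def restricted_groups(inf_text):
    """Return {group: [members]} from the [Group Membership] section."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = KEY_RE.match(line) if in_section else None
        if m and m["kind"].lower() == "members":
            vals = [v.strip() for v in m["vals"].split(",") if v.strip()]
            groups.setdefault(m["group"].strip(), []).extend(vals)
    return groups

def audit_rdp(inf_text):
    """Split entries into SID-keyed RDP grants and name-keyed groups."""
    by_sid, by_name = [], []
    for group, members in restricted_groups(inf_text).items():
        if group.lstrip("*").upper() == RDP_USERS_SID:
            by_sid += members          # language-neutral grant
        elif not group.startswith("*"):
            by_name.append((group, members))  # matches by display name only
    return by_sid, by_name

if __name__ == "__main__":
    sid_members, named = audit_rdp(SAMPLE_INF)
    print("RDP grants keyed by SID:", sid_members)
    print("Groups keyed by display name:", named)
```

Name-keyed entries are reported for every group, not only Remote Desktop Users, because the script cannot know which localized names refer to that group.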