| Author | Messages | |
waynemcgowan
Posts:1
 | | 02/12/2010 4:49 PM |
|
Hi,
Hope someone can help me with this issue. I need to add all domain users to the remote desktop users on all the network computers (just the desktop computers). I am using restricted groups and was able to get the local administrator and Power user to work.
Thanks
Wayne
| | | |
| DarraghOShaughnessy
Posts:161
 | | 02/12/2010 4:51 PM |
| This should be very straightforward.
1) Just create a restricted group called 'Domain Users' and add the 'Remote Desktop Users' to its 'memberof' field. Apply that GPO to only desktop machines.
or
2) Alternatively, do the reverse and create a restricted group called 'Remote Desktop Users' and specify all the groups you want to be members in the 'Members' field.
Warning: Do not apply these policies to Domain Controllers or you will have unexpected results. Also, do not specify both the 'members'/'memberof' in the same GPO. You can specify them in different GPOs though.
Regards,
Darragh O'Shaughnessy
IT Services Department
E-Mail: xxxxxxxxxxxxxxxx <mailto:xxxxxxxxxxxxxxxx>
Ext: 2562
Direct Dial In: 01-7994028
Web Site: www.vhi.ie
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of wayne mcgowan
Sent: 11 February 2010 01:03
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] Restricted Groups
Hi,
Hope someone can help me with this issue. I need to add all domain users to the remote desktop users on all the network computers (just the desktop computers). I am using restricted groups and was able to get the local administrator and Power user to work.
Thanks
Wayne
| | | |
| jsclmedave
Posts:67
 | | 02/12/2010 4:51 PM |
| What exactly did you do to fix your issue?
Tim Bolton 148 2nd Street North Central City Iowa, 52214
Microsoft Certified IT Professional
Blog - Http://timbolton.net/
On Thu, Feb 11, 2010 at 11:00 AM, wayne mcgowan <xxxxxxxxxxxxxxxx> wrote:
> Thanks, I found my setup problem, it works fine now. Do you know of a
> different value I can use for local power users? It seems to work fine on
> English OS, but doesn't work on French OS. The local admin and remote desktop
> users work fine on both.
>
> Thanks
> Wayne
>
> ------------------------------
> Date: Thu, 11 Feb 2010 15:33:05 +0000
> From: xxxxxxxxxxxxxxxx
> Subject: RE: [gptalk] Restricted Groups
> To: xxxxxxxxxxxxxxxx
>
> What group is 'remote users'??
>
> Is that a domain group you must prefix it with the down-level domain name.
> Local group nesting is not allowed
>
> Regards,
> Darragh O'Shaughnessy
> IT Services Department
>
> From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of wayne mcgowan
> Sent: 11 February 2010 15:31
> To: xxxxxxxxxxxxxxxx
> Subject: RE: [gptalk] Restricted Groups
>
> I know this should be simple, I have done it many times in the past on
> different networks. But the issues I see using Windows 2003 R2 and WinXP
> clients.
>
> So I move all the computers to a new OU, then from there I do the
> restricted group thing as below. It works somewhat for local admins and
> power users. But for remote desktop users it doesn't work at all.
>
> Here are the errors from winlogon from the clients:
>
> Configure remote users.
> Error 1332: No mapping between account names and security IDs was done.
> No system mapping was found for remote users.
> Configure Power Users.
> Aliases cannot be members of other groups.
> Configure Administrators.
> Aliases cannot be members of other groups.
> Group Membership configuration was completed with one or more errors.
>
> Thanks
> Wayne
>
> ------------------------------
> Date: Thu, 11 Feb 2010 08:37:46 +0000
> From: xxxxxxxxxxxxxxxx
> Subject: RE: [gptalk] Restricted Groups
> To: xxxxxxxxxxxxxxxx
>
> This should be very straightforward.
>
> 1) Just create a restricted group called 'Domain Users' and add the
> 'Remote Desktop Users' to its 'memberof' field. Apply that GPO to only
> desktop machines.
>
> or
>
> 2) Alternatively, do the reverse and create a restricted group
> called 'Remote Desktop Users' and specify all the groups you want to be
> members in the 'Members' field.
>
> Warning: Do not apply these policies to Domain Controllers or you will have
> unexpected results. Also, do not specify both the 'members'/'memberof' in the
> *same* GPO. You can specify them in different GPOs though.
>
> Regards,
> Darragh O'Shaughnessy
> IT Services Department
>
> From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of wayne mcgowan
> Sent: 11 February 2010 01:03
> To: xxxxxxxxxxxxxxxx
> Subject: [gptalk] Restricted Groups
>
> Hi,
>
> Hope someone can help me with this issue. I need to add all domain users to
> the remote desktop users on all the network computers (just the desktop
> computers). I am using restricted groups and was able to get the local
> administrator and Power user to work.
>
> Thanks
> Wayne
| | Tim Bolton | |
| CraigBuonora
Posts:9
 | | 02/12/2010 4:54 PM |
| In reference to the restricted groups question, is there a configuration that allows you to add groups with this policy but not remove any already present in the given local group? This used to be an issue, but I have not looked into it recently.
Thanks.
-- Regards,
Craig M. Buonora SABIC Innovative Plastics CompuCom Systems, Inc. Senior Networking Specialist Operational Leader - Datacenter Team
1 Plastics Avenue Building 59 Pittsfield, MA 01201
T 413.448.6902 D *838-6902 E xxxxxxxxxxxxxxxx
www.sabic-ip.com
| | | |
|
|
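Added example, not part of the thread and not code from any of the posters: a small Python audit of the `[Group Membership]` section of a GPO's `GptTmpl.inf`, where Restricted Groups settings are stored. It flags the three conditions raised above: a group keyed by name instead of SID (a name that does not resolve on the client produces error 1332, and built-in group names are localized while their SIDs are not), Members and Memberof both populated for one group in the same GPO, and a built-in local group nested in another group. The domain SID, the `EXAMPLE\` names and the finding labels are constructed for illustration.

```python
import re

# Constructed GptTmpl.inf excerpt (placeholder domain SID and names, not from the thread).
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_INF = f"""\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *{DOM}-513
Power Users__Members = EXAMPLE\\Desktop Support
*S-1-5-32-544__Members = *{DOM}-512
*S-1-5-32-544__Memberof = *S-1-5-32-547
remote users__Members = EXAMPLE\\Domain Users
"""

ENTRY = re.compile(r"(.+?)__(Members|Memberof)\s*=\s*(.*)$", re.I)


def parse_group_membership(text):
    """Return {group: {"members": [...], "memberof": [...]}} for the section."""
    groups, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = ENTRY.match(line)
        if in_section and m:
            values = [v.strip() for v in m.group(3).split(",") if v.strip()]
            groups.setdefault(m.group(1).strip(), {})[m.group(2).lower()] = values
    return groups


def audit(text):
    """Flag entries matching the problems discussed in the thread."""
    findings = []
    for group, fields in parse_group_membership(text).items():
        members, memberof = fields.get("members", []), fields.get("memberof", [])
        if not group.startswith("*S-1-"):
            # A name must resolve on every client; localized or mistyped names give error 1332.
            findings.append((group, "name-not-sid"))
        if members and memberof:
            findings.append((group, "members-and-memberof"))
        if group.startswith("*S-1-5-32-") and memberof:
            # A built-in local group (alias) cannot be made a member of another group.
            findings.append((group, "local-group-nested"))
    return findings


if __name__ == "__main__":
    for group, issue in audit(SAMPLE_INF):
        print(f"{issue:22} {group}")
```

The well-known SIDs used are S-1-5-32-544 (Administrators), S-1-5-32-547 (Power Users) and S-1-5-32-555 (Remote Desktop Users); RID 513 is Domain Users.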