This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I've spent the past 40 hours trying to figure out what's causing this, so far no luck, I've head dozens of articles & different questions of this topic and not a single one has helped with this... Just showing the problem isn't going to help because I've done the same as everyone else, so I'll try to explain what I've done so if maybe I've missed something then someone can point it out.
I make a new Organizational Unit called "Staff" under my forest.
Then I make a security group called "Managers" & add a user under this group called "Ty".
Then I go to the "Group Policy Management" tool (gpmc.msc).
I right click the "Staff" unit, then "Create a GPO in this domain, and link it here" called "Manager Policy".
I click the new GPO, go to the Delegation tab, select advanced, then select "Authenticated Users", I keep read on but remove the tick from "Apply group policy".
Then I add the "Managers" group and check "Apply group policy" for it.
Now I right click the "Manager Policy" and select Edit.
I navigate to "User Rights Assignment" under "Computer Configuration" and define "Access this computer from the network" with "Everyone" & "Allow log on through Remote Desktop Services" with "HORIZONS\Managers".
Once I have added the Policies, I open the command prompt and type "gpupdate /force".
Then I check to see if its applied using "gpresult /r /scope computer" which displays that the GPO has not been applied.
& to double check I try logging into the account in which I receive "The connection was denied because the user account is not authorized for remote login.".
What am I doing wrong or missing? I've spent too long trying to do something that should be so straightforward...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
1,Make sure that the server is in the "Staff" OU you created before.
For example, i want to apply policy to server1, and the server1 is in the OU named "SERVERS"
2,Then i have to link the GPO on the OU "SERVERS" containing the SERVER1.And make sure the permissions delegated rightly.
Okay, so following this, now when I run gpresult it states that it is applied :)
I then remade the user in the "Domain Controllers" that was with the computer, I couldn't add the ALPHA computer into staff since it already exists in Domain Controllers.
I ran gpupdate /force on admin and tried logging in, it still fails to connect to RDP, I don't know what it is, heres what I have so far.
Hi,
I think i figured out why the group policy didn't apply.
Before going further, we’d better confirm the difference between Computer Configuration and User configuration.
Computer Configuration in Group Policy is applied to computers, regardless of who logs on to the computers.
User Configuration in Group Policy is applied to users, regardless of which computer they log on to.
Computer Configuration
http://technet.microsoft.com/en-us/library/cc736413(v=ws.10).aspx
User Configuration
http://technet.microsoft.com/en-us/library/cc781953(v=ws.10).as
As you mentioned above ,the policy "User Rights Assignment" is a "Computer Configuration" it can be only linked to OUs containing computer objects.
But the Organizational Unit called "Staff" contains no computers. So the policy would not apply.
And in the security filter, if you remove the apply permission for the authenticated users , we have to put the computers (not users) into one security group and give it read and apply permission.
Or keep the authenticated users read and apply permission, then you don't need to add any groups into the security filter.
Last ,since it is a computer policy , when you update the policy by command , run the command as administrator ,or restart the computer.
Hope it would be helpful.
Best Regards,
Thankyou for the reply @Fan Fan
So I decided that applying the GPO's to the computer would be easier if not better than applying them to the user groups them selves.
So I started off by making a Security group called "Computers" I added the server thats running "ALPHA" to this group, I then added "Authorized Users" back to the the applied under delegation, removed managers from the delegation & added "Computers" with applied checked to the delegation, I ran gpupdate /force with administrator on the console, ran the gpresult and got the same answer as earlier, also tried logging in which also failed.
Really confused with all this...
you said that you did add the server "ALPHA" as a member of the security group "Computers", but, the gpresult does not reflect this.
Did you restart the server "ALPHA" after adding the group?
Computers don't recheck their group memberships until a reboot...
Users don't recheck their group memberships until a logoff/logon...
Thanks, I'll try this when I reattempt this method :)