Media Center extender fails when joined to a domain controller
I have a home Windows 2003 Server with an AD domain controller. I also have a Vista Ultimate Media Center with two XBOX 360's MC Extenders hanging off (note: i don't like or play video games -- just use them as MC extenders). Previously, my MC was not a member of my home domain controller, but for obvious reasons, I've wanted to add it. So when I added the MC to the domain, the XBOX 360 extenders could no longer connect to the MC. So I dropped the extenders, and re-added them. When adding the extender, it failed on the 5th checkbox (“connecting to the extender” step). "Extender Did Not Connect" error message. Looking at various internet blogs, during this step the extender is trying to connect to the MC PC with the MACHINE\MCX1 local account – which is a local machine account. Now that the MC PC is part of a domain, apparently connecting with MACHINE\MCX1 fails. So I was stuck.
Great news -- figured out a solution for this. The reason the XBOX extender cannot connect back to the MC is indeed due to it trying to use MACHINE\MCX1 and failing. This is a special account that all extenders will use -- and you can't change it. The reason it fails is RDP. Before joining the domain, I could RDP to the MC with the MCX1 account (or any local machine account), but after joining, I can't. Turns out the extender uses a derivative of RDP to connect to the MC, so that's the problem. On the MC box, MCX1 is added to the remote desktop users list in ControlPanel-->System-->Remote, so that wasn't the problem. The problem is that if you look at the LocalPolicy on the MC box (control panel --> administrative tools --> local security policy --> local policy --> user rights assignment --> allow logon through terminal services), the "allow logon through terminal services" policy doesn't have "Remote Desktop Users" in the list. My AD domain is a basic default domain with no special policies set. However when I joined the MC machine to the domain, it removed "Remote Desktop Users" from this policy, and also disabled the "Add User or Group" button to allow me to re-add it. Without this group in the permission list, MCX1 cannot RDP to the MC box from the XBOX extender.
Solution is to edit the domain policy on the domain controller. I edited the "allow logon through terminal services" policy for both the default domain policy and default domain controller policy. I added "Remote Desktop Users" group to the list on the domain, then I did a "gpupdate /force" on both the domain controller and the MC box. After gpupdate, I logged out of the MC box and logged back in. When back into local policy to see if the "Remote Desktop Users" was in the list -- and it was. Once that shows up in the list, now any user in that group can RDP. The extenders now work again!