Hello,

I'm using these groups:

• in domain.tld is a local group "RDP-Users" wich allows access to the RDP-Server and the RDP-GW (both server are in this domain too)
• in sub.domain.tld is a global group "Department A"

I can connect to the RDP-Server directly with a user from sub.domain.tld. This works as expected. But if I try to use the RDP-GW, I get an error that the user has no permission to use it. If I convert the scope of "RDP-Users" to universal it works. The same happens, if I add the users from sub.domain.tld directly to the group "RDP-Users".

Why can't the RDP-GW handle the permission if the group scope is local?

Regards,
Dennis

Hi everyone!  I should start by saying that I've found a number of threads which are semi-related to this topic, but they just don't seem to address my particular complaint.  I'm not sure if this is a bug, a configuration error on my part, or if it is expected behavior (which would be unfortunate for my intended use cases).

The issue is that I need to provide two separate collections of RemoteApps, and I only want the collection appropriate to the logged-in user to be displayed in Web Access (or in the feed, for that matter).  One collection includes an expansive set of RemoteApps, and the other collection includes a limited subset of those published in the first.

Now, I know that a SH can only belong to one session collection.  That makes sense, and in my case, I wouldn't want it any other way.  It offers better separation between the user environment intended for use by employees, and the user environment intended for use by non-employees, which is a bit more restrictive.  (Those are the actual purposes of the two collections described earlier.)  So far, so good.  Now, it seems to me like every other role beside the SH role should be able to do its job for all collections.  What other purpose could the concept of a "Collection" possibly serve, after all?  If I had to stand-up Connection Broker, Web Access, Gateway, and Session Host for every collection of RemoteApps, then there wouldn't need to exist any concept in RDS 2012 R2 called "Collections".  So, I figured that Connection Broker, Web Access, and Gateway could serve all collections, and Session Host is of course limited to serving one single collection.  And, I guess, that's largely the way it works, with one exception.

My issue is that in Web Access, all RemoteApps from all published RemoteApp collections are presented to every user who has access to one collection OR the other, despite my best intentions of having provisioned each collection with seprate user group assignments using two separate AD groups.  I don't want to advertise all RemoteApps from all collections in the Web Access namespace!  To me, the presence of "User Group" configuration at both the Collection level and at the RemoteApp level implies that there is some user group filtering going on, but so far that's looking like a false assumption.  Why would the RemoteApp list in one collection bleed into the RemoteApp list in the second collection?  Why would I want the users of one collection to see the applications of the other, even when they're not going to be able to launch them anyway?

Does anyone have anything to add to the equation?  Is there something I'm missing?  Thanks ahead of time.

Hi,

Have some problems with manager. It used to work, but suddenly I can't connect to local server.

Get this error:

"The RD Gateway Managment snap-in console cannot connect to the server. To connect to this server, you must be a memeber of the local administrators group on the server."

The user account that i'm using is a member of the local administrator group.

Any ideas?

The RDS server is a Win2012 server. The AD server is a win 2008 R2 server.

Thanks

\Kent

Using 2012 Remote Desktop Web access to gain access to published applications. The workstation was a Windows 8.1 (home) upgraded to Windows 8.1 Pro with the Media Center add on. Launching the url to the login page for the RDW works fine. When the app is clicked on to launch the Remote App crashes. How do I get it to properly connect. Other Windows 8.1 pro workstations work. Although none were upgraded from the 8.1 (home) Here is the event.

Faulting application name: mstsc.exe, version: 6.3.9600.16384, time stamp: 0x5215e2b5
Faulting module name: ntdll.dll, version: 6.3.9600.17031, time stamp: 0x530895af
Exception code: 0xc0000005
Fault offset: 0x0000000000065e8e
Faulting process id: 0xab4
Faulting application start time: 0x01cf5f2ed029e83f
Faulting application path: C:\Windows\System32\mstsc.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 21a471d6-cb22-11e3-8263-a0886933dd25
Faulting package full name:
Faulting package-relative application ID:

Hello Everyone,

I have a RDS implementation working with 2012r2 in a domain A.
Users from domain B (With an external two-way non-transitive trust with A) can access, log-in, use remoteapps, rds sessions, etc..

The problem is when I enable the RDWeb password reset feature. For example, taking 2 users with the "User must change password at next logon" option enabled:
If the user is from domain A, I get prompted to change the password and it works great.
If the user is from domain B, I get prompted to change the password, but after writing the new password it says that the user name or password is not valid.

Any clues?

I found this issue that I don't know if it's somehow related
http://social.technet.microsoft.com/Forums/en-US/cf14fc3e-2a4a-4f4e-8dd6-fed2ecdf7d7b/cross-forest-password-reset?forum=ilm2

Thanks

I have windows server 2008r2 remote desktop environment. All my users stuck at Applying User Setting after login. I disabled remote desktop network interface for some time, then enabled and all fine. Checked logs in detail and nothing unusual found.

Could anyone assist to avoid recurrence of issue.

Rox_Star

Hello we are experiencing a strange problem and let me explain in detail:

Problem:

We have a remote desktop connection from a PC (PC1) to remotely login and control PC2 which in turn has some hardware devices connected via COM Port of PC2. We observed that the Serial communication between the Hardware devices and the PC2 drops on some occasions when we make a remote desktop connection to PC2 from another PC. Could  anyone share some of your experiences? Has it been noticed before?

I will also take a look at the possible port conflicts but is there any other obvious reason for this to happen?

System Information:

OS: Windows 7 Professional

Regards

Sesha

I have a user who is having RemoteApp Access Issues for a certain application.

All other users within the domain have access to the server with this application and do not have the same issues.

The server where the application is located is using Windows Server 2008 R2 Standard and the user who has issues is using a Windows 7 Professional workstation.

The user has the correct access properties on the domain controller, but I still cannot figure out why they cannot get access.

The company that makes the application stated that it has something to do with the user's profile (local on workstation), but the user has been recreated twice.

Hi,

I'm currently investigating an issue with Microsoft AX Client running on a Remote Desktop Session Host Server 2012.

The issue doesn't happen to all users (or at least hasn't yet). But what appears to happen is we get the application hot-keys open stay on persistently. I've not been able to understand from the users yet if they are doing anything in particular to cause this, but it appears to just come on randomly. Then sort it'self out.

Client computers are fully patched Windows 7 clients.

Just wondered if anyone had seen this behaviour before?

Regards,

Denis Cooper

MCITP EA - MCT

Help keep the forums tidy, if this has helped please mark it as an answer

Hello, we are using Server 2008 SP1. Some of our users are having a problem using the RDP shortcut icons for our software. When trying to connect using the icons, they get a "Cannot quit visual fox pro" error, which is what the software we use is based on. We tested the icons by creating a remote app for Calculator on one of the servers. After successfully logging in with the shortcut, the app just crashes and disappears.  Almost all of out icons are having this problem. However, we are able to have users successfully log into the server itself and run the software from there with not issues so far. Really looking for some help on why the RDP icons are crashing. Hotfix, uninstall update, anything.

Thanks

Hello,

I installed a RDS farm in Windows 2012 R2 with 1 server acting as RDS Broker and WebApp, and 3 RDS Hosts. When we access the webapp site using the alias rds.company.com there is no warning with the certificate (internal CA). When we access a desktop by clicking in the collection name, there is a first warning like this:

And then one like this:

How do I make this messages disappear? Why is not trusting the certificate if it is trusting it for the web site?

Thanks in advance

Regards

IT Support / Administrator

I am trying to print a document to a redirected printer using remote desktop over a vpn.  The server is running Win server 2008 R2.  The pirint failed and the following error message was in it's event log.

Anny ideas why this has happened and how do I fix it.

The document Microsoft Word - 201106202009 - D23 - xxxxxxxxxxx, owned by xxxx, failed to print on printer HP LaserJet 1200 Series PCL 6 on PERRY (redirected 4). Try to print the document again, or restart the print spooler.
Data type: RAW. Size of the spool file in bytes: 4549. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client computer:\\MYSERVER1. Win32 error code returned by the print processor: 5. Access is denied.

Hello experts,
I am trying to create a batch file that I can use to install MS Office 2013 and another software on Windows Server 2003 R2, Windows Server 2008 R2, and Windows Server 2012 terminal servers (Remote Desktop Services) via GPO. The installation files are NOT "msi" files.  Can you please tell me how I can use command line in a batch or script file to determine if a machine is a terminal server or not? I tried the Change user /query command on a Windows Server 2008 R2 terminal server and a Windows 7 machine and both machines returned the following status

Application EXECUTE mode is enabled.

which will be a problem because the installation batch file would treat the Windows 7 machines as a terminal server when it's not really a terminal server.

Basically, I want the batch file to check to determine if the machine is a terminal server. If it is a terminal server, then it would run change user /install, install the software, reboot server, then run change user / execute.  Your help will be greatly appreciated.

I've set up an RDS 2012 R2 host farm, but have problems.

When I try to log on from an outside client, then I get this error...

"An authentication error has occurred (Code: 0x607)"

I've tried google it, but without any result.

Any idea how to fix this?

I have to say that this is probably the most frustrating thing I have ever worked on. I cannot remember having spent so much time over something that (in my opinion) should be easy.

As of now, i have Server1 which is the RD Broker, Web Access and Licensing server. Server2 is the RD Session host. More session hosts will be added in the future.

What i basically want is a session collection to which users can connect to, either by RDP directly or launch their Remote Apps that are either published on computer clients in the domain by Group policy, or via RD Web Access.

As i have understood, the redirection to the session collection is a bit different in 2012. In stead of creating a DNS zone for the session collection farm name with all the session hosts in it, you put the broker into the zone and then let it handle all the redirection to the different hosts. Ok, that sounds all nice, easy and dandy.

So through Server Manager on Server1 i create my session collection, set my public certificate that matches the farm and dns name and add my session host. Does it work? No.

I guess Microsoft failed to mention that you have to modify the registry on the broker to tell the RDP client to which session collection it should be redirected to, or else it will just try to connect directly to the broker. Or am i just not good enough when it comes to searching in Microsoft's seemingly endless maze of links to different topics on technet? Anyway, i did that and redirection worked with the RDP-client. 

And this is where my first problem came up. When connecting to the session collection with an RDP-client, i get the infamous certificate error, because of missmatch between the names of the session collection and the host name of Server2, my session host. But why? Is it not supposed to take care of this for me when i add my session host to the session collection via Server Manager on Server1? Well, if so - it doesn't. So i have to log on to my session host, import the public certificate for my session collection and set it on the RDP-Tcp listener. NOW, redirection to my session collection works without any certificate errors. Great.

Next i added my first Remote App through the Server Manager on Server1. The application itself is actually on Server2. And this is where my real headache starts.

Upon launching the Remote App i get a certificate error because of the mismatch between  the session collection name and the host name of my session host, Server2. But..i set the certificate on the listener, right? Yes, but the path to the Remote App is \\Server1\c$\foldername\software.exe - so when launching the remote app it still uses the host name of Server2, but since i have changed the RDP-Tcp listener, i now get a certificate missmatch again. This time, only when launching remote apps. An easy way to do this would be to change the path to the remote app to \\dns-name-of-session-collection\c$\foldername\software.exe". But i cannot do that, because my broker is the only one supposed to respond to that name since it is the one handling all the redirection.

I won't bother telling what i have tried, but i have lost track of the hours and days i have spent on this problem. But i can mention that through the entire process, SSO on the RD Web Access has not worked either, no matter what i have tried. What i am doing wrong?

The way i see it, i only have two options into solving the problem with the remote apps now. 

1. Create a secondary RDP-Tcp listener on the session host on a different port, and the publish my remote apps on this port. Is this possible in 2012 R2 by the way? Can i set custom ports on the remote apps within a session collection?

2. Probably the most viable solution. Buy a new, public wildcard certificate for the domain and set it on the listeners for all the involved servers. And then an additional DNS zone for my session hosts, so i can set a "common" path for the Remote Apps to avoid the certificate error.

I have a coupe of VMs created an listed in Hyper-V manager, one sysprepped, one not, however, when I go to create a new virtual desktop collection in RD Services, when I get to 'Specify the virtual desktop template' no templates are listed.

Following advice from other similar problems I've seen, I've removed and re-installed both the RD Virtualisation Host role and the entire RD Services function a couple of times with no success. All other aspects of RD seem to work fine, I have a session collection already up and running and the two VMs work fine from Hyper-V Manager.

Server 2012R2, all the roles are installed on a single server which is also the network DC, no obvious (to me!) problems in the event logs.

Any ideas of how to fault-find this problem?

Scenario:

Windows 7 laptop in a Windows Domain environment is attempting a straight RDP session to a non-Domain Windows server 2008 R2. Laptop (System A) gets rejected every time using correct local Administrator account and verified correct password on non-Domain Windows 2008 R2 server (System B)

Any ideas or scenarios that may cause this kind of behavior (other than bad password which has been totally eliminated as a variable)???

Facts:

I can remotely log in to (System B) using LogMeIn and the Administrator account and password referenced above. I can also log in to (System B) from another non-Domain (System C) server using same credentials as above, without any problems. (System B) has NO GPO's applied (verified by GPRESULTS) but I cannot speak to (System A). Owner of (System A won't help out anymore so I need some possible ideas or things thatmay cause this kind of behavior)

User who has problem claims to also be able to log in to (System B) from a non-Domain Linux and Mac OSX box.

Error message seen in Windows Event Log:

When I log into an RDS server from a thin client I'm receiving the following error message:

System log generated
Warning Event 1130 on server2012-rds

For more information see http://www.eventid.net/display.asp?eventid=1130&source=Microsoft-Windows-TerminalServices-RemoteConnectionManager

Log: System
Type: Warning
Event: 1130
Alert Time: 2014-04-23 14:23:28Z

Event Time: 09:22:02 PM 23-Apr-2014 UTC
Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
Category: None
Username: N/A
Computer: RDS-2012.bretthauer.local
Description: The Remote Desktop Session Host server does not have a Remote
Desktop license server specified. To specify a license server for the Remote
Desktop Session Host server, use the Remote Desktop Session Host Configuration
tool.

I have the License Server set up and running, shows correct license information.  The Remote Desktop Session Host Configuration tool is not installed on the RDS server.  

What do I need to do here?

I have a couple of 2012 and 2012 R2 servers where I have enabled remote desktop.

The question is how do I control the settings for these servers? I want to for example set the idle timeout and what to do with disconnected sessions.

I have seen several posts saying that you should do it via powershell but the only applies if you have installed the rds server role on the computer. And I don't want that role on the server. I only want the administrators to be able to connect and administer the server.

I tried to set up a group policy in active directory ("Computer -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Session time limits") and set session limits but those does not seem to apply when the role isn't installed on server 2012.

I have not tested setting these options on the user part. Because I don't want to use group policy loopback if it is not absolutely required.