"Access is denied" when trying to manage remote desktop

Good afternoon -

XP Pro SP2 on the desktops -
Using Active Directory Users and Computers 2003 to administer users and desktops

Does anyone have any idea why I sometimes get an "Access is denied" error when trying to view a remote desktop using the Computer Management tool?

I have admin rights on our domain
XP SP2 firewall disabled on desktops
I am able to ping machine
Am able to connect to the remote registry on remote machine

Any ideas?

Any help is always appreciated -


0
javajo
Asked:
2 Solutions
 
Lazarus Commented:
Do the individual machines in question have Remote Desktop enabled (is "Allow users to connect remotely to this computer" checked)?
0
 
Netman66 Commented:
Several things could cause this:

1)  File and Print Sharing is not enabled.
2)  The local Group Policy element for Access this computer from the network has been changed from the default.
3)  The DNS entry for the computername is duplicated with conflicting IP addresses - this sometimes happens when a computername is changed after it has registered with DNS.  Make sure these suspect computers are registered only once in the Forward Lookup Zone and the corresponding IP address is registered once in the Reverse Lookup Zone for the subnet.
4)  The XP SP2 firewall needs to have File and Print Sharing added as an exception on the local PC that you cannot connect to - if you have the firewall enabled.  In Control Panel, double click Windows Firewall, then select the Exceptions tab, then check the File and Printer Sharing box.
5)  The account you are using or the corresponding group it's in is not in the local Administrators Group on the PC.

Advise.
0
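An added example (not part of Netman66's answer or of the thread): a short Python check for the duplicate forward and reverse records described in point 3. It assumes the zone data has been reduced to simplified `owner TYPE data` lines; the sample records and the `corp.example` names are constructed.

```python
from collections import defaultdict

# Constructed sample records (simplified "owner TYPE data" lines), not from the thread.
SAMPLE = """\
pc01.corp.example. A 10.0.0.21
pc01.corp.example. A 10.0.0.87
pc02.corp.example. A 10.0.0.22
pc07.corp.example. A 10.0.0.87
21.0.0.10.in-addr.arpa. PTR pc01.corp.example.
21.0.0.10.in-addr.arpa. PTR oldname.corp.example.
22.0.0.10.in-addr.arpa. PTR pc02.corp.example.
87.0.0.10.in-addr.arpa. PTR pc07.corp.example.
"""

def parse(text):
    """Return (forward, reverse): host -> set of IPs, IP -> set of hosts."""
    forward, reverse = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        owner = parts[0].lower().rstrip(".")
        rtype, data = parts[1].upper(), parts[2].lower().rstrip(".")
        if rtype == "A":
            forward[owner].add(data)
        elif rtype == "PTR" and owner.endswith(".in-addr.arpa"):
            # The PTR owner holds the octets in reverse order; restore the IP.
            octets = owner[: -len(".in-addr.arpa")].split(".")
            reverse[".".join(reversed(octets))].add(data)
    return forward, reverse

def find_conflicts(text):
    """List hosts with several A records, IPs with several PTRs, IPs shared by hosts."""
    forward, reverse = parse(text)
    claimed = defaultdict(set)  # IP -> hosts whose A records point at it
    for host, ips in forward.items():
        for ip in ips:
            claimed[ip].add(host)
    findings = []
    for kind, table in (("multiple-A", forward), ("multiple-PTR", reverse), ("shared-IP", claimed)):
        for key, values in sorted(table.items()):
            if len(values) > 1:
                findings.append((kind, key, sorted(values)))
    return findings

if __name__ == "__main__":
    for finding in find_conflicts(SAMPLE):
        print(finding)
```

A "shared-IP" finding is the case most likely to send a connection by name to a different machine than the one intended.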
 
joedoe58 Commented:
Hi Netman66,
Just a question regarding point 5. If the stations are members of a domain and you are a member of an Admin group, then that should be enough, is it not?
0
 
Netman66 Commented:
Normally, yes.  When a workstation joins a domain, by default the Domain Admins group gets added to the local Administrators group - however, it's not uncommon to see it removed by a savvy end user that has enough rights to be dangerous.  Another thing that can cause the group to be removed is if you implemented Restricted Groups and neglected to include the DA group in the configuration - this would be evident if you purposely were setting them up since you would be aware of any immediate change for the worse.

0
 
Jeffrey Kane - TechSoEasy, Principal Consultant Commented:
Please see my answer in this post:  http:Q_21316331.htm

That should resolve your problem.

Jeff @
TechSoEasy
0
 
javajo (Author) Commented:
TechSoEasy -

Page not found for your link.
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant Commented:
oops, it dropped the "l" http:Q_21316331.html

0
 
javajo (Author) Commented:
Thanks TechSoEasy

Actually, I'm not using terminal services - I'm trying to connect to a remote desktop through the computer management add-in within the MMC.

Any ideas?

Thanks again!


 
0
 
joedoe58 Commented:
You have to start the remote registry service if you want to connect remotely to a workstation
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant Commented:
Do you have any routers inside your network topography?  If so, port 3389 needs to be open.

Try this, just for kicks... Open Computer Management on one of the PCs, and go to Local Users and Groups.  Expand Groups, and double-click the Remote Desktop Users group.  Add your DOMAIN user name SPECIFICALLY (rather than being part of a group).  Close & log off.

Then try to connect using those credentials... if you can connect then it's something like Netman66 described above... if you still cannot connect, face northward and repeat the following words, "Mercury is in Retrograde -- weird stuff happens".  

We'll keep trying.

Jeff @
TechSoEasy
0
 
javajo (Author) Commented:
Seems like Netman66's suggestion regarding duplicate reverse lookup zone entries was the solution.

I'm noticing many duplicate entries with only one entry containing the current correct IP address.

How do I clean this up aside from going in there and deleting all the old entries?

What will reloading it do?

Thanks again!


0
 
joedoe58 Commented:
You can apply scavenging on the DNS zone. You have to apply it in 3 locations though for it to start working. It will delete entries older than the limit you set. You can set it to a very low value and wait until all is OK, then set it back to about 7 days, which is the default.
0
 
Netman66 Commented:
Scavenging might help, however if the hostname is the same but with different IPs then Scavenging might still consider them current.

You can enable it and then right-click the zone and select Scavenge Now to force an immediate parse - if entries continue to exist, then the best advice is to delete the CONTENTS (note the emphasis) of the Reverse Lookup Zone and all your HOST records from the Forward Zone except the server records.  Restart the Netlogon service on each server to reregister missing records.

The PCs will populate the zones on next boot.

0
 
javajo (Author) Commented:
Thanks guys for all your help -

Netman66 - I saw your response on scavenging - I awarded 50 points to joedoe58 being he was first to post the scavenging remark.

Thanks again to everyone for your help!!

0
 
Netman66 Commented:
No problem at all.

Glad to help.

0
 
javajo (Author) Commented:
One last follow-up question -

Why in the heck do I have current host records that have record time stamps a few months old?

Don't all hosts re-register every 24 hours?

Wouldn't registering give a new time stamp?

Thanks again!
0
 
joedoe58 Commented:
If I remember right, you see the creation date. If you want to see the actual refresh time stamp, you have to enable advanced view.
0
 
javajo (Author) Commented:
Thanks joedoe58 -

I can't find that option -

When I right click a host record and click properties, I can only see the record time stamp.

0
 
joedoe58 Commented:
I found an article some months ago that explained how to do it, but now I cannot find it again.
0
