parallax78
Unable to Remote Desktop into Domain controller

The problem I am having is that I cannot use Remote Desktop to log on to my domain controller (Windows 2003 Enterprise). I was able to a few days ago, but now when I connect to it I get the message "To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop User group does not have this right, you must be granted this right manually." As far as I know nothing has changed, and I am the only person that has access to the server.

I have ensured that the computer has remote access allowed. I have made sure that the group policy, domain controller security policy, and domain security policy for logging on through Terminal Services is allowed. I have verified that the users in question have the right to log onto remote machines, and I even went as far as adding all of the users to the Remote Desktop Users group to make sure that wasn't the problem (even though the administrator account is part of it by default, I still can't log in with it either). I also set the appropriate permissions in Terminal Server, and I still cannot log on.

I am able to log onto every other computer on the network via remote desktop, and I was able to log onto this one fine until recently. Any ideas would be appreciated, I thought I had been pretty thorough.
Dave_Simm

Have you tried logging on as the domain administrator instead of your own username? Then check who is a member of the Remote Desktop group.
Also try logging onto a console session, i.e. when connecting from your PC type "<domaincontrollername> /console".
parallax78
Dave, thanks for the quick response. I have tried using the administrator account to no avail.

I am afraid I am unsure of what you mean by a console session. Do I type ad-server/console (ad-server is the name of the domain controller) in the computer name text box in the Remote Desktop logon dialog box? If so, then that doesn't seem to work; I get a "This computer can't connect to the remote computer" error.
Dave, I figured out how to use a console session. Unfortunately I am still getting the same issue.
In AD Users and Computers (DSA.msc), make sure that on the Terminal Services tab of the user the tick box at the bottom left, "Deny this user permission to logon to any terminal server", isn't ticked.
I just went and double checked that and it is unchecked.

I think I may know what needs to happen, though I am not sure how to do it. I just noticed I was getting the same problem on one of our other servers (not a DC; a server running 2003 Web Edition), so I logged onto it with the local administrator, went to Administrative Tools/Computer Management and added the domain administrator account to the Administrators group in "Local Users and Groups", and the problem was solved. So I figured the same thing would work on the DC, but the problem is that under Computer Management on the DC there is no option for "Local Users and Groups", and I can't figure out how to log onto the DC as the local administrator (not sure if that is possible or if it would make a difference). Any thoughts?
Local Users and Groups is not available on a DC. Only members of the Enterprise Admins and Domain Admins have access to log on. Is the user you are using a member of either?
Also, have you tried remotely viewing the event logs to look for errors? Or just remotely issuing a shutdown -r command to restart the box, then try again: shutdown -m \\hostname -r
Yes. I have been using the administrator account for all the tests I have mentioned.

Thanks for all your effort. I had tried restarting several times locally with no effect. I just tried a remote shutdown as you suggested, also with no effect, and I don't see anything in the event logs that would indicate a problem.
I tried, as you suggested, creating a test user and adding it to the Enterprise Admins group (I assume that is what you meant by the Enterprise Admin responsibility), and I got the same error when trying to remote in.

As far as I know there have been no changes to anything regarding user permissions (until I started making changes that I thought would fix this problem). Is there any way I can verify that nothing changed them (it is almost impossible, though, as I am the only person that knows how to do it and has access to the server)?

I just went and looked, and it does appear that Windows Update ran recently. I tried uninstalling the updates, but it didn't make any difference. I really think it has something to do with the server(s), which are both running 2003 (as I mentioned before, I was able to fix the problem on one of them), since they are the only ones that exhibit the problem. I can RD from client to client (all of which are running XP) and from the server to the clients. But really I am at a loss.
That's just lovely. I sign back up thinking someone had (potentially) solved my problem, and I find it is some garbage like this.

With the exception of Dave Simm, I would like to thank all of you for being so incredibly unhelpful and for wasting thirty of my dollars. You should change the name of this site to "Experts Exchange... nothing".
This wasn't actually a solution, but this guy is the only one that took the time to help me and made the expense almost worth it, so I wanted to thank him by giving him the points for the solution. This site, however, needs some serious work.
parallax, is this problem still ongoing? I've found a few links which may be of use to you. It would appear the problem is caused by a deny permission being set, rather than not being allowed, as we were presuming (deny permission always overrides allow). I'll endeavor to help you get this sorted.

http://www.simonsen.bz/blog/Lists/Posts/Post.aspx?ID=12
http://support.microsoft.com/kb/837954/en-us

Cheers

Dave
Thanks Dave. I have still been working on it with no success. I looked at both of those links, but I can't find anywhere that a deny permission is set. I also tried disabling group policy altogether to see if that made the difference, but the problem persisted, which leads me to believe it is a local setting somewhere, but I just can't figure out what it is. Thanks for your help.

P.S. Sorry if I seemed belligerent earlier; it was just a frustrating series of events...
Has your DC been given the Terminal Server role?

Check this link: http://www.chicagotech.net/RemoteAccess/ts15.htm
So on a standard installation of a 2003 Terminal Server, you only have to add your users or user groups to the local Remote Desktop Users group on the Terminal Server.

If your TS is also a Domain Controller (not recommended!), then you must do the following:

   1. Add the users to the built-in domain local Remote Desktop Users group in AD.
   2. Enable the following setting in the Default Domain Controller Policy:

      Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment
      "Allow log on through Terminal Services"

      and add the Remote Desktop Users group to the list of allowed users.
   3. Add the Remote Desktop Users group to the permission list of the RDP-Tcp connection.
Dave, I think I had tried this process before, but I went back and tried it again just now with no luck. I am pretty much out of ideas at this point.
What about the comment before: can you check if the DC has the Terminal Server role (which it shouldn't)?
It does not have the Terminal Server role installed; sorry for not being clearer about that.
Can you go into your event logs, right-click them (one by one) and choose "Save Log File As". Then upload them to this page. Just need application/security/system.
Thanks Dave. I can post the system log (though I had to change the extension to .txt before the site would allow me to upload it), but the others are much too large to upload here (32 MB for security, 16 MB for application), presumably from the different things I have been trying in order to make this work. Is there some other way I can post them/send them to you, or something specific I should look for in them?
system.txt
OK, clear the security and application logs, then try to RDP to recreate the problem, then export them. They should be much smaller then, with only a few minutes' worth of info in them.
Done. They are attached.
system.txt
This is the security log
security.txt
This is the application log
application.txt
OK, as a start, it looks like your DC has a few pending Windows updates. Get these installed, and reboot until all outstanding updates are installed. Also, what is your IP addressing setup? Do you have a DHCP server? I noticed the following a few times in your system log.

Your computer has automatically configured the IP address for the Network Card with network address 000C6E997FBA.  The IP address being used is 169.254.252.217.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I am using a DHCP server role on the DC. The DC has a static IP of course, and as far as I know all of the clients are using DHCP addresses, but the address range is 10.142.x.x. I don't know where the 169.254.252.217 address comes from (though it looks like an APIPA address).

I ran Windows Update this morning and installed several updates. I am running it again right now to make sure something didn't get overlooked. There is one update (an update for XML Core Services 4.0, I think, is the description) that it always shows but never installs for some reason.
The only update it found was the one I mentioned, which it said it installed successfully, but it always says that, and it is always there the next time I check for updates.
I noticed something new just now. I wanted to verify (for the like 100th time) that the system itself was allowing Remote Desktop connections, so I right-clicked on My Computer, went to Properties and then the Remote tab. "Allow users to connect remotely to this computer" was checked and grayed out, so I then clicked Select Remote Users to verify everyone that belonged in there was allowed access, and they were, so I clicked OK. Then, when I clicked OK on the Remote tab, I got the following message: "Remote connections are not supported when offline files are in use. Please disable offline file support first."

Of course I checked to make sure offline files were not enabled by policy, and they weren't, but I still get that error message (which I never got before). This is probably related somehow, isn't it?
I know this is old, but it sounds like you have either a dual-port network card or 2 network cards installed. One is connected and the other is not. The one that's not connected is getting the 169 IP address. Windows does not like a DC with more than one IP address, and it may be causing your issue. If so, disable the unused NIC in Network Connections.
I had the same problem. It was resolved as below:

Go to Terminal Services Configuration - Connections - double-click RDP-Tcp - Permissions - add the Domain Admins group and give it the desired permission.
I'm having the same exact issue.

Not able to log into a domain controller (used to be able to), but I have not in a while and have tried numerous things: creating new accounts, re-enabling RDP via the registry and the properties screen. I have given up now. Perhaps time to use VNC.
I was having the exact same issue, and it took me a few hours to resolve it. This looks like an extra step, but it fixed the problem.
1. Open Domain Controller Security Settings and open Local Policies Settings.
2. In the console tree, click User Rights Assignment.
Where?
Security Settings/Local Policies/User Rights Assignments
3. In the details pane, double-click the user right you want to change, which is "Allow log on through Terminal Services".
4. In User Right Properties, click Add User or Group, then "Administrators".
5. Add the user or group and click OK.

It should work.
Good LUCK!
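An added audit script, not posted by anyone in this thread, that checks on the refusing server the items both Dave's quoted three-step procedure and the final poster's User Rights Assignment steps depend on: the Allow and Deny "log on through Terminal Services" rights (deny overrides allow, as Dave noted), the Remote tab's fDenyTSConnections value, Remote Desktop Users membership, and the per-user Terminal Services deny tick box. It assumes an elevated PowerShell session on the server (PowerShell itself is an assumption, as Server 2003 does not ship it) and uses a hypothetical account name, rdptestuser.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell session on the
# server that refuses the RDP logon; Server 2003 needs PowerShell installed separately.

# 1. Export the effective local security policy and read both Terminal Services rights.
#    A principal in the Deny list is refused even if it also appears in the Allow list.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null

function Get-PrivilegeHolders {
    param([string]$InfPath, [string]$Privilege)
    # [Privilege Rights] lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $line = Get-Content $InfPath | Where-Object { $_ -match "^$Privilege\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }                 # right assigned to nobody
    foreach ($entry in $line.Split('=')[1].Split(',')) {
        $entry = $entry.Trim().TrimStart('*')
        if ($entry -like 'S-1-*') {
            try { (New-Object System.Security.Principal.SecurityIdentifier($entry)).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry }                       # orphaned SID: report it raw
        } else { $entry }
    }
}

$allow = @(Get-PrivilegeHolders $inf 'SeRemoteInteractiveLogonRight')
$deny  = @(Get-PrivilegeHolders $inf 'SeDenyRemoteInteractiveLogonRight')
"Allow log on through Terminal Services: $($allow -join ', ')"
"Deny log on through Terminal Services : $($deny -join ', ')"
$both = $allow | Where-Object { $deny -contains $_ }
if ($both) { Write-Warning "Granted AND denied (deny wins): $($both -join ', ')" }

# 2. The Remote tab's 'Allow users to connect remotely to this computer' box: 1 means connections are refused.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
"fDenyTSConnections = $($ts.fDenyTSConnections)"

# 3. Members of the built-in Remote Desktop Users group (on a DC this is the BUILTIN domain local group).
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
$members = @($group.psbase.Invoke('Members')) |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
"Remote Desktop Users: $($members -join ', ')"

# 4. The per-user 'Deny this user permissions to log on to any Terminal Server' tick box, read through the
#    Terminal Services ADSI extension (IADsTSUserEx). rdptestuser is a hypothetical account name.
$sam = 'rdptestuser'
$result = (New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$sam)")).FindOne()
if ($result) {
    $user = $result.GetDirectoryEntry()
    "TS AllowLogon for $sam = $($user.psbase.InvokeGet('AllowLogon'))"   # 1 = allowed, 0 = deny box ticked
}
```

Run it on the DC and on a server where RDP still works, and compare the four sections; the mismatch points at the setting that changed.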