Solved

Can't logon to Domain Controller through Terminal Services

Posted on 2009-05-04
1,138 Views
Last Modified: 2013-11-21
Hi,

Because of a pending hardware maintenance on one of our domain controllers, I edited the "Default Domain Controller Security Policy" so that the group Server Operators can log on through Terminal Services.
After the maintenance finished successfully, I reset the policy right and set the "Log on through Terminal Services" policy back to the original state (Not Defined).

Now no one can log on through Terminal Services to any of the Domain Controllers. Even the Domain Administrators can't.
Gpupdate doesn't help. I made this change 4 hours ago.

Thanks for your assistance.
Question by:hcds
5 Comments
 
LVL 6

Expert Comment

by:DanielWillmott
ID: 24295079
Exactly which section of the policy were you modifying?
 

Author Comment

by:hcds
ID: 24295155
Under
Default Domain Controller Security Policy --> Security Settings --> Local Policies --> User Rights Assignment --> Allow log on through Terminal Services
I added the Group "Server Operators"

Now I switched back to "Not Defined"
 
LVL 18

Expert Comment

by:Americom
ID: 24295184
Double check on this:
For a domain controller, by default, the "Domain Policy" and the "Domain Controller Policy" settings for "Allow log on through Terminal Services" are set to "Not Defined", which means only Administrators can log on remotely.
Also, by default the local policy of the Domain Controllers (if you run gpedit.msc) for "Allow log on through Terminal Services" is open to the "Administrators" and "Domain Admins" groups.

If you find any of the settings different from the default, then someone must have changed it, either intentionally or without fully understanding the difference between a Domain Controller and a member server.
 
LVL 27

Expert Comment

by:bluntTony
ID: 24296952
User rights assignment settings tattoo. That is, if you apply a setting via a GPO, then set that GPO to 'Not Defined' (as you have), the setting actually still stays on the machine's local policy. It doesn't revert back to a default. This isn't how it is for all policy settings, but it is true for User Rights Assignments. In addition, these rights are defined locally on the DC, not via group policy (at least not by default).
Did you by any chance just add the one group into the policy? This would make ONLY that group able to log in remotely, overwriting the local policy. Now that the GPO setting is not defined, the usual Domain Admins and Administrators groups are still absent. If you want to add a group to these settings via a GPO, you have to be careful that you also include the groups/users given the right locally.
Like Americom has said, if an RSoP (rsop.msc) query tells you that no GPO is setting this policy on the machines (I think by default they shouldn't be - this is usually a local setting out of the box), then edit the local policy (gpedit.msc). Add your groups back into the policy and you should be good to go. If the RSoP shows that a GPO is defining the settings, edit this GPO.
 
LVL 27

Accepted Solution

by: bluntTony (earned 1000 total points)
ID: 24296988
Thinking about it, if you want to tattoo back the local settings to allow you remote access, define this policy in the Default Domain Controller Policy, adding 'DOMAIN\Domain Admins' and 'Administrators'. Then force a refresh on all of your DCs, then you can set the policy back to not defined and the policies will again be locally defined.
That would save you editing local policy on each DC.
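The tattooing that bluntTony describes, and the repair sequence in the accepted answer, can both be verified from the DC itself: the User Rights Assignment that actually governs logon lives in the machine's local security database, whatever the GPO currently says. The script below is an added example written for this thread, not code posted by any of the participants. It exports the local security database with `secedit /export`, reads which principals hold `SeRemoteInteractiveLogonRight` (the internal name of "Allow log on through Terminal Services"), resolves the SIDs to names, and reports whether the default holders (BUILTIN\Administrators and Domain Admins) are missing. The temp file path and the use of `$env:USERDOMAIN` for the NetBIOS domain name are assumptions; run it in an elevated PowerShell session on each DC before and after applying the fix.

```powershell
# Added example (not from the thread): list who currently holds
# "Allow log on through Terminal Services" in this DC's local security database
# and flag whether the default groups have been tattooed out of it.
# Assumptions: writable $env:TEMP, and $env:USERDOMAIN is the NetBIOS domain name.

$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch path

# secedit /export dumps the effective local security database; USER_RIGHTS limits
# the export to the User Rights Assignment section.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# In the exported INF the right appears as, e.g.:
#   SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-<domain>-512
# If the line is absent, nobody holds the right at all.
$line = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight\s*=' |
        Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'SeRemoteInteractiveLogonRight is not present in the export: nobody holds the right.'
    $holders = @()
} else {
    $holders = ($line.Line -split '=', 2)[1].Trim() -split ',' |
        Where-Object { $_ } |
        ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                # A leading '*' marks a SID; translate it to DOMAIN\Name where possible,
                # keeping the raw SID for entries that no longer resolve (orphaned SIDs).
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $entry }
            } else {
                $entry   # already a name
            }
        }
}

# The out-of-the-box holders on a DC, as Americom and bluntTony describe them.
$expected = @('BUILTIN\Administrators', "$env:USERDOMAIN\Domain Admins")

Write-Host "Holders of SeRemoteInteractiveLogonRight on $env:COMPUTERNAME:"
$holders | ForEach-Object { Write-Host "  $_" }

$missing = $expected | Where-Object { $holders -notcontains $_ }
if ($missing) {
    Write-Warning ('Missing from the local right (tattooed out): ' + ($missing -join ', '))
    # Repair, per the accepted answer: define the right in the Default Domain Controllers
    # Policy with the groups above, refresh every DC, then set it back to Not Defined so the
    # restored values stay behind locally. gpupdate /force triggers the refresh on this DC.
    Write-Host 'Define the right in the Default Domain Controllers Policy, then run: gpupdate /force'
} else {
    Write-Host 'Local right matches the expected defaults.'
}
```

Because user rights tattoo, the "Missing" warning persists until a GPO has actually written the groups back; re-running the script after `gpupdate /force` on every DC, and once more after the policy is returned to Not Defined, confirms that the restored values survived the second change rather than being wiped out again.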
