"Allow logon to Terminal Server" was unchecked mysteriously

lo_oscar
lo_oscar used Ask the Experts™
on
Experts,

I have an interesting issue going on in our w2k3 AD environment. Some of our IT staff had been mysteriously denied their access to terminal servers. They come in one morning and found they cant log on to any servers. I later found under their user properties, in the terminal server tab, Allow logon to terminal Server was unchecked. It happened to couple of staff and some of them even have domain admin rights.

I wonder if anybody else had the same issue before so we can know what could have triggered this. If not, how can I monitor the change on that particular setting to find out whom or what made the change?

Thanks in advance for your help.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Commented:
This attribute usually uncheck by default. Unless someone checked it intentionally or if you have a script somewhere to this to Check.

You can look for the event id 566 and with an approximate time and date to determine who changed it. This event shows you the user account used to make the change as well as showing the Remote Access Infomation etc. Of course, in order to see this event in your security event log, you need to configure enough space to hold the instance when the event occur and assuming that you have turned on auditing.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial