Solved

Suddenly can't RDP into Windows 2008 or 2003R2 servers

Posted on 2010-08-19
Last Modified: 2013-11-21
Suddenly today I can't log in as the domain administrator using Remote Desktop into any of my Windows 2008 or Windows 2003 R2 servers - what could have happened? When I log in (using domain administrator credentials), I get the message:
To log onto this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop User group does not have this right, you must be granted this right manually.
Question by:tolenmay
17 Comments
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 33478656
Someone set a domain wide policy that removed this right?

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33478679
Is the domain admin part of the Remote Desktop Group? Does the Remote Desktop Group have the Allow log on through Terminal Server right?
 

Author Comment

by:tolenmay
ID: 33478857
In the Local Security Policy, the only member of the Allow Logon to RDP is the <mydomain>/everyone group and the "Add Users or Group" is grayed out.
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 33478888
If it is grayed out that means you either do not have rights to change or someone did indeed set a policy to do this.

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
 

Author Comment

by:tolenmay
ID: 33478932
There are only three of us in IT and no one says they set a policy on it so I don't know why it's grayed out.  I'm logged in as the domain admin... maybe I need to log in as a local user to change it. I went to the domain policy and RDP wasn't configured.
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33478981
Are you running this on a DC?
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33479000
If you are running on a DC, you must go through the Domain Controller Policy.
 

Author Comment

by:tolenmay
ID: 33479173
This server isn't a domain controller, but remember it's happening on ALL our 2003 R2 and 2008 servers, but not the 2003 non R2 (such as our Domain Controllers).
By the way, I logged on locally to the server and it still won't let me add users or groups to the Allow to log on through RDP.
I've gone into the Domain policy as well as the Domain Controllers Policy and added domain admins and the administrator account explicitly to Allow Login through RDP and I still can't log on with the domain administrator account.

I'm not only wanting to know how to fix this - I'm curious as to WHY it happened overnight and only to the administrator account? Could it be a new Microsoft update? The only thing I know I did yesterday on the network was install Windows Server Update Services, which required adding some roles to the server (like application server, ASP, etc.) but no updates were configured yet.
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 33479217
Someone had to remove or apply a GPO that caused the issue; this just doesn't happen. It seems to be a GPO causing the problem.

Create an OU, put the server in the OU and a user in the test OU, log on, and see if you have the option to add a user or group.
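
Added example (not part of the thread or any poster's code): one way to find which GPOs define the "Allow log on through Terminal Services" right, by reading each GPO's security template in SYSVOL. It assumes a domain-joined machine with read access to SYSVOL; the GroupPolicy module is optional and only used to show GPO display names.

```powershell
# Added example: list every GPO that defines "Allow log on through Terminal
# Services" (SeRemoteInteractiveLogonRight) by reading GptTmpl.inf in SYSVOL.
# Assumptions: domain-joined machine with read access to SYSVOL; the GroupPolicy
# module (GPMC/RSAT) is optional and only used to resolve GPO display names.
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"
$right    = 'SeRemoteInteractiveLogonRight'
$haveGpModule = [bool](Get-Module -ListAvailable -Name GroupPolicy)
if ($haveGpModule) { Import-Module GroupPolicy }

function Resolve-Principal([string]$entry) {
    # Entries are either "*S-1-..." SIDs or plain account names.
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*')) { return $entry }
    $sidText = $entry.Substring(1)
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sidText   # unresolvable SID: report it raw
    }
}

$gpoDirs = Get-ChildItem -Path $policies |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }

$results = foreach ($dir in $gpoDirs) {
    $inf = Join-Path $dir.FullName 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (-not (Test-Path $inf)) { continue }
    $line = Get-Content $inf | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
    if (-not $line) { continue }          # right is "Not Defined" in this GPO

    # A defined-but-empty value grants the right to nobody, which locks out RDP.
    $value = ($line -split '=', 2)[1].Trim()
    if ($value) { $members = @($value -split ',' | ForEach-Object { Resolve-Principal $_ }) -join '; ' }
    else        { $members = '(defined but empty: nobody is granted the right)' }

    $name = $dir.Name
    if ($haveGpModule) {
        try { $name = (Get-GPO -Guid $dir.Name -Domain $domain -ErrorAction Stop).DisplayName } catch { }
    }
    New-Object PSObject -Property @{ GpoName = $name; GpoGuid = $dir.Name; GrantedTo = $members }
}

$results | Select-Object GpoName, GpoGuid, GrantedTo | Format-Table -AutoSize -Wrap
```

Compare the GPOs it lists with the "Applied Group Policy Objects" section of `gpresult /scope computer /v` run on an affected server to see which of them actually reaches that machine.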
 

Author Comment

by:tolenmay
ID: 33479462
By the way, I just found out that no one can log into Citrix now and no one EXTERNAL can get to our website - we can get in internally.
I created an OU called "Test server" and moved one of the servers in question into that OU; I then logged into the server and the "Add users and groups" was no longer grayed out in the local security policy, Allow Logon through RDP.  I added the administrator and remote users group and now I can log into that server.  I'm not sure if it was moving into an OU with no GPOs or giving those users the rights that made it work, though.
 

Author Comment

by:tolenmay
ID: 33479493
OK - forget the web issue - that was a completely different issue with the web CoLo.
 
LVL 15

Expert Comment

by:roylong
ID: 33479509
Did you have any new patches get applied the night before this started happening? I had something similar after new security patches were applied and had all sorts of problems identifying which patch broke it and subsequently uninstalling...
 

Author Comment

by:tolenmay
ID: 33479544
The issue with Citrix could be that I had gone into the Domain level policy and changed the Allow Logon through Terminal Services from Unconfigured to Enabled and added domain admins etc, but not everyone.  Now I've added the everyone group, but should I just put it back to Unconfigured?
 

Author Comment

by:tolenmay
ID: 33479819
I installed patches on Sunday but haven't had this issue until today (Thursday).

I've moved the Citrix server into the empty OU and was able to Citrix in.  Any idea what kind of policy might do this?
 

Author Comment

by:tolenmay
ID: 33479995
Our other network admin disabled the link to the Servers GPO.  She thinks it hasn't been inheriting the policies til now for some reason and now it's picking up something restrictive but the server policy GPO hasn't been updated since July 17th.  So, it's working now, but I'm not sure what specifically has caused this so suddenly.
 

Author Comment

by:tolenmay
ID: 33480019
Just to clarify that - her email to me said "The Server OU was set to not inherit policies" and now it is set to inherit policies and that seems to work.
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33480310
So, everything is working now?
Question has a verified solution.
