Solved

Suddenly can't RDP into Windows 2008 or 2003R2 servers

Posted on 2010-08-19
Last Modified: 2013-11-21
Suddenly today I can't log in as the domain administrator using Remote Desktop into any of my Windows 2008 or Windows 2003 R2 servers - what could have happened? When I log in (using domain administrator credentials), I get the message:
To log onto this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop User group does not have this right, you must be granted this right manually.
Question by:tolenmay
17 Comments
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
Someone set a domain wide policy that removed this right?

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Is the domain admin part of the Remote Desktop Group? Does the Remote Desktop Group have the Allow log on through Terminal Server right?
0
 

Author Comment

by:tolenmay
In the Local Security Policy, the only member of the Allow Logon to RDP is the <mydomain>/everyone group and the "Add Users or Group" is grayed out.
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
If it is grayed out that means you either do not have rights to change or someone did indeed set a policy to do this.

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
0
 

Author Comment

by:tolenmay
There are only three of us in IT and no one says they set a policy on it so I don't know why it's grayed out.  I'm logged in as the domain admin... maybe I need to log in as a local user to change it. I went to the domain policy and RDP wasn't configured.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Are you running this on a DC?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
If you are running on a DC, you must go through the Domain Controller Policy.
0
 

Author Comment

by:tolenmay
This server isn't a domain controller but remember it's happening on ALL our 2003 R2 and 2008 servers, but not the 2003 non R2 (such as our Domain Controllers).
By the way, I logged on locally to the server and it still won't let me add users or groups to the Allow to log on through RDP.
I've gone into the Domain policy as well as the Domain Controllers Policy and added domain admins and the administrator account explicitly to Allow Login through RDP and I still can't log on with the domain administrator account.

I'm not only wanting to know how to fix this - I'm curious as to WHY it happened overnight and only to the administrator account? Could it be a new Microsoft update? The only thing I know I did yesterday on the network was install Windows Server Update Services, which required adding some roles to the server (like application server, ASP, etc.) but no updates were configured yet.
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
Someone had to remove or apply a GPO that caused the issue; this just doesn't happen. It seems to be a GPO causing the problem.

Create an OU, put the server and a user in the test OU, log on, and see if you have the option to add a user or group.
0
 

Author Comment

by:tolenmay
By the way, I just found out that no one can log into Citrix now and no one EXTERNAL can get to our website - we can get in internally.
I created an OU called "Test server" and moved one of the servers in question into that OU; I then logged into the server and the "Add users and groups" was no longer grayed out in the local security policy, Allow Logon through RDP.  I added the administrator and remote users group and now I can log into that server.  I'm not sure if it was moving into an OU with no GPOs or giving those users the rights that made it work, though.
0
 

Author Comment

by:tolenmay
OK - forget the web issue - that was a completely different issue with the web CoLo.
0
 
LVL 15

Expert Comment

by:roylong
Did you have any new patches get applied the night before this started happening? I had something similar after new security patches were applied and had all sorts of problems identifying which patch broke it and subsequently uninstalling...
0
 

Author Comment

by:tolenmay
The issue with Citrix could be that I had gone into the Domain level policy and changed the Allow Logon through Terminal Services from Unconfigured to Enabled and added domain admins etc, but not everyone.  Now I've added the everyone group, but should I just put it back to Unconfigured?
0
 

Author Comment

by:tolenmay
I installed patches on Sunday but haven't had this issue until today (Thursday).

I've moved the Citrix server into the empty OU and was able to Citrix in.  Any idea what kind of policy might do this?
0
 

Author Comment

by:tolenmay
Our other network admin disabled the link to the Servers GPO.  She thinks it hasn't been inheriting the policies til now for some reason and now it's picking up something restrictive but the server policy GPO hasn't been updated since July 17th.  So, it's working now, but I'm not sure what specifically has caused this so suddenly.
0
 

Author Comment

by:tolenmay
Just to clarify that - her email to me said "The Server OU was set to not inherit policies" and now it is set to inherit policies and that seems to work.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
So, everything is working now?
0
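
The thread ends without identifying which GPO setting restricted RDP logon. As an added example (not code from the thread or from Microsoft), this PowerShell script reports which GPO security templates define SeRemoteInteractiveLogonRight, the privilege behind "Allow log on through Terminal Services". The function names and the sample template are constructed for illustration.

```powershell
# Added example, not from the thread. Reads the [Privilege Rights] section of a
# GPO security template (GptTmpl.inf) and reports who holds the RDP logon right.
function Get-UserRightFromInf {
    param([string[]]$Lines, [string]$Right = 'SeRemoteInteractiveLogonRight')
    $inSection = $false
    foreach ($line in @($Lines)) {
        $text = "$line".Trim()
        if ($text -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and ($text -match ('^' + [regex]::Escape($Right) + '\s*=\s*(.*)$'))) {
            $who = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            return New-Object PSObject -Property @{ Principals = $who }
        }
    }
    return $null   # right not defined in this template
}

function Resolve-Principal([string]$Entry) {
    if (-not $Entry.StartsWith('*')) { return $Entry }   # plain account name
    $sid = $Entry.Substring(1)                            # "*S-1-..." is a SID
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value + " ($sid)"
    } catch { return "$sid (unresolved)" }
}

function Format-Right($Result) {
    if (-not $Result) { return 'not defined here' }
    if (-not $Result.Principals) { return 'defined but EMPTY: nobody may log on via RDP' }
    return ($Result.Principals | ForEach-Object { Resolve-Principal $_ }) -join '; '
}

# Constructed sample (hypothetical "Servers" GPO): Administrators
# (S-1-5-32-544) is absent, so only Remote Desktop Users may log on.
$sample = @'
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-555
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"
Format-Right (Get-UserRightFromInf -Lines $sample)

# On a domain-joined machine, apply the same check to every GPO in SYSVOL.
if ($env:USERDNSDOMAIN) {
    $d = $env:USERDNSDOMAIN
    $glob = "\\$d\SYSVOL\$d\Policies\*\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    Get-ChildItem $glob -ErrorAction SilentlyContinue | ForEach-Object {
        $hit = Get-UserRightFromInf -Lines (Get-Content -LiteralPath $_.FullName)
        if ($hit) { '{0}: {1}' -f [regex]::Match($_.FullName, '\{[^}]+\}').Value, (Format-Right $hit) }
    }
}
```

A GPO that defines this right replaces the local list and grays out "Add User or Group" in Local Security Policy. Running `gpresult` on an affected server shows which of the linked GPOs is actually winning.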
