Solved

administrator denied access to terminal services

Posted on 2011-02-19
4
818 Views
Last Modified: 2012-05-11
Hello,

I am not sure what happend here but a user called because they couldn't access terminal services...I am not sure if anyone made any group policy edits or anything but I am suspecting that is the case.

In order to get the person logged in I had to add them to the local terminal server via computer management - remote - and add user. I never had to do that before since the user is a member of the remote desktop users group and the remote desktop users group by default has login rights to terminal servers....another thing that is very wierd now as well is that all 3 of my 2008 servers are denying the administrator access to log in? I can rdp into all of the 2003 servers as the admin but not the 2008 - I suspect that I could log onto them locally and add the administrator manually however I just want to try to get things back to the way they were...ex the administrator can log into all servers remotley....and remote desktop users can log into all of the terminal servers without having to add them locally to the terminal server via computer management - remote - and adding all the users...

If anyone could help me troubleshoot on where to look for why this is happening it would be great...the only thing that I am sure of is that the domain controller had been modified for something last night -

Thanks
0
Comment
Question by:badgermike
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 15

Author Comment

by:badgermike
ID: 34933442
Here is what i see

In the default domain policy - local policies - user rights assignment - allow login through terminal services = not defined

Buitin -Remote desktop users is populated with teh appropriate users

Users in AD are members of the Remote Desktop Users.

Domain Controller Security Policy -local policies - user rights assignment - allow login through terminal services = not defined

No restricted groups.

0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 250 total points
ID: 34937543
Try to run Group Policy Modeling fro those TS servers to check if there is no any GPOs which modified "administrator" permission.
MS article will help you with that GPO Modeling
http://technet.microsoft.com/en-us/library/cc781242%28WS.10%29.aspx
or
http://technet.microsoft.com/en-us/library/cc780305%28WS.10%29.aspx

Regards,
Krzysztof
0
 
LVL 39

Assisted Solution

by:ChiefIT
ChiefIT earned 250 total points
ID: 34938736
You have implied that this once workd. On 2003 server, there are known issues with RDP using service pack 2. Here you go, you might want to check this out.

http://www.lan-2-wan.com/2003-SP2.htm 

How does this apply to 2008 server, you might ask. I don't know if the listening port has been fixed in 2008 server. So, you might want to go through the steps to see if the listening port is dynamically assigned for a TS session.
---------------
Also, if the error says something like (can not logon locally) it is a group policy object that will not allow remote sessions to control local features. This group policy prevents remote operators from using terminal services.
--------------
If the error says, (access denied) it is a permissions problem.
-------------
Firewalls often block TS from a remote computer as well.
-------------
Please provide the syntax of the error you are seeing when trying to logon to TS/remote desktop. Providing the error helps when troubleshooting this issue.
0
 
LVL 15

Author Closing Comment

by:badgermike
ID: 35150465
Thanks, sorry so late it was both of your posts that helped me solve the issue.
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question