Solved

administrator denied access to terminal services

Posted on 2011-02-19
4
817 Views
Last Modified: 2012-05-11
Hello,

I am not sure what happend here but a user called because they couldn't access terminal services...I am not sure if anyone made any group policy edits or anything but I am suspecting that is the case.

In order to get the person logged in I had to add them to the local terminal server via computer management - remote - and add user. I never had to do that before since the user is a member of the remote desktop users group and the remote desktop users group by default has login rights to terminal servers....another thing that is very wierd now as well is that all 3 of my 2008 servers are denying the administrator access to log in? I can rdp into all of the 2003 servers as the admin but not the 2008 - I suspect that I could log onto them locally and add the administrator manually however I just want to try to get things back to the way they were...ex the administrator can log into all servers remotley....and remote desktop users can log into all of the terminal servers without having to add them locally to the terminal server via computer management - remote - and adding all the users...

If anyone could help me troubleshoot on where to look for why this is happening it would be great...the only thing that I am sure of is that the domain controller had been modified for something last night -

Thanks
0
Comment
Question by:badgermike
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 15

Author Comment

by:badgermike
ID: 34933442
Here is what i see

In the default domain policy - local policies - user rights assignment - allow login through terminal services = not defined

Buitin -Remote desktop users is populated with teh appropriate users

Users in AD are members of the Remote Desktop Users.

Domain Controller Security Policy -local policies - user rights assignment - allow login through terminal services = not defined

No restricted groups.

0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 250 total points
ID: 34937543
Try to run Group Policy Modeling fro those TS servers to check if there is no any GPOs which modified "administrator" permission.
MS article will help you with that GPO Modeling
http://technet.microsoft.com/en-us/library/cc781242%28WS.10%29.aspx
or
http://technet.microsoft.com/en-us/library/cc780305%28WS.10%29.aspx

Regards,
Krzysztof
0
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 250 total points
ID: 34938736
You have implied that this once workd. On 2003 server, there are known issues with RDP using service pack 2. Here you go, you might want to check this out.

http://www.lan-2-wan.com/2003-SP2.htm 

How does this apply to 2008 server, you might ask. I don't know if the listening port has been fixed in 2008 server. So, you might want to go through the steps to see if the listening port is dynamically assigned for a TS session.
---------------
Also, if the error says something like (can not logon locally) it is a group policy object that will not allow remote sessions to control local features. This group policy prevents remote operators from using terminal services.
--------------
If the error says, (access denied) it is a permissions problem.
-------------
Firewalls often block TS from a remote computer as well.
-------------
Please provide the syntax of the error you are seeing when trying to logon to TS/remote desktop. Providing the error helps when troubleshooting this issue.
0
 
LVL 15

Author Closing Comment

by:badgermike
ID: 35150465
Thanks, sorry so late it was both of your posts that helped me solve the issue.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
A hard and fast method for reducing Active Directory Administrators members.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question