Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

administrator denied access to terminal services

Posted on 2011-02-19
4
Medium Priority
?
822 Views
Last Modified: 2012-05-11
Hello,

I am not sure what happend here but a user called because they couldn't access terminal services...I am not sure if anyone made any group policy edits or anything but I am suspecting that is the case.

In order to get the person logged in I had to add them to the local terminal server via computer management - remote - and add user. I never had to do that before since the user is a member of the remote desktop users group and the remote desktop users group by default has login rights to terminal servers....another thing that is very wierd now as well is that all 3 of my 2008 servers are denying the administrator access to log in? I can rdp into all of the 2003 servers as the admin but not the 2008 - I suspect that I could log onto them locally and add the administrator manually however I just want to try to get things back to the way they were...ex the administrator can log into all servers remotley....and remote desktop users can log into all of the terminal servers without having to add them locally to the terminal server via computer management - remote - and adding all the users...

If anyone could help me troubleshoot on where to look for why this is happening it would be great...the only thing that I am sure of is that the domain controller had been modified for something last night -

Thanks
0
Comment
Question by:badgermike
  • 2
4 Comments
 
LVL 15

Author Comment

by:badgermike
ID: 34933442
Here is what i see

In the default domain policy - local policies - user rights assignment - allow login through terminal services = not defined

Buitin -Remote desktop users is populated with teh appropriate users

Users in AD are members of the Remote Desktop Users.

Domain Controller Security Policy -local policies - user rights assignment - allow login through terminal services = not defined

No restricted groups.

0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 1000 total points
ID: 34937543
Try to run Group Policy Modeling fro those TS servers to check if there is no any GPOs which modified "administrator" permission.
MS article will help you with that GPO Modeling
http://technet.microsoft.com/en-us/library/cc781242%28WS.10%29.aspx
or
http://technet.microsoft.com/en-us/library/cc780305%28WS.10%29.aspx

Regards,
Krzysztof
0
 
LVL 39

Assisted Solution

by:ChiefIT
ChiefIT earned 1000 total points
ID: 34938736
You have implied that this once workd. On 2003 server, there are known issues with RDP using service pack 2. Here you go, you might want to check this out.

http://www.lan-2-wan.com/2003-SP2.htm 

How does this apply to 2008 server, you might ask. I don't know if the listening port has been fixed in 2008 server. So, you might want to go through the steps to see if the listening port is dynamically assigned for a TS session.
---------------
Also, if the error says something like (can not logon locally) it is a group policy object that will not allow remote sessions to control local features. This group policy prevents remote operators from using terminal services.
--------------
If the error says, (access denied) it is a permissions problem.
-------------
Firewalls often block TS from a remote computer as well.
-------------
Please provide the syntax of the error you are seeing when trying to logon to TS/remote desktop. Providing the error helps when troubleshooting this issue.
0
 
LVL 15

Author Closing Comment

by:badgermike
ID: 35150465
Thanks, sorry so late it was both of your posts that helped me solve the issue.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question