Solved

Windows 2008 R2 Remote Desktop Services Access denied with certain apps

Posted on 2011-03-25
Last Modified: 2012-06-27
Hi all,

I have a Windows Server 2008 R2 SP1 running Remote Desktop Services. We are having some permission issues that I need to get fixed ASAP.

For example:

One of my users is a member of "Administrators, Remote Desktop Users and Domain Users".
We are trying to access a program under: C:\windows\system32 and get the following error:

"C:\windows\system32\drivers\dbgv.sys: Access is denied."

We are having other permissions issues, and it's strange that the user is part of the administrators group but still having permissions issues.

Ultimately I would like this user to not be part of the administrators group but still run certain accounting applications. What must I do?
Question by:g-techforce
16 Comments
 
LVL 3

Expert Comment

by:Hayborne
ID: 35220073
Is the user a member of the local Admin? If not, add them as a local admin, then see if they can run the program.
 

Author Comment

by:g-techforce
ID: 35220076
I forgot to mention this is happening when users remote into the server via remote desktop connection.
 
LVL 1

Expert Comment

by:hallcomis
ID: 35220084
Create a security group, add the users to it and give that group the appropriate NTFS permissions to the folders/files that are giving them the access denied error. This way you don't have to add them to the local admin group, giving them all the permissions that come with it.
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220111
In your one example you are trying to access an area which Windows 2008 R2 is protecting. It does not matter if you are a local administrator of this computer. If you locate the command prompt from the Start menu, right click it and choose Run as administrator, you will not get the access denied error.

Try this, and if you are successful let me know what other permission related problems that you are having.
 

Author Comment

by:g-techforce
ID: 35220127
Matt,
You are correct, I do not get access is denied.

However, our PSA and accounting software apparently needs access to files in the windows/system32 folder.

The accounting software works if I remote in as administrator, but if I remote in as a user that has administrative privileges, it doesn't work.
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220148
Can they right click the application and choose run as administrator?
 

Author Comment

by:g-techforce
ID: 35220305
No, it still doesn't work. But let me explain exactly what I'm trying to accomplish...

We use a PSA software that integrates with Quickbooks.

If I remote into the Terminal Server as "Administrator" I can open up the PSA software, and then integrate successfully with Quickbooks.

If I remote into the Terminal Server as a user that has administrative privileges, I can open up the PSA software but the integration with Quickbooks fails.

I contacted the PSA vendor and they say it's a privileges issue.
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220324
Make the user a member of the local administrators group.
 

Author Comment

by:g-techforce
ID: 35220407
I don't recall how to make a user a member of the local administrators group.

But I did check "cacls C:\Windows\System32" and I do see builtin\administrators listed.
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220444
builtin\administrators is different from being a member of the local administrators group on a specific computer. To make a user a member of the local administrators group on a specific computer, I think in your case the Terminal Server computer, do the following:

The following is from memory, so you might have to poke around.
Open Server Manager on the computer where you want to add the user (where the app is).
Under Configuration (expand) you will see Local Users and Groups.
Expand Groups.
Double click Administrators.
Add the user into that group and Apply.
The user might have to log out and log back in for the changes to take effect.
 

Author Comment

by:g-techforce
ID: 35220451
That won't work on 2008 R2 in a domain environment anymore. They disabled it. Here is a screenshot.
Capture2.JPG
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220465
OH, I did not realize that you are running applications on a Domain Controller. That is not what they are for. Member Servers in a Domain are for running applications like the one you are running. The only option that you have to make it work in your situation is to make the user a Domain Administrator. Under administrative tools select Active Directory Users & Computers. Right click the Domain name and choose find. Enter the username in the search box. Next, double click the username that it finds. Choose the Member Of tab and add Domain Admins for this user.
 

Author Comment

by:g-techforce
ID: 35220591
The user I am testing has been part of the "Domain Admins" group for quite some time and is experiencing the issue. So it must be something else.
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220616
As I said before, applications like yours are designed to run on member servers in a Domain, not Domain Controllers. Domain Controllers should have nothing more than DNS Server, DHCP Server, and maybe a CA (which I do not recommend).
 

Accepted Solution

by:g-techforce
ID: 36044650
I was able to resolve the issue. This fix is for users running Windows Server 2008 R2 SP1 as a Domain Controller AND Terminal Server (Remote Desktop Services).

Please note: it's not best practice to have Terminal Server running on a Domain Controller, but some companies can't afford 2 servers, so in that scenario, this change should fix any similar problems you're experiencing.

The problem: QB integration problems if running Terminal Server on the Domain Controller and logged into the Terminal Server as any user other than Administrator. The problem turned out to be a change in UAC after installing SP1 for Windows Server 2008 R2.

Applies to the following:
Windows Server 2008 R2 SP1
Domain Controller also acting as the Terminal Server

The Fix:
Open the Control Panel and click User Accounts, then click the Change User Account Control setting and drop it to the lowest to turn off UAC. Press OK.

 

Author Closing Comment

by:g-techforce
ID: 36110465
This change fixed a permission problem on a DC running Terminal Services
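
A read-only check for the behaviour discussed in this thread, added here as an example and not part of any poster's reply: it reports whether the session's token has the Administrators group enabled or deny-only, alongside the machine's UAC policy values. It assumes an English-language system (the `whoami` attribute text is matched as a string), and the output property names are chosen for this example.

```powershell
# Added example (not from the thread). Reads state only; changes nothing.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $key

$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)

# IsInRole() is true only when BUILTIN\Administrators is enabled in the token,
# i.e. the process is elevated or UAC is off.
$elevated = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami lists the group even when it is present as deny-only.
# /nh drops the header row, so the column names are supplied here.
$admins = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes |
    Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators

# Attribute text is localized; this match assumes an English system.
$denyOnly = [bool]($admins -and ($admins.Attributes -match 'deny only'))

New-Object PSObject -Property @{
    User                       = $id.Name
    # RID 500 is the built-in Administrator account.
    BuiltInAdministrator       = ($id.User.Value -match '-500$')
    InAdministratorsGroup      = [bool]$admins
    AdministratorsDenyOnly     = $denyOnly
    TokenElevated              = $elevated
    # 0 = UAC (Admin Approval Mode) is off machine-wide.
    EnableLUA                  = $pol.EnableLUA
    # 0 or absent = the built-in Administrator is not given a filtered token.
    FilterAdministratorToken   = $pol.FilterAdministratorToken
    ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin
} | Format-List
```

Run from a normal (non-elevated) prompt in each Remote Desktop session, it lets the token of the built-in Administrator be compared with that of another administrative user.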