Solved

Windows 2008 R2 Remote Desktop Services Access denied with certain apps

Posted on 2011-03-25
Last Modified: 2012-06-27
Hi all,

I have a Windows Server 2008 R2 SP1 running Remote Desktop Services. We are having some permission issues that I need to get fixed ASAP.

For example:

One of my users is a member of "Administrators, Remote Desktop Users and Domain Users".
We are trying to access a program under: C:\windows\system32 and get the following error:

"C:\windows\system32\drivers\dbgv.sys: Access is denied."

We are having other permissions issues, and it's strange that the user is part of the Administrators group but still having permissions issues.

Ultimately I would like this user to not be part of the Administrators group but still run certain accounting applications. What must I do?
Question by:g-techforce
16 Comments
 
LVL 3

Expert Comment

by:Hayborne
ID: 35220073
Is the user a member of the local Admin? If not, add them as a local admin, then see if they can run the program.
 

Author Comment

by:g-techforce
ID: 35220076
I forgot to mention this is happening when users remote into the server via remote desktop connection.
 
LVL 1

Expert Comment

by:hallcomis
ID: 35220084
Create a security group, add the users to it and give that group the appropriate NTFS permissions to the folders/files that are giving them the access denied error. This way you don't have to add them to the local admin group, giving them all the permissions that come with it.
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220111
In your one example you are trying to access an area which Windows 2008 R2 is protecting. It does not matter if you are a local administrator of this computer. If you locate the command prompt from the Start menu, right-click it and choose Run as administrator, you will not get the access denied error.

Try this, and if you are successful let me know what other permission-related problems you are having.
 

Author Comment

by:g-techforce
ID: 35220127
Matt,
You are correct, I do not get access is denied.

However, our PSA and accounting software apparently needs access to files in the windows/system32 folder.

The accounting software works if I remote in as administrator, but if I remote in as a user that has administrative privileges, it doesn't work.
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220148
Can they right click the application and choose run as administrator?
 

Author Comment

by:g-techforce
ID: 35220305
No, it still doesn't work. But let me explain exactly what I'm trying to accomplish...

We use a PSA software that integrates with Quickbooks.

If I remote into the Terminal Server as "Administrator" I can open up the PSA software, and then integrate successfully with Quickbooks.

If I remote into the Terminal Server as a user that has administrative privileges, I can open up the PSA software but the integration with Quickbooks fails.

I contacted the PSA vendor and they say it's a privileges issue.
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220324
Make the user a member of the local administrators group.
 

Author Comment

by:g-techforce
ID: 35220407
I don't recall how to make a user a member of the local administrators group.

But I did check "cacls C:\Windows\System32" and I do see builtin\administrators listed.
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220444
builtin\administrators is different from being a member of the local administrators group on a specific computer. To make a user a member of the local administrators group on a specific computer, I think in your case the Terminal Server computer, do the following:

The following is from memory so you might have to poke around.
Open Server Manager on the computer where you want to add the user (where the app is).
Under Configuration (expand) you will see Local Users and Groups.
Expand Groups.
Double-click Administrators.
Add the user into that group and Apply.
The user might have to logout and log back in for the changes to take effect.
 

Author Comment

by:g-techforce
ID: 35220451
That won't work on 2008 R2 in a domain environment anymore. They disabled it. Here is a screenshot.
Capture2.JPG
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220465
OH, I did not realize that you are running applications on a Domain Controller. That is not what they are for. Member Servers in a Domain are for running applications like the one you are running. The only option that you have to make it work in your situation is to make the user a Domain Administrator. Under administrative tools select Active Directory Users & Computers. Right click the Domain name and choose find. Enter the username in the search box. Next, double click the username that it finds. Choose the Member Of tab and add Domain Admins for this user.
 

Author Comment

by:g-techforce
ID: 35220591
The user I am testing has been part of the "Domain Admins" group for quite some time and is experiencing the issue. So it must be something else.
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220616
As I said before, applications like yours are designed to run on member Servers in a Domain, not Domain Controllers. Domain Controllers should have nothing more than DNS Server, DHCP Server, and maybe a CA (which I do not recommend).
 

Accepted Solution

by:g-techforce
ID: 36044650
I was able to resolve the issue. This fix is for users running Windows Server 2008 R2 SP1 as a Domain Controller AND Terminal Server (remote desktop services)

Please Note: it's not best practice to have Terminal Server running on a Domain controller but some companies can't afford 2 servers, so in that scenario, this change should fix any similar problems you're experiencing.

The problem: QB integration problems if running Terminal Server on the Domain Controller and logged into the Terminal Server as any user other than Administrator. The problem turned out to be a change in UAC after installing SP1 for Windows Server 2008 R2.

Applies to the following:
Windows Server 2008 R2 SP1
Domain Controller also acting as the Terminal Server

The Fix:
Open the Control Panel and click User Accounts, then click Change User Account Control settings and drop it to the lowest level to turn off UAC. Press OK.

 

Author Closing Comment

by:g-techforce
ID: 36110465
This change fixed a permission problem on a DC running Terminal Services
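
A read-only check of the UAC state behind the behaviour in this thread (the built-in Administrator works, other administrators get "Access is denied"), as an added PowerShell example that is not part of the original posts. The registry value names are the standard UAC policy values; the fallback defaults used when a value is absent are assumptions.

```powershell
# Added example: reports UAC policy values and the current token state.
# Read-only; written to run on PowerShell 2.0 (Windows Server 2008 R2).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {
    param([string]$Name, [int]$Default)
    # Assumption: a missing value is treated as the default given by the caller.
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null -and $item.$Name -ne $null) { [int]$item.$Name } else { $Default }
}

$enableLua   = Get-UacValue 'EnableLUA' 1                   # 0 = UAC off
$filterAdmin = Get-UacValue 'FilterAdministratorToken' 0    # 0 = built-in Administrator not filtered
$consent     = Get-UacValue 'ConsentPromptBehaviorAdmin' 5  # 0 = elevate without prompting

# With a filtered token the Administrators group is deny-only, so IsInRole
# returns False even for a member of Administrators or Domain Admins.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# The built-in Administrator account always has a SID ending in -500.
$isBuiltinAdmin = $identity.User.Value -match '-500$'

$finding = if ($enableLua -eq 0) {
    'UAC is off: members of Administrators get a full token at logon.'
} elseif ($isBuiltinAdmin -and $filterAdmin -eq 0) {
    'Built-in Administrator is exempt from Admin Approval Mode (full token).'
} elseif ($elevated) {
    'This process was started elevated.'
} else {
    'Filtered or standard token: administrator rights are not active in this process.'
}

New-Object PSObject -Property @{
    User                       = $identity.Name
    BuiltinAdministrator       = $isBuiltinAdmin
    ProcessElevated            = $elevated
    EnableLUA                  = $enableLua
    FilterAdministratorToken   = $filterAdmin
    ConsentPromptBehaviorAdmin = $consent
    Finding                    = $finding
} | Format-List
```

Run it inside the affected user's Remote Desktop session and again as Administrator; the difference in `ProcessElevated` shows whether the failing application is running with a filtered token.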