Solved

Windows 2008 R2 Remote Desktop Services Access denied with certain apps

Posted on 2011-03-25
Last Modified: 2012-06-27
Hi all,

I have a Windows Server 2008 R2 SP1 running Remote Desktop Services. We are having some permission issues that I need to get fixed ASAP.

For example:

One of my users is a member of "Administrators, Remote Desktop Users and Domain Users".
We are trying to access a program under C:\windows\system32 and get the following error:

"C:\windows\system32\drivers\dbgv.sys: Access is denied."

We are having other permissions issues, and it's strange that the user is part of the administrators group but still having permissions issues.

Ultimately I would like this user to not be part of the administrators group but still run certain accounting applications. What must I do?
Question by:g-techforce
16 Comments
 
LVL 3

Expert Comment

by:Hayborne
ID: 35220073
Is the user a member of the local Admin? If not, add them as a local admin, then see if they can run the program.
 

Author Comment

by:g-techforce
ID: 35220076
I forgot to mention this is happening when users remote into the server via remote desktop connection.
 
LVL 1

Expert Comment

by:hallcomis
ID: 35220084
Create a security group, add the users to it and give that group the appropriate NTFS permissions to the folders/files that are giving them the access denied error. This way you don't have to add them to the local admin group, giving them all the permissions that come with it.
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220111
In your one example you are trying to access an area that Windows 2008 R2 is protecting. It does not matter if you are a local administrator of this computer. If you locate the command prompt from the Start menu, right-click it and choose Run as administrator, you will not get the access denied error.

Try this, and if you are successful let me know what other permission-related problems you are having.
 

Author Comment

by:g-techforce
ID: 35220127
Matt,
You are correct, I do not get access is denied.

However, our PSA and accounting software apparently needs access to files in the windows/system32 folder.

The accounting software works if I remote in as administrator, but if I remote in as a user that has administrative privileges, it doesn't work.
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220148
Can they right click the application and choose run as administrator?
 

Author Comment

by:g-techforce
ID: 35220305
No, it still doesn't work. But let me explain exactly what I'm trying to accomplish...

We use a PSA software that integrates with Quickbooks.

If I remote into the Terminal Server as "Administrator" I can open up the PSA software, and then integrate successfully with Quickbooks.

If I remote into the Terminal Server as a user that has administrative privileges, I can open up the PSA software but the integration with Quickbooks fails.

I contacted the PSA vendor and they say it's a privileges issue.
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220324
Make the user a member of the local administrators group.
 

Author Comment

by:g-techforce
ID: 35220407
I don't recall how to make a user a member of the local administrators group.

But I did check "cacls C:\Windows\System32" and I do see builtin\administrators listed.
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220444
builtin\administrators is different from being a member of the local administrators group on a specific computer. To make a user a member of the local administrators group on a specific computer, I think in your case the Terminal Server computer, do the following:

The following is from memory so you might have to poke around.
Open Server Manager on the computer where you want to add the user (where the app is).
Under Configuration (expand) you will see Local Users and Groups.
Expand Groups.
Double-click Administrators.
Add the user into that group and Apply.
The user might have to log out and log back in for the changes to take effect.
 

Author Comment

by:g-techforce
ID: 35220451
That won't work on 2008 R2 in a domain environment anymore. They disabled it. Here is a screenshot.
Capture2.JPG
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220465
OH, I did not realize that you are running applications on a Domain Controller. That is not what they are for. Member Servers in a Domain are for running applications like the one you are running. The only option that you have to make it work in your situation is to make the user a Domain Administrator. Under administrative tools select Active Directory Users & Computers. Right click the Domain name and choose find. Enter the username in the search box. Next, double click the username that it finds. Choose the Member Of tab and add Domain Admins for this user.
 

Author Comment

by:g-techforce
ID: 35220591
The user I am testing has been part of the "Domain Admins" group for quite some time and is experiencing the issue. So it must be something else.
 
LVL 6

Expert Comment

by:mattconroy
ID: 35220616
As I said before, applications like yours are designed to run on member servers in a Domain, not Domain Controllers. Domain Controllers should have nothing more than DNS Server, DHCP Server, and maybe a CA (which I do not recommend).
 

Accepted Solution

by:g-techforce
ID: 36044650
I was able to resolve the issue. This fix is for users running Windows Server 2008 R2 SP1 as a Domain Controller AND Terminal Server (Remote Desktop Services).

Please note: it's not best practice to have Terminal Server running on a Domain Controller, but some companies can't afford 2 servers, so in that scenario, this change should fix any similar problems you're experiencing.

The problem: QB integration problems if running Terminal Server on the Domain Controller and logged into the Terminal Server as any user other than Administrator. The problem turned out to be a change in UAC after installing SP1 for Windows Server 2008 R2.

Applies to the following:
Windows Server 2008 R2 SP1
Domain Controller also acting as the Terminal Server

The Fix:
Open the Control Panel and click User Accounts, then click the Change User Account Control setting and drop it to the lowest level to turn off UAC. Press OK.

 

Author Closing Comment

by:g-techforce
ID: 36110465
This change fixed a permission problem on a DC running Terminal Services
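
The symptom in this thread (a member of Administrators is denied access that an elevated prompt or the built-in Administrator gets) can be checked per session with the following PowerShell diagnostic, an added example that is not part of the original posts. It reports whether BUILTIN\Administrators is enabled or deny-only in the current token and reads the UAC policy values; the SIDs and registry value names are the standard Windows ones, and matching the English text "deny only" in whoami output is an assumption about the display language.

```powershell
# Added example: report whether this session runs with a UAC-filtered token.
# Written for PowerShell 2.0, the version shipped with Windows Server 2008 R2.
function Get-UacTokenState {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)

    # IsInRole is True only when BUILTIN\Administrators is *enabled* in the token.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group in the token, including deny-only ones.
    # Assumption: attribute text is English; adjust the match for other languages.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes

    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }     # integrity level

    # UAC policy values; FilterAdministratorToken is often absent (read as 0),
    # which exempts the built-in Administrator account from token filtering.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $key

    New-Object PSObject -Property @{
        User                       = $id.Name
        Elevated                   = $elevated
        AdministratorsInToken      = [bool]$admins
        AdministratorsDenyOnly     = [bool]($admins -and $admins.Attributes -match 'deny only')
        IntegrityLevel             = $label.Name
        EnableLUA                  = $uac.EnableLUA
        FilterAdministratorToken   = [int]$uac.FilterAdministratorToken
        ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
    }
}

$state = Get-UacTokenState
$state | Format-List

if ($state.AdministratorsDenyOnly -and -not $state.Elevated) {
    'Filtered token: Administrators membership is deny-only until the process is elevated.'
}
```

Run it once in the affected user's Remote Desktop session and once from a prompt started with Run as administrator to compare the two tokens.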