  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3188

Windows 2008 R2 Remote Desktop Services Access denied with certain apps

Hi all,

I have a Windows Server 2008 R2 SP1 running Remote Desktop Services. We are having some permission issues that I need to get fixed ASAP.

For example:

One of my users is a member of "Administrators, Remote Desktop Users and Domain Users".
We are trying to access a program under C:\windows\system32 and get the following error:

"C:\windows\system32\drivers\dbgv.sys: Access is denied."

We are having other permissions issues, and it's strange that the user is part of the Administrators group but still having permissions issues.

Ultimately I would like this user to not be part of the Administrators group but still run certain accounting applications. What must I do?
0
Asked by: g-techforce
 
Hayborne Commented:
Is the user a member of the local Admin? If not, add them as a local admin, then see if they can run the program.
0
 
g-techforce (Author) Commented:
I forgot to mention this is happening when users remote into the server via remote desktop connection.
0
 
hallcomis Commented:
Create a security group, add the users to it and give that group the appropriate NTFS permissions to the folders/files that are giving them the access denied error. This way you don't have to add them to the local admin group, giving them all the permissions that come with it.
0
 
mattconroy Commented:
In your one example you are trying to access an area that Windows 2008 R2 is protecting. It does not matter if you are a local administrator of this computer. If you locate the command prompt from the Start menu, right-click it and choose Run as administrator, you will not get the access denied error.

Try this, and if you are successful let me know what other permission-related problems you are having.
0
 
g-techforce (Author) Commented:
Matt,
You are correct, I do not get access is denied.

However, our PSA and accounting software apparently needs access to files in the windows/system32 folder.

The accounting software works if I remote in as administrator, but if I remote in as a user that has administrative privileges, it doesn't work.
0
 
mattconroy Commented:
Can they right-click the application and choose Run as administrator?
0
 
g-techforce (Author) Commented:
No, it still doesn't work. But let me explain exactly what I'm trying to accomplish...

We use a PSA software that integrates with Quickbooks.

If I remote into the Terminal Server as "Administrator" I can open up the PSA software, and then integrate successfully with Quickbooks.

If I remote into the Terminal Server as a user that has administrative privileges, I can open up the PSA software but the integration with Quickbooks fails.

I contacted the PSA vendor and they say it's a privileges issue.
0
 
mattconroy Commented:
Make the user a member of the local administrators group.
0
 
g-techforce (Author) Commented:
I don't recall how to make a user a member of the local administrators group.

But I did check "cacls C:\Windows\System32" and I do see builtin\administrators listed.
0
 
mattconroy Commented:
builtin\administrators is different from being a member of the local administrators group on a specific computer. To make a user a member of the local administrators group on a specific computer, I think in your case the Terminal Server computer, do the following:

The following is from memory so you might have to poke around.
Open Server Manager on the computer where you want to add the user (where the app is).
Under Configuration (expand) you will see Local Users and Groups.
Expand Groups.
Double-click Administrators.
Add the user into that group and Apply.
The user might have to log out and log back in for the changes to take effect.
0
 
g-techforce (Author) Commented:
That won't work on 2008 R2 in a domain environment anymore; they disabled it. Here is a screenshot.
Capture2.JPG
0
 
mattconroy Commented:
Oh, I did not realize that you are running applications on a Domain Controller. That is not what they are for. Member Servers in a Domain are for running applications like the one you are running. The only option that you have to make it work in your situation is to make the user a Domain Administrator. Under Administrative Tools select Active Directory Users & Computers. Right-click the Domain name and choose Find. Enter the username in the search box. Next, double-click the username that it finds. Choose the Member Of tab and add Domain Admins for this user.
0
 
g-techforce (Author) Commented:
The user I am testing has been part of the "Domain Admins" group for quite some time and is experiencing the issue. So it must be something else.
0
 
mattconroy Commented:
As I said before, applications like yours are designed to run on Member Servers in a Domain, not Domain Controllers. Domain Controllers should have nothing more than DNS Server, DHCP Server, and maybe a CA (which I do not recommend).
0
 
g-techforce (Author) Commented:
I was able to resolve the issue. This fix is for users running Windows Server 2008 R2 SP1 as a Domain Controller AND Terminal Server (Remote Desktop Services).

Please note: it's not best practice to have Terminal Server running on a Domain Controller, but some companies can't afford 2 servers, so in that scenario this change should fix any similar problems you're experiencing.

The problem: QB integration problems if running Terminal Server on the Domain Controller and logged into the Terminal Server as any user other than Administrator. The problem turned out to be a change in UAC after installing SP1 for Windows Server 2008 R2.

Applies to the following:
Windows Server 2008 R2 SP1
Domain Controller also acting as the Terminal Server

The Fix:
Open the Control Panel and click User Accounts, then click the Change User Account Control settings option and drop the slider to the lowest level to turn off UAC. Press OK.

0
 
g-techforce (Author) Commented:
This change fixed a permission problem on a DC running Terminal Services
0
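
Added example (not part of the thread and not any participant's code): a PowerShell check for the behaviour the thread ran into, where the built-in Administrator works but other administrators get "Access is denied" until UAC is turned off. It reads the UAC policy values from the registry and reports whether the Administrators group is enabled or deny-only in the current logon token; it assumes an English-language system, because the `whoami` attribute text is localized.

```powershell
# Added example: report the UAC policy and the state of the current logon token.
# Assumes an English-language system (whoami attribute text is localized).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $policyKey
    New-Object PSObject -Property @{
        # 1 = UAC (Admin Approval Mode) on, 0 = off
        EnableLUA = $p.EnableLUA
        # 0 or absent = the built-in Administrator (RID 500) is not filtered
        FilterAdministratorToken = $p.FilterAdministratorToken
        # 0 = elevate without prompting; other values prompt
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
    }
}

function Get-TokenState {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow = $groups | Where-Object { $_.SID -eq $adminsSid }
    New-Object PSObject -Property @{
        User = $id.Name
        IsBuiltInAdministrator = ($id.User.Value -match '-500$')
        # False for an administrator running on a filtered (non-elevated) token
        AdministratorsEnabled = $principal.IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
        # True when the group is in the token but only honoured for deny ACEs
        AdministratorsDenyOnly = [bool]($adminRow -and
            $adminRow.Attributes -match 'deny only')
    }
}

$policy = Get-UacPolicy
$token = Get-TokenState
$policy | Format-List
$token | Format-List

if ($policy.EnableLUA -eq 1 -and $token.AdministratorsDenyOnly) {
    'Administrators is deny-only in this token: access to protected paths fails until the process is elevated.'
} elseif ($policy.EnableLUA -eq 0) {
    'UAC is off: every member of Administrators runs with a full token.'
}
```

Run it once in the affected user's Remote Desktop session and once from a prompt started with Run as administrator, then compare the two token reports.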
