Managing Active Directory does not always have to be complicated. If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Terminal Server ; remote control (shadowing) ; error 5 access is denied
Posted on 2011-09-19
Hello;
We are seeing a problem on all Server 2008 terminal services (remote desktop services) where in certain situation, we and end users cannot "shadow" another user's terminal server session.
When trying to shadow another TS user's session via either the GUI (Administrative Tools > Terminal Services Manager > Right Click existing Session > Remote Control) or via the SHADOW command-line utility, we get the error 'access is denied'; error 5.
There are many articles out there on this error, but they all point to group policy configurations that we DONT use. I've narrowed it down a bit by OS, it seems. When I RDP into an affected server from a Windows 7 client (32 or 64 bit), the problem occurs. However, when I RDP in from another Windows 2008 server (TO the same server), the problem does NOT happen. Obviously slightly different versions of the RDP client. I suspect its a problem with the RDP client shipped with WIndows 7.
I have also read this article ( http://support.microsoft.com/kb/2273487/en-us ) which does not apply, as all TS's in this case are Server 2008 SP2 (not R2).
Group Policies do not define any TS/RDP specific settings OTHER THAN keep-alive and session time out. I have also tried each of the various group policy settings related to RDP compression, to no avail.
Anyone know of any solutions? Or--at least confirmation that this is a known Microsoft bug that has yet to be fixed? Thank you.
We are seeing a problem on all Server 2008 terminal services (remote desktop services) where in certain situation, we and end users cannot "shadow" another user's terminal server session.
When trying to shadow another TS user's session via either the GUI (Administrative Tools > Terminal Services Manager > Right Click existing Session > Remote Control) or via the SHADOW command-line utility, we get the error 'access is denied'; error 5.
There are many articles out there on this error, but they all point to group policy configurations that we DONT use. I've narrowed it down a bit by OS, it seems. When I RDP into an affected server from a Windows 7 client (32 or 64 bit), the problem occurs. However, when I RDP in from another Windows 2008 server (TO the same server), the problem does NOT happen. Obviously slightly different versions of the RDP client. I suspect its a problem with the RDP client shipped with WIndows 7.
I have also read this article ( http://support.microsoft.com/kb/2273487/en-us ) which does not apply, as all TS's in this case are Server 2008 SP2 (not R2).
Group Policies do not define any TS/RDP specific settings OTHER THAN keep-alive and session time out. I have also tried each of the various group policy settings related to RDP compression, to no avail.
Anyone know of any solutions? Or--at least confirmation that this is a known Microsoft bug that has yet to be fixed? Thank you.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
2
6 Comments
If you are not using Group Policy, you need to configure terminal services manually on the server.
Administrative tools, Remote Desktop Services, Remote Desktop Session Host Configuration.
Right click rdp-tcp and select properties.
review all settings.
Changes only apply to new rdp sessions. Any existing connection will have to logout and back in.
Administrative tools, Remote Desktop Services, Remote Desktop Session Host Configuration.
Right click rdp-tcp and select properties.
review all settings.
Changes only apply to new rdp sessions. Any existing connection will have to logout and back in.
I have also seen this happen when there is a kerberos security ticket that exceeds the maximum configured size. Do you have any event log errors (Security or System) ?
Featured Post
Managing Active Directory can get complicated. Often, the native tools for managing AD are just not up to the task. The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
A procedure for exporting installed hotfix details of remote computers using powershell
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention.
Multiple USB devices need t…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month7 days, 9 hours left to enroll
Earn Certification
MCSA Configuring Windows 7 Exam 70-680
$49.00$44.10
632 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.