Win 7 32 bit Remote Desktop "Access is Denied"
Hello all thanks for looking,
I am standing up a secure environment. I have 4 (Virtual) Win 2008 64 bit servers and multiple (physical) win 7 pro 32 bit clients. I originally stood everything up and installed all software on all systems. I was able to remote desktop from any machine to any machine with no issues. I started to lock the systems down via GPO I know this has to do with GPO because I have rolled back machines and am able to tell exactly where the issue began. Unfortunately I cannot pin point exactly what value is my culprit. When I disable the GPO the problem persists. I can only RDP in when I disable the GPO and sys restore the physical machine, then as soon as I re enable the GPO I get " Access is Denied " on a blue windows login screen with nthe OS displayed. Error logs on both machines give no hints the only event logged is on the destination machine under application logs / microsoft / windows / TerminalServicesRemoteConn
Listener RDP-tcp recieved a connection
then
Remote Desktop Services : User authentication Succeeded:
User : USERX
Domain: DOMAINX
Source Network Address : my.net.add.x
then
Terminal Server role is not installed
then
The Remote Connection Manager selected Kernel mode RDP protocol Stack
then
Listener RDP-Tcp has started listening
Over and over. This is a Win 7 pro to win 7 pro attempt- its the same from any source to any destination. The user name I am using is an Admin, Domain admin, local admin, remote desktop user and overall every role possible. There are alot of permissions re-assignments etc but I am sure this is due to the policy
here is a policy printout
Security Settings
Account Policies/Password Policy
Policy Setting
Enforce password history 24 passwords remembered
Maximum password age 42 days
Minimum password age 1 days
Minimum password length 14 characters
Password must meet complexity requirements Enabled
Store passwords using reversible encryption Disabled
Account Policies/Account Lockout Policy
Policy Setting
Account lockout duration 0 minutes
Account lockout threshold 3 invalid logon attempts
Reset account lockout counter after 60 minutes
Account Policies/Kerberos Policy
Policy Setting
Enforce user logon restrictions Enabled
Maximum lifetime for service ticket 600 minutes
Maximum lifetime for user ticket 10 hours
Maximum lifetime for user ticket renewal 7 days
Maximum tolerance for computer clock synchronization 5 minutes
Local Policies/Audit Policy
Policy Setting
Audit account logon events Success, Failure
Audit logon events Success, Failure
Audit object access No auditing
Audit policy change Success, Failure
Audit privilege use Failure
Audit process tracking No auditing
Audit system events No auditing
Local Policies/User Rights Assignment
Policy Setting
Access Credential Manager as a trusted caller
Access this computer from the network NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Act as part of the operating system
Add workstations to domain BUILTIN\Administrators
Adjust memory quotas for a process NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Allow log on locally Domain Admins, BUILTIN\Administrators
Allow log on through Terminal Services BUILTIN\Administrators
Back up files and directories BUILTIN\Administrators
Bypass traverse checking NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Change the system time NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Change the time zone NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create a pagefile BUILTIN\Administrators
Create a token object
Create global objects NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create permanent shared objects
Create symbolic links BUILTIN\Administrators
Debug programs
Deny access to this computer from the network BUILTIN\Guests
Deny log on as a batch job BUILTIN\Guests
Deny log on as a service
Deny log on locally BUILTIN\Guests
Deny log on through Terminal Services BUILTIN\Guests
Enable computer and user accounts to be trusted for delegation BUILTIN\Administrators
Force shutdown from a remote system BUILTIN\Administrators
Generate security audits NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Impersonate a client after authentication NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Increase a process working set NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Increase scheduling priority BUILTIN\Administrators
Load and unload device drivers BUILTIN\Administrators
Lock pages in memory
Log on as a batch job BUILTIN\Administrators
Manage auditing and security log PMP\Auditor Group
Modify an object label BUILTIN\Administrators
Modify firmware environment values BUILTIN\Administrators
Perform volume maintenance tasks BUILTIN\Administrators
Profile single process BUILTIN\Administrators
Profile system performance BUILTIN\Administrators
Remove computer from docking station BUILTIN\Administrators
Replace a process level token NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Restore files and directories BUILTIN\Administrators
Shut down the system BUILTIN\Administrators
Synchronize directory service data
Take ownership of files or other objects BUILTIN\Administrators
Local Policies/Security Options
Accounts
Policy Setting
Accounts: Administrator account status Enabled
Accounts: Guest account status Disabled
Accounts: Limit local account use of blank passwords to console logon only Enabled
Accounts: Rename administrator account "DELETED"
Accounts: Rename guest account "DELETED"
Audit
Policy Setting
Audit: Audit the access of global system objects Disabled
Audit: Audit the use of Backup and Restore privilege Disabled
Audit: Shut down system immediately if unable to log security audits Disabled
Devices
Policy Setting
Devices: Allow undock without having to log on Disabled
Devices: Allowed to format and eject removable media Administrators
Devices: Prevent users from installing printer drivers Enabled
Devices: Restrict CD-ROM access to locally logged-on user only Disabled
Domain Member
Policy Setting
Domain member: Digitally encrypt or sign secure channel data (always) Enabled
Domain member: Digitally encrypt secure channel data (when possible) Enabled
Domain member: Digitally sign secure channel data (when possible) Enabled
Domain member: Disable machine account password changes Disabled
Domain member: Maximum machine account password age 30 days
Domain member: Require strong (Windows 2000 or later) session key Enabled
DELETED
Interactive logon: Number of previous logons to cache (in case domain controller is not available) 1 logons
Interactive logon: Prompt user to change password before expiration 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation Disabled
Interactive logon: Require smart card Disabled
Interactive logon: Smart card removal behavior Lock Workstation
Microsoft Network Client
Policy Setting
Microsoft network client: Digitally sign communications (always) Enabled
Microsoft network client: Digitally sign communications (if server agrees) Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers Disabled
Microsoft Network Server
Policy Setting
Microsoft network server: Amount of idle time required before suspending session 15 minutes
Microsoft network server: Digitally sign communications (always) Enabled
Microsoft network server: Digitally sign communications (if client agrees) Enabled
Microsoft network server: Disconnect clients when logon hours expire Enabled
Network Access
Policy Setting
Network access: Allow anonymous SID/Name translation Disabled
Network access: Do not allow anonymous enumeration of SAM accounts Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication Enabled
Network access: Let Everyone permissions apply to anonymous users Disabled
DELETED
Network Security
Policy Setting
Network security: Do not store LAN Manager hash value on next password change Enabled
Network security: Force logoff when logon hours expire Disabled
Network security: LAN Manager authentication level Send NTLMv2 response only. Refuse LM & NTLM
Network security: LDAP client signing requirements Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Enabled
Require NTLMv2 session security Enabled
Require 128-bit encryption Enabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Enabled
Require NTLMv2 session security Enabled
Require 128-bit encryption Enabled
Recovery Console
Policy Setting
Recovery console: Allow automatic administrative logon Disabled
Recovery console: Allow floppy copy and access to all drives and all folders Disabled
Shutdown
Policy Setting
Shutdown: Allow system to be shut down without having to log on Disabled
Shutdown: Clear virtual memory pagefile Disabled
System Cryptography
Policy Setting
System cryptography: Force strong key protection for user keys stored on the computer User must enter a password each time they use a key
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Disabled
System Objects
Policy Setting
System objects: Require case insensitivity for non-Windows subsystems Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Enabled
System Settings
Policy Setting
System settings: Optional subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies Enabled
User Account Control
Policy Setting
User Account Control: Admin Approval Mode for the Built-in Administrator account Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Prompt for credentials
User Account Control: Behavior of the elevation prompt for standard users Automatically deny elevation requests
User Account Control: Detect application installations and prompt for elevation Enabled
User Account Control: Only elevate executables that are signed and validated Disabled
User Account Control: Run all administrators in Admin Approval Mode Enabled
User Account Control: Switch to the secure desktop when prompting for elevation Enabled
User Account Control: Virtualize file and registry write failures to per-user locations Enabled
Other
Policy Setting
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings Enabled
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Highest protection, source routing is completely disabled
MSS: (NtfsDisable8dot3NameCreat
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Enabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations Enabled
Event Log
Policy Setting
Maximum application log size 16384 kilobytes
Maximum security log size 1000064 kilobytes
Maximum system log size 16384 kilobytes
Prevent local guests group from accessing application log Enabled
Prevent local guests group from accessing security log Enabled
Prevent local guests group from accessing system log Enabled
Retention method for application log As needed
Retention method for security log Manually
Retention method for system log As needed
Restricted Groups
Group Members Member of
BUILTIN\Remote Desktop Users Administrators
DELETED
Firewall is disabled completely and I have undid every setting having to do with encryption and RDP I can find. I have picked through the registry and restored keys with default keys. This Domain will have no internet or outside connection what so ever. I cannot get RDP to work.
I am standing up a secure environment. I have 4 (Virtual) Win 2008 64 bit servers and multiple (physical) win 7 pro 32 bit clients. I originally stood everything up and installed all software on all systems. I was able to remote desktop from any machine to any machine with no issues. I started to lock the systems down via GPO I know this has to do with GPO because I have rolled back machines and am able to tell exactly where the issue began. Unfortunately I cannot pin point exactly what value is my culprit. When I disable the GPO the problem persists. I can only RDP in when I disable the GPO and sys restore the physical machine, then as soon as I re enable the GPO I get " Access is Denied " on a blue windows login screen with nthe OS displayed. Error logs on both machines give no hints the only event logged is on the destination machine under application logs / microsoft / windows / TerminalServicesRemoteConn
Listener RDP-tcp recieved a connection
then
Remote Desktop Services : User authentication Succeeded:
User : USERX
Domain: DOMAINX
Source Network Address : my.net.add.x
then
Terminal Server role is not installed
then
The Remote Connection Manager selected Kernel mode RDP protocol Stack
then
Listener RDP-Tcp has started listening
Over and over. This is a Win 7 pro to win 7 pro attempt- its the same from any source to any destination. The user name I am using is an Admin, Domain admin, local admin, remote desktop user and overall every role possible. There are alot of permissions re-assignments etc but I am sure this is due to the policy
here is a policy printout
Security Settings
Account Policies/Password Policy
Policy Setting
Enforce password history 24 passwords remembered
Maximum password age 42 days
Minimum password age 1 days
Minimum password length 14 characters
Password must meet complexity requirements Enabled
Store passwords using reversible encryption Disabled
Account Policies/Account Lockout Policy
Policy Setting
Account lockout duration 0 minutes
Account lockout threshold 3 invalid logon attempts
Reset account lockout counter after 60 minutes
Account Policies/Kerberos Policy
Policy Setting
Enforce user logon restrictions Enabled
Maximum lifetime for service ticket 600 minutes
Maximum lifetime for user ticket 10 hours
Maximum lifetime for user ticket renewal 7 days
Maximum tolerance for computer clock synchronization 5 minutes
Local Policies/Audit Policy
Policy Setting
Audit account logon events Success, Failure
Audit logon events Success, Failure
Audit object access No auditing
Audit policy change Success, Failure
Audit privilege use Failure
Audit process tracking No auditing
Audit system events No auditing
Local Policies/User Rights Assignment
Policy Setting
Access Credential Manager as a trusted caller
Access this computer from the network NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Act as part of the operating system
Add workstations to domain BUILTIN\Administrators
Adjust memory quotas for a process NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Allow log on locally Domain Admins, BUILTIN\Administrators
Allow log on through Terminal Services BUILTIN\Administrators
Back up files and directories BUILTIN\Administrators
Bypass traverse checking NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Change the system time NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Change the time zone NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create a pagefile BUILTIN\Administrators
Create a token object
Create global objects NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create permanent shared objects
Create symbolic links BUILTIN\Administrators
Debug programs
Deny access to this computer from the network BUILTIN\Guests
Deny log on as a batch job BUILTIN\Guests
Deny log on as a service
Deny log on locally BUILTIN\Guests
Deny log on through Terminal Services BUILTIN\Guests
Enable computer and user accounts to be trusted for delegation BUILTIN\Administrators
Force shutdown from a remote system BUILTIN\Administrators
Generate security audits NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Impersonate a client after authentication NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Increase a process working set NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Increase scheduling priority BUILTIN\Administrators
Load and unload device drivers BUILTIN\Administrators
Lock pages in memory
Log on as a batch job BUILTIN\Administrators
Manage auditing and security log PMP\Auditor Group
Modify an object label BUILTIN\Administrators
Modify firmware environment values BUILTIN\Administrators
Perform volume maintenance tasks BUILTIN\Administrators
Profile single process BUILTIN\Administrators
Profile system performance BUILTIN\Administrators
Remove computer from docking station BUILTIN\Administrators
Replace a process level token NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Restore files and directories BUILTIN\Administrators
Shut down the system BUILTIN\Administrators
Synchronize directory service data
Take ownership of files or other objects BUILTIN\Administrators
Local Policies/Security Options
Accounts
Policy Setting
Accounts: Administrator account status Enabled
Accounts: Guest account status Disabled
Accounts: Limit local account use of blank passwords to console logon only Enabled
Accounts: Rename administrator account "DELETED"
Accounts: Rename guest account "DELETED"
Audit
Policy Setting
Audit: Audit the access of global system objects Disabled
Audit: Audit the use of Backup and Restore privilege Disabled
Audit: Shut down system immediately if unable to log security audits Disabled
Devices
Policy Setting
Devices: Allow undock without having to log on Disabled
Devices: Allowed to format and eject removable media Administrators
Devices: Prevent users from installing printer drivers Enabled
Devices: Restrict CD-ROM access to locally logged-on user only Disabled
Domain Member
Policy Setting
Domain member: Digitally encrypt or sign secure channel data (always) Enabled
Domain member: Digitally encrypt secure channel data (when possible) Enabled
Domain member: Digitally sign secure channel data (when possible) Enabled
Domain member: Disable machine account password changes Disabled
Domain member: Maximum machine account password age 30 days
Domain member: Require strong (Windows 2000 or later) session key Enabled
DELETED
Interactive logon: Number of previous logons to cache (in case domain controller is not available) 1 logons
Interactive logon: Prompt user to change password before expiration 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation Disabled
Interactive logon: Require smart card Disabled
Interactive logon: Smart card removal behavior Lock Workstation
Microsoft Network Client
Policy Setting
Microsoft network client: Digitally sign communications (always) Enabled
Microsoft network client: Digitally sign communications (if server agrees) Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers Disabled
Microsoft Network Server
Policy Setting
Microsoft network server: Amount of idle time required before suspending session 15 minutes
Microsoft network server: Digitally sign communications (always) Enabled
Microsoft network server: Digitally sign communications (if client agrees) Enabled
Microsoft network server: Disconnect clients when logon hours expire Enabled
Network Access
Policy Setting
Network access: Allow anonymous SID/Name translation Disabled
Network access: Do not allow anonymous enumeration of SAM accounts Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication Enabled
Network access: Let Everyone permissions apply to anonymous users Disabled
DELETED
Network Security
Policy Setting
Network security: Do not store LAN Manager hash value on next password change Enabled
Network security: Force logoff when logon hours expire Disabled
Network security: LAN Manager authentication level Send NTLMv2 response only. Refuse LM & NTLM
Network security: LDAP client signing requirements Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Enabled
Require NTLMv2 session security Enabled
Require 128-bit encryption Enabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Enabled
Require NTLMv2 session security Enabled
Require 128-bit encryption Enabled
Recovery Console
Policy Setting
Recovery console: Allow automatic administrative logon Disabled
Recovery console: Allow floppy copy and access to all drives and all folders Disabled
Shutdown
Policy Setting
Shutdown: Allow system to be shut down without having to log on Disabled
Shutdown: Clear virtual memory pagefile Disabled
System Cryptography
Policy Setting
System cryptography: Force strong key protection for user keys stored on the computer User must enter a password each time they use a key
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Disabled
System Objects
Policy Setting
System objects: Require case insensitivity for non-Windows subsystems Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Enabled
System Settings
Policy Setting
System settings: Optional subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies Enabled
User Account Control
Policy Setting
User Account Control: Admin Approval Mode for the Built-in Administrator account Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Prompt for credentials
User Account Control: Behavior of the elevation prompt for standard users Automatically deny elevation requests
User Account Control: Detect application installations and prompt for elevation Enabled
User Account Control: Only elevate executables that are signed and validated Disabled
User Account Control: Run all administrators in Admin Approval Mode Enabled
User Account Control: Switch to the secure desktop when prompting for elevation Enabled
User Account Control: Virtualize file and registry write failures to per-user locations Enabled
Other
Policy Setting
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings Enabled
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Highest protection, source routing is completely disabled
MSS: (NtfsDisable8dot3NameCreat
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Enabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations Enabled
Event Log
Policy Setting
Maximum application log size 16384 kilobytes
Maximum security log size 1000064 kilobytes
Maximum system log size 16384 kilobytes
Prevent local guests group from accessing application log Enabled
Prevent local guests group from accessing security log Enabled
Prevent local guests group from accessing system log Enabled
Retention method for application log As needed
Retention method for security log Manually
Retention method for system log As needed
Restricted Groups
Group Members Member of
BUILTIN\Remote Desktop Users Administrators
DELETED
Firewall is disabled completely and I have undid every setting having to do with encryption and RDP I can find. I have picked through the registry and restored keys with default keys. This Domain will have no internet or outside connection what so ever. I cannot get RDP to work.
Last Comment
madhatter5501
I would first try checking the logon hours
ASKER
no hours defined
ASKER
I just verified 24/7 access on all RDP users including the username I am using
I am presuming you get the access denied after you try login, in other words rdp is firing up ok?. launch tsconfig.msc from the 2008 machine. right-click on rdp-tcp and select properties. go to the security settings tab and review the ACL (make sure that there are no deny ACEs - by default, there are none).
ASKER
Yes your assumption is correct. I launch MSTSC from within the domain (on win 7 client) use the IP address of another win7 client, authenticate with an admin acct, it completes the connection, screen goes black, then a blue login screen appears but it only says 'Access is denied" and Windows 7 Professional at the bottom.
per your suggestion, I logged onto the Domain Controller and there were no denys but network service and local service have only these special permissions set for allow, Query Information, Message, and Virtual channels. Is this correct? Admins have full control, Remote Desktop users have user access, and Interactive has only query info allowed.
I am attempting to connect from the win 7 pro to another win 7 pro
per your suggestion, I logged onto the Domain Controller and there were no denys but network service and local service have only these special permissions set for allow, Query Information, Message, and Virtual channels. Is this correct? Admins have full control, Remote Desktop users have user access, and Interactive has only query info allowed.
I am attempting to connect from the win 7 pro to another win 7 pro
ASKER
I also verified the same permissions on another Server 08 machine
I've been always thought that RDP users require Interactive permission.
ASKER
not the case, Before the policy configuration I was able to remote in with no issues and no interaction at the destination machine either way no dialog box currently comes up at the destination machine.
Allow log on through Terminal Services BUILTIN\Administrators
if you rdp from one win7 to another workstation you need to be authorized to login via remote to that station locally. add the domain admin account to the local users group at the local machine level. lusrmgr.msc at the machine, add domain admin to Remote Desktop Users Group
press Windows Key + Pause at local machine and make sure Remote Desktop is configured to allow incoming connections (you can add users there too).
if this works then you can deploy these changes via GPO
if you rdp from one win7 to another workstation you need to be authorized to login via remote to that station locally. add the domain admin account to the local users group at the local machine level. lusrmgr.msc at the machine, add domain admin to Remote Desktop Users Group
press Windows Key + Pause at local machine and make sure Remote Desktop is configured to allow incoming connections (you can add users there too).
if this works then you can deploy these changes via GPO
ASKER
windows key + pause? I added remote desktop users and authenticated uses to all User rights assignments in GPO and am still having the issue
ASKER
When I press Win+Pause it launches system properties, from there i goto remote settings and yes it is set to accept and I am in the ACL (user already has access)
If you get the access denied error and in the same time do not get the audit failures in Security log on terminal server - it means that access is denied somewhere on the object level (file system, registry).
Try to include Domain Users group to local Administrators on TS, then (if connected RDP ok) try local Power Users group.
Finally, compare the filesystem/registry permissions for local Administrators/Power Users and Users.
BTW the situation is very similar to that where Domain Users members can't print on a printer shared by workstation.
Try to include Domain Users group to local Administrators on TS, then (if connected RDP ok) try local Power Users group.
Finally, compare the filesystem/registry permissions for local Administrators/Power Users and Users.
BTW the situation is very similar to that where Domain Users members can't print on a printer shared by workstation.
ASKER
this would not explain why I can disable the GPO, roll-back the machine and the remote desktop will work, If I enable the GPO then GPUPDATE /FORCE then I get the access is denied, I am currently going through the GPO one item at a time and disabling or enabling every single object I will examine file permissions next
SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
scraby:
that's a slow process but definitely the next logical step, are you getting anywhere?---NO
so you enable and force gpo and rdp from one workstation to the next stops working and then when you disable gpo and restore both workstations back to prior to gpo, rdp starts to work again?......some have mentioned terminal server in this thread but that has nothing to do with your scenario since you are rdp from one ws to another and not to a ts correct? Kinda have this backwards. After I disable GPO and roll back the machines (Factory Default NO GPO) I can RDP just fine. After I enable my GPO and force then I cannot connect
I have attached a screen shot, i know the screenshot is server 08, it was just easier to get. I am attempting this on 2 win 7 machines, but get the errors on all machines regardless of the combination of source and destination/ OS
AcceSSisDenied.jpg
that's a slow process but definitely the next logical step, are you getting anywhere?---NO
so you enable and force gpo and rdp from one workstation to the next stops working and then when you disable gpo and restore both workstations back to prior to gpo, rdp starts to work again?......some have mentioned terminal server in this thread but that has nothing to do with your scenario since you are rdp from one ws to another and not to a ts correct? Kinda have this backwards. After I disable GPO and roll back the machines (Factory Default NO GPO) I can RDP just fine. After I enable my GPO and force then I cannot connect
I have attached a screen shot, i know the screenshot is server 08, it was just easier to get. I am attempting this on 2 win 7 machines, but get the errors on all machines regardless of the combination of source and destination/ OS
AcceSSisDenied.jpg
ASKER
Applications and services\microsoft\windows
Log Name: Microsoft-Windows-Terminal
Source: Microsoft-Windows-Terminal
Date: 10/11/2011 8:18:43 AM
Event ID: 1155
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: DESTINATION COMPUTER NAME
Description:
The Remote Connection Manager selected Kernel mode RDP protocol stack.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Te
<EventID>1155</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x10000000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>1649</Event
<Correlation />
<Execution ProcessID="1216" ThreadID="1172" />
<Channel>Microsoft-Windows
<Computer>DESTINATION COMPUTER NAME</Computer>
<Security UserID="REMOVED" />
</System>
<EventData>
</EventData>
</Event>
Log Name: Microsoft-Windows-Terminal
Source: Microsoft-Windows-Terminal
Date: 10/11/2011 8:18:44 AM
Event ID: 258
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: DESTINATION COMPUTER NAME
Description:
Listener RDP-Tcp has started listening
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Te
<EventID>258</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x10000000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>1650</Event
<Correlation ActivityID="{00000000-08C4
<Execution ProcessID="1216" ThreadID="1236" />
<Channel>Microsoft-Windows
<Computer>DESTINATION COMPUTER NAME</Computer>
<Security UserID="REMOVED" />
</System>
<UserData>
<EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
<listenerName>RDP-Tcp</lis
</EventXML>
</UserData>
</Event>
Log Name: Microsoft-Windows-Terminal
Source: Microsoft-Windows-Terminal
Date: 10/11/2011 8:24:05 AM
Event ID: 261
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: DESTINATION COMPUTER NAME
Description:
Listener RDP-Tcp received a connection
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Te
<EventID>261</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x10000000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>1651</Event
<Correlation />
<Execution ProcessID="1216" ThreadID="2452" />
<Channel>Microsoft-Windows
<Computer>DESTINATION COMPUTER NAME</Computer>
<Security UserID="REMOVED" />
</System>
<UserData>
<EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
<listenerName>RDP-Tcp</lis
</EventXML>
</UserData>
</Event>
Log Name: Microsoft-Windows-Terminal
Source: Microsoft-Windows-Terminal
Date: 10/11/2011 8:24:10 AM
Event ID: 1149
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: DESTINATION COMPUTER NAME
Description:
Remote Desktop Services: User authentication succeeded:
User: MYADMINACCOUNT
Domain: MYDOMAINNAME
Source Network Address: SOURCE IP ADDRESS
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Te
<EventID>1149</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x10000000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>1653</Event
<Correlation />
<Execution ProcessID="1216" ThreadID="5256" />
<Channel>Microsoft-Windows
<Computer>DESTINATION COMPUTER NAME</Computer>
<Security UserID="REMOVED" />
</System>
<UserData>
<EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
<Param1>MY ADMIN ACCOUNT</Param1>
<Param2>MYDOMAINNAME</Para
<Param3>SOURCE IP ADDRESS</Param3>
</EventXML>
</UserData>
</Event>
Log Name: Microsoft-Windows-Terminal
Source: Microsoft-Windows-Terminal
Date: 10/11/2011 8:24:18 AM
Event ID: 261
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: DESTINATION COMPUTER NAME
Description:
Listener RDP-Tcp received a connection
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Te
<EventID>261</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x10000000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>1654</Event
<Correlation />
<Execution ProcessID="1216" ThreadID="2452" />
<Channel>Microsoft-Windows
<Computer>DESTINATION COMPUTER NAME</Computer>
<Security UserID="REMOVED" />
</System>
<UserData>
<EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
<listenerName>RDP-Tcp</lis
</EventXML>
</UserData>
</Event>
Log Name: Microsoft-Windows-Terminal
Source: Microsoft-Windows-Terminal
Date: 10/11/2011 8:25:16 AM
Event ID: 1136
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: DESTINATION COMPUTER NAME
Description:
Terminal Server role is not installed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Te
<EventID>1136</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x10000000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>1655</Event
<Correlation />
<Execution ProcessID="972" ThreadID="1404" />
<Channel>Microsoft-Windows
<Computer>DESTINATION COMPUTER NAME</Computer>
<Security UserID="REMOVED" />
</System>
<EventData>
</EventData>
</Event>
Log Name: Microsoft-Windows-Terminal
Source: Microsoft-Windows-Terminal
Date: 10/11/2011 8:25:16 AM
Event ID: 1155
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: DESTINATION COMPUTER NAME
Description:
The Remote Connection Manager selected Kernel mode RDP protocol stack.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Te
<EventID>1155</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x10000000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>1656</Event
<Correlation />
<Execution ProcessID="1244" ThreadID="1260" />
<Channel>Microsoft-Windows
<Computer>DESTINATION COMPUTER NAME</Computer>
<Security UserID="REMOVED" />
</System>
<EventData>
</EventData>
</Event>
Log Name: Microsoft-Windows-Terminal
Source: Microsoft-Windows-Terminal
Date: 10/11/2011 8:25:23 AM
Event ID: 258
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: DESTINATION COMPUTER NAME
Description:
Listener RDP-Tcp has started listening
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Te
<EventID>258</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x10000000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>1657</Event
<Correlation ActivityID="{8590674C-6FC3
<Execution ProcessID="1244" ThreadID="1260" />
<Channel>Microsoft-Windows
<Computer>DESTINATION COMPUTER NAME</Computer>
<Security UserID="REMOVED" />
</System>
<UserData>
<EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
<listenerName>RDP-Tcp</lis
</EventXML>
</UserData>
</Event>
That was the Event log dump of the events. This is the only thing RDP related in all of the event logs, it gets ready for a connection receives a connection authenticates successfully and that's it..but I get a Access is denied... here is the only error in the log I can find that may be related, this message comes up every 15 minutes while I am trying to RDP in but goes back to every 4 - 6 hrs when I am not attempting to RDP
Log Name: System
Source: Service Control Manager
Date: 10/11/2011 8:28:12 AM
Event ID: 7000
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: SOURCE COMPUTER NAME
Description:
The Diagnostic Service Host service failed to start due to the following error:
The account specified for this service is different from the account specified for other services running in the same process.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="49152">7000</E
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>121306</Eve
<Correlation />
<Execution ProcessID="512" ThreadID="4016" />
<Channel>System</Channel>
<Computer>SOURCE COMPUTER NAME</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">Diagnostic Service Host</Data>
<Data Name="param2">%%1079</Data
</EventData>
</Event>
Log Name: Microsoft-Windows-Terminal
Source: Microsoft-Windows-Terminal
Date: 10/11/2011 8:18:43 AM
Event ID: 1155
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: DESTINATION COMPUTER NAME
Description:
The Remote Connection Manager selected Kernel mode RDP protocol stack.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Te
<EventID>1155</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x10000000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>1649</Event
<Correlation />
<Execution ProcessID="1216" ThreadID="1172" />
<Channel>Microsoft-Windows
<Computer>DESTINATION COMPUTER NAME</Computer>
<Security UserID="REMOVED" />
</System>
<EventData>
</EventData>
</Event>
Log Name: Microsoft-Windows-Terminal
Source: Microsoft-Windows-Terminal
Date: 10/11/2011 8:18:44 AM
Event ID: 258
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: DESTINATION COMPUTER NAME
Description:
Listener RDP-Tcp has started listening
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Te
<EventID>258</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x10000000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>1650</Event
<Correlation ActivityID="{00000000-08C4
<Execution ProcessID="1216" ThreadID="1236" />
<Channel>Microsoft-Windows
<Computer>DESTINATION COMPUTER NAME</Computer>
<Security UserID="REMOVED" />
</System>
<UserData>
<EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
<listenerName>RDP-Tcp</lis
</EventXML>
</UserData>
</Event>
Log Name: Microsoft-Windows-Terminal
Source: Microsoft-Windows-Terminal
Date: 10/11/2011 8:24:05 AM
Event ID: 261
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: DESTINATION COMPUTER NAME
Description:
Listener RDP-Tcp received a connection
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Te
<EventID>261</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x10000000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>1651</Event
<Correlation />
<Execution ProcessID="1216" ThreadID="2452" />
<Channel>Microsoft-Windows
<Computer>DESTINATION COMPUTER NAME</Computer>
<Security UserID="REMOVED" />
</System>
<UserData>
<EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
<listenerName>RDP-Tcp</lis
</EventXML>
</UserData>
</Event>
Log Name: Microsoft-Windows-Terminal
Source: Microsoft-Windows-Terminal
Date: 10/11/2011 8:24:10 AM
Event ID: 1149
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: DESTINATION COMPUTER NAME
Description:
Remote Desktop Services: User authentication succeeded:
User: MYADMINACCOUNT
Domain: MYDOMAINNAME
Source Network Address: SOURCE IP ADDRESS
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Te
<EventID>1149</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x10000000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>1653</Event
<Correlation />
<Execution ProcessID="1216" ThreadID="5256" />
<Channel>Microsoft-Windows
<Computer>DESTINATION COMPUTER NAME</Computer>
<Security UserID="REMOVED" />
</System>
<UserData>
<EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
<Param1>MY ADMIN ACCOUNT</Param1>
<Param2>MYDOMAINNAME</Para
<Param3>SOURCE IP ADDRESS</Param3>
</EventXML>
</UserData>
</Event>
Log Name: Microsoft-Windows-Terminal
Source: Microsoft-Windows-Terminal
Date: 10/11/2011 8:24:18 AM
Event ID: 261
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: DESTINATION COMPUTER NAME
Description:
Listener RDP-Tcp received a connection
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Te
<EventID>261</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x10000000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>1654</Event
<Correlation />
<Execution ProcessID="1216" ThreadID="2452" />
<Channel>Microsoft-Windows
<Computer>DESTINATION COMPUTER NAME</Computer>
<Security UserID="REMOVED" />
</System>
<UserData>
<EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
<listenerName>RDP-Tcp</lis
</EventXML>
</UserData>
</Event>
Log Name: Microsoft-Windows-Terminal
Source: Microsoft-Windows-Terminal
Date: 10/11/2011 8:25:16 AM
Event ID: 1136
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: DESTINATION COMPUTER NAME
Description:
Terminal Server role is not installed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Te
<EventID>1136</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x10000000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>1655</Event
<Correlation />
<Execution ProcessID="972" ThreadID="1404" />
<Channel>Microsoft-Windows
<Computer>DESTINATION COMPUTER NAME</Computer>
<Security UserID="REMOVED" />
</System>
<EventData>
</EventData>
</Event>
Log Name: Microsoft-Windows-Terminal
Source: Microsoft-Windows-Terminal
Date: 10/11/2011 8:25:16 AM
Event ID: 1155
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: DESTINATION COMPUTER NAME
Description:
The Remote Connection Manager selected Kernel mode RDP protocol stack.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Te
<EventID>1155</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x10000000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>1656</Event
<Correlation />
<Execution ProcessID="1244" ThreadID="1260" />
<Channel>Microsoft-Windows
<Computer>DESTINATION COMPUTER NAME</Computer>
<Security UserID="REMOVED" />
</System>
<EventData>
</EventData>
</Event>
Log Name: Microsoft-Windows-Terminal
Source: Microsoft-Windows-Terminal
Date: 10/11/2011 8:25:23 AM
Event ID: 258
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: DESTINATION COMPUTER NAME
Description:
Listener RDP-Tcp has started listening
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Te
<EventID>258</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x10000000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>1657</Event
<Correlation ActivityID="{8590674C-6FC3
<Execution ProcessID="1244" ThreadID="1260" />
<Channel>Microsoft-Windows
<Computer>DESTINATION COMPUTER NAME</Computer>
<Security UserID="REMOVED" />
</System>
<UserData>
<EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
<listenerName>RDP-Tcp</lis
</EventXML>
</UserData>
</Event>
That was the Event log dump of the events. This is the only thing RDP related in all of the event logs, it gets ready for a connection receives a connection authenticates successfully and that's it..but I get a Access is denied... here is the only error in the log I can find that may be related, this message comes up every 15 minutes while I am trying to RDP in but goes back to every 4 - 6 hrs when I am not attempting to RDP
Log Name: System
Source: Service Control Manager
Date: 10/11/2011 8:28:12 AM
Event ID: 7000
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: SOURCE COMPUTER NAME
Description:
The Diagnostic Service Host service failed to start due to the following error:
The account specified for this service is different from the account specified for other services running in the same process.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="49152">7000</E
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2011-10-11T12:
<EventRecordID>121306</Eve
<Correlation />
<Execution ProcessID="512" ThreadID="4016" />
<Channel>System</Channel>
<Computer>SOURCE COMPUTER NAME</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">Diagnostic Service Host</Data>
<Data Name="param2">%%1079</Data
</EventData>
</Event>
ASKER
ok so maybe this is a file or registry permissions configuration issue, as I have gone through the entire GPO and undid everything that was done 1 by 1 and cannot get RDP to work. Anyone have any idea what file or registry entries I should to check?
SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
ok so I got a message from an "Admin" saying that I have to respond to madhatter5501's suggestion in my original question, anyone have a solution to this? considering i did answer his question in the forum within 11 minutes?
Nucularfisher, that is awesome advice, but for some reason I am still stuck on the GPO. I am creating a test machine, I have split the GPO into 6 smaller GPOs and Im going to join my fresh install to the domain then implement 1 GPO at a time until I have the issue
Nucularfisher, that is awesome advice, but for some reason I am still stuck on the GPO. I am creating a test machine, I have split the GPO into 6 smaller GPOs and Im going to join my fresh install to the domain then implement 1 GPO at a time until I have the issue
did you make any progress with the test machine and smaller GPOs?
ASKER
I split them up and found that the issue is coming from within Computer / Windows sub field. But while separating the GPOs I have run into another issue... The Black screen of Death, I have made a new question for this issue , I wanted to link to the new question but this Expert Exchange Website is up one second and down the next. I cannot get to the new page to link it. I guess Ill put up a link when it comes back up.
ASKER
ASKER
Ok so I caused more problems than I solved by splitting up the GPOs I am back to where I was when I started this post as I have rolled back all of the VMs and freshly installed all of the physical machines. anyone have any input on what may break RDP?
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Closing due to inactivity before the moderators FORCE an answer, thanks for trying. Money well spent... Points were only awarded for determination.
Hi PMP Admin, did you figure out how to resolve this problem regarding "access denied"? I'm having exactly the same problem. Tks.
Active Directory
Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.
86K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
