Win 7 32 bit Remote Desktop "Access is Denied"

Hello all thanks for looking,

I am standing up a secure environment. I have 4 (Virtual) Win 2008 64 bit servers and multiple (physical) win 7 pro 32 bit clients. I originally stood everything up and installed all software on all systems. I was able to remote desktop from any machine to any machine with no issues. I started to lock the systems down via GPO I know this has to do with GPO because I have rolled back machines and am able to tell exactly where the issue began. Unfortunately I cannot pin point exactly what value is my culprit. When I disable the GPO the problem persists. I can only RDP in when I disable the GPO and sys restore the physical machine, then as soon as I re enable the GPO I get " Access is Denied " on a blue windows login screen with nthe OS displayed. Error logs on both machines give no hints the only event logged is on the destination machine under application logs / microsoft / windows / TerminalServicesRemoteConnectionManager this

Listener RDP-tcp recieved a connection

then

Remote Desktop Services : User authentication Succeeded:
User : USERX
Domain: DOMAINX
Source Network Address : my.net.add.x

then
Terminal Server role is not installed

then
The Remote Connection Manager selected Kernel mode RDP protocol Stack

  then
Listener RDP-Tcp has started listening

Over and over. This is a Win 7 pro to win 7 pro attempt- its the same from any source to any destination. The user name I am using is an Admin, Domain admin, local admin, remote desktop user  and overall every role possible. There are alot of permissions re-assignments etc but I am sure this is due to the policy

here is a policy printout

Security Settings
Account Policies/Password Policy
Policy      Setting
Enforce password history      24 passwords remembered
Maximum password age      42 days
Minimum password age      1 days
Minimum password length      14 characters
Password must meet complexity requirements      Enabled
Store passwords using reversible encryption      Disabled
Account Policies/Account Lockout Policy
Policy      Setting
Account lockout duration      0 minutes
Account lockout threshold      3 invalid logon attempts
Reset account lockout counter after      60 minutes
Account Policies/Kerberos Policy
Policy      Setting
Enforce user logon restrictions      Enabled
Maximum lifetime for service ticket      600 minutes
Maximum lifetime for user ticket      10 hours
Maximum lifetime for user ticket renewal      7 days
Maximum tolerance for computer clock synchronization      5 minutes
Local Policies/Audit Policy
Policy      Setting
Audit account logon events      Success, Failure
Audit logon events      Success, Failure
Audit object access      No auditing
Audit policy change      Success, Failure
Audit privilege use      Failure
Audit process tracking      No auditing
Audit system events      No auditing
Local Policies/User Rights Assignment
Policy      Setting
Access Credential Manager as a trusted caller      
Access this computer from the network      NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Act as part of the operating system      
Add workstations to domain      BUILTIN\Administrators
Adjust memory quotas for a process      NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Allow log on locally       Domain Admins, BUILTIN\Administrators
Allow log on through Terminal Services      BUILTIN\Administrators
Back up files and directories      BUILTIN\Administrators
Bypass traverse checking      NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Change the system time      NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Change the time zone      NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create a pagefile      BUILTIN\Administrators
Create a token object      
Create global objects      NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create permanent shared objects      
Create symbolic links      BUILTIN\Administrators
Debug programs      
Deny access to this computer from the network      BUILTIN\Guests
Deny log on as a batch job      BUILTIN\Guests
Deny log on as a service      
Deny log on locally      BUILTIN\Guests
Deny log on through Terminal Services      BUILTIN\Guests
Enable computer and user accounts to be trusted for delegation      BUILTIN\Administrators
Force shutdown from a remote system      BUILTIN\Administrators
Generate security audits      NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Impersonate a client after authentication      NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Increase a process working set      NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Increase scheduling priority      BUILTIN\Administrators
Load and unload device drivers      BUILTIN\Administrators
Lock pages in memory      
Log on as a batch job      BUILTIN\Administrators
Manage auditing and security log      PMP\Auditor Group
Modify an object label      BUILTIN\Administrators
Modify firmware environment values      BUILTIN\Administrators
Perform volume maintenance tasks      BUILTIN\Administrators
Profile single process      BUILTIN\Administrators
Profile system performance      BUILTIN\Administrators
Remove computer from docking station      BUILTIN\Administrators
Replace a process level token      NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Restore files and directories      BUILTIN\Administrators
Shut down the system      BUILTIN\Administrators
Synchronize directory service data      
Take ownership of files or other objects      BUILTIN\Administrators
Local Policies/Security Options
Accounts
Policy      Setting
Accounts: Administrator account status      Enabled
Accounts: Guest account status      Disabled
Accounts: Limit local account use of blank passwords to console logon only      Enabled
Accounts: Rename administrator account      "DELETED"
Accounts: Rename guest account      "DELETED"
Audit
Policy      Setting
Audit: Audit the access of global system objects      Disabled
Audit: Audit the use of Backup and Restore privilege      Disabled
Audit: Shut down system immediately if unable to log security audits      Disabled
Devices
Policy      Setting
Devices: Allow undock without having to log on      Disabled
Devices: Allowed to format and eject removable media      Administrators
Devices: Prevent users from installing printer drivers      Enabled
Devices: Restrict CD-ROM access to locally logged-on user only      Disabled
Domain Member
Policy      Setting
Domain member: Digitally encrypt or sign secure channel data (always)      Enabled
Domain member: Digitally encrypt secure channel data (when possible)      Enabled
Domain member: Digitally sign secure channel data (when possible)      Enabled
Domain member: Disable machine account password changes      Disabled
Domain member: Maximum machine account password age      30 days
Domain member: Require strong (Windows 2000 or later) session key      Enabled

DELETED

Interactive logon: Number of previous logons to cache (in case domain controller is not available)      1 logons
Interactive logon: Prompt user to change password before expiration      14 days
Interactive logon: Require Domain Controller authentication to unlock workstation      Disabled
Interactive logon: Require smart card      Disabled
Interactive logon: Smart card removal behavior      Lock Workstation
Microsoft Network Client
Policy      Setting
Microsoft network client: Digitally sign communications (always)      Enabled
Microsoft network client: Digitally sign communications (if server agrees)      Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers      Disabled
Microsoft Network Server
Policy      Setting
Microsoft network server: Amount of idle time required before suspending session      15 minutes
Microsoft network server: Digitally sign communications (always)      Enabled
Microsoft network server: Digitally sign communications (if client agrees)      Enabled
Microsoft network server: Disconnect clients when logon hours expire      Enabled
Network Access
Policy      Setting
Network access: Allow anonymous SID/Name translation      Disabled
Network access: Do not allow anonymous enumeration of SAM accounts      Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares      Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication      Enabled
Network access: Let Everyone permissions apply to anonymous users      Disabled

DELETED

Network Security
Policy      Setting
Network security: Do not store LAN Manager hash value on next password change      Enabled
Network security: Force logoff when logon hours expire      Disabled
Network security: LAN Manager authentication level      Send NTLMv2 response only. Refuse LM & NTLM
Network security: LDAP client signing requirements      Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients      Enabled
Require NTLMv2 session security      Enabled
Require 128-bit encryption      Enabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers      Enabled
Require NTLMv2 session security      Enabled
Require 128-bit encryption      Enabled
Recovery Console
Policy      Setting
Recovery console: Allow automatic administrative logon      Disabled
Recovery console: Allow floppy copy and access to all drives and all folders      Disabled
Shutdown
Policy      Setting
Shutdown: Allow system to be shut down without having to log on      Disabled
Shutdown: Clear virtual memory pagefile      Disabled
System Cryptography
Policy      Setting
System cryptography: Force strong key protection for user keys stored on the computer      User must enter a password each time they use a key
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing      Disabled
System Objects
Policy      Setting
System objects: Require case insensitivity for non-Windows subsystems      Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)      Enabled
System Settings
Policy      Setting
System settings: Optional subsystems      
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies      Enabled
User Account Control
Policy      Setting
User Account Control: Admin Approval Mode for the Built-in Administrator account      Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode      Prompt for credentials
User Account Control: Behavior of the elevation prompt for standard users      Automatically deny elevation requests
User Account Control: Detect application installations and prompt for elevation      Enabled
User Account Control: Only elevate executables that are signed and validated      Disabled
User Account Control: Run all administrators in Admin Approval Mode      Enabled
User Account Control: Switch to the secure desktop when prompting for elevation      Enabled
User Account Control: Virtualize file and registry write failures to per-user locations      Enabled
Other
Policy      Setting
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings      Enabled
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)      Highest protection, source routing is completely disabled
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)      Enabled
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)      Enabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop      Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations      Enabled
Event Log
Policy      Setting
Maximum application log size      16384 kilobytes
Maximum security log size      1000064 kilobytes
Maximum system log size      16384 kilobytes
Prevent local guests group from accessing application log      Enabled
Prevent local guests group from accessing security log      Enabled
Prevent local guests group from accessing system log      Enabled
Retention method for application log      As needed
Retention method for security log      Manually
Retention method for system log      As needed
Restricted Groups
Group                        Members                Member of
BUILTIN\Remote Desktop Users    Administrators

DELETED

Firewall is disabled completely and I have undid every setting having to do with encryption and RDP I can find. I have picked through the registry and restored keys with default keys. This Domain will have no internet or outside connection what so ever. I cannot get RDP to work.
LVL 1
PMP_AdminAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

madhatter5501Commented:
I would first try checking the logon hours
PMP_AdminAuthor Commented:
no hours defined
PMP_AdminAuthor Commented:
I just verified 24/7 access on all RDP users including the username I am using
Virus Depot: Cyber Crime Becomes Big Business

The rising threat of malware-as-a-service is not one to be overlooked. Malware-as-a-service is growing and easily purchased from a full-service cyber-criminal store in a “Virus Depot” fashion. View our webinar recording to learn how to best defend against these attacks!

Sid_FCommented:
I am presuming you get the access denied after you try login, in other words rdp is firing up ok?. launch tsconfig.msc from the 2008 machine. right-click on rdp-tcp and select properties. go to the security settings tab and review the ACL (make sure that there are no deny ACEs - by default, there are none).

PMP_AdminAuthor Commented:
Yes your assumption is correct. I launch MSTSC from within the domain (on win 7 client) use the IP address of another win7 client, authenticate with an admin acct, it completes the connection, screen goes black, then a blue login screen appears but it only says 'Access is denied" and Windows 7 Professional at the bottom.

per your suggestion, I logged onto the Domain Controller and there were no denys but network service and local service have only these special permissions set for allow, Query Information, Message, and Virtual channels. Is this correct? Admins have full control, Remote Desktop users have user access, and Interactive has only query info allowed.

I am attempting to connect from the win 7 pro to another win 7 pro
PMP_AdminAuthor Commented:
I also verified the same permissions on another Server 08 machine
NuclearFisherCommented:
I've been always thought that RDP users require Interactive permission.
PMP_AdminAuthor Commented:
not the case, Before the policy configuration I was able to remote in with no issues and no interaction at the destination machine either way no dialog box currently comes up at the destination machine.
scrabyCommented:
Allow log on through Terminal Services      BUILTIN\Administrators

if you rdp from one win7 to another workstation you need to be authorized to login via remote to that station locally.  add the domain admin account to the local users group at the local machine level.  lusrmgr.msc at the machine, add domain admin to Remote Desktop Users Group

press Windows Key + Pause at local machine and make sure Remote Desktop is configured to allow incoming connections (you can add users there too).

if this works  then you can deploy these changes via GPO
PMP_AdminAuthor Commented:
windows key + pause? I added remote desktop users and authenticated uses to all User rights assignments in GPO and am still having the issue

 
PMP_AdminAuthor Commented:
When I press Win+Pause it launches system properties, from there i goto remote settings and yes it is set to accept and I am in the ACL (user already has access)
NuclearFisherCommented:
If you get the access denied error and in the same time do not get the audit failures in Security log on terminal server - it means that access is denied somewhere on the object level (file system, registry).
Try to include Domain Users group to local Administrators on TS, then (if connected RDP ok) try local Power Users group.
Finally, compare the filesystem/registry permissions for local Administrators/Power Users and Users.

BTW the situation is very similar to that where Domain Users members can't print on a printer shared by workstation.
PMP_AdminAuthor Commented:
this would not explain why I can disable the GPO, roll-back the machine and the remote desktop will work, If I enable the GPO then GPUPDATE /FORCE then I get the access is denied, I am currently going through the GPO one item at a time and disabling or enabling every single object I will examine file permissions next
scrabyCommented:
that's a slow process but definitely the next logical step, are you getting anywhere?

so you enable and force gpo and rdp from one workstation to the next stops working and then when you disable gpo and restore both workstations back to prior to gpo, rdp starts to work again?......some have mentioned terminal server in this thread but that has nothing to do with your scenario since you are rdp from one ws to another and not to a ts correct?
PMP_AdminAuthor Commented:
scraby:
that's a slow process but definitely the next logical step, are you getting anywhere?---NO

so you enable and force gpo and rdp from one workstation to the next stops working and then when you disable gpo and restore both workstations back to prior to gpo, rdp starts to work again?......some have mentioned terminal server in this thread but that has nothing to do with your scenario since you are rdp from one ws to another and not to a ts correct? Kinda have this backwards. After I disable GPO and roll back the machines (Factory Default NO GPO) I can RDP just fine. After I enable my GPO and force then I cannot connect


I have attached a screen shot, i know the screenshot is server 08, it was just easier to get. I am attempting this on 2 win 7 machines, but get the errors on all machines regardless of the combination of source and destination/ OS



AcceSSisDenied.jpg
PMP_AdminAuthor Commented:
Applications and services\microsoft\windows\TerminalServices-RemoteConnectionManager


Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          10/11/2011 8:18:43 AM
Event ID:      1155
Task Category: None
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      DESTINATION COMPUTER NAME
Description:
The Remote Connection Manager selected Kernel mode RDP protocol stack.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}" />
    <EventID>1155</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x1000000000000000</Keywords>
    <TimeCreated SystemTime="2011-10-11T12:18:43.327852400Z" />
    <EventRecordID>1649</EventRecordID>
    <Correlation />
    <Execution ProcessID="1216" ThreadID="1172" />
    <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel>
    <Computer>DESTINATION COMPUTER NAME</Computer>
    <Security UserID="REMOVED" />
  </System>
  <EventData>
  </EventData>
</Event>

Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          10/11/2011 8:18:44 AM
Event ID:      258
Task Category: None
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      DESTINATION COMPUTER NAME
Description:
Listener RDP-Tcp has started listening
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}" />
    <EventID>258</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x1000000000000000</Keywords>
    <TimeCreated SystemTime="2011-10-11T12:18:44.255905500Z" />
    <EventRecordID>1650</EventRecordID>
    <Correlation ActivityID="{00000000-08C4-0000-04B8-EADD0F88CC01}" />
    <Execution ProcessID="1216" ThreadID="1236" />
    <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel>
    <Computer>DESTINATION COMPUTER NAME</Computer>
    <Security UserID="REMOVED" />
  </System>
  <UserData>
    <EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
      <listenerName>RDP-Tcp</listenerName>
    </EventXML>
  </UserData>
</Event>

Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          10/11/2011 8:24:05 AM
Event ID:      261
Task Category: None
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      DESTINATION COMPUTER NAME
Description:
Listener RDP-Tcp received a connection
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}" />
    <EventID>261</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x1000000000000000</Keywords>
    <TimeCreated SystemTime="2011-10-11T12:24:05.192505900Z" />
    <EventRecordID>1651</EventRecordID>
    <Correlation />
    <Execution ProcessID="1216" ThreadID="2452" />
    <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel>
    <Computer>DESTINATION COMPUTER NAME</Computer>
    <Security UserID="REMOVED" />
  </System>
  <UserData>
    <EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
      <listenerName>RDP-Tcp</listenerName>
    </EventXML>
  </UserData>
</Event>

Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          10/11/2011 8:24:10 AM
Event ID:      1149
Task Category: None
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      DESTINATION COMPUTER NAME
Description:
Remote Desktop Services: User authentication succeeded:

User: MYADMINACCOUNT
Domain: MYDOMAINNAME
Source Network Address: SOURCE IP ADDRESS
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}" />
    <EventID>1149</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x1000000000000000</Keywords>
    <TimeCreated SystemTime="2011-10-11T12:24:10.173307600Z" />
    <EventRecordID>1653</EventRecordID>
    <Correlation />
    <Execution ProcessID="1216" ThreadID="5256" />
    <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel>
    <Computer>DESTINATION COMPUTER NAME</Computer>
    <Security UserID="REMOVED" />
  </System>
  <UserData>
    <EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
      <Param1>MY ADMIN ACCOUNT</Param1>
      <Param2>MYDOMAINNAME</Param2>
      <Param3>SOURCE IP ADDRESS</Param3>
    </EventXML>
  </UserData>
</Event>

Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          10/11/2011 8:24:18 AM
Event ID:      261
Task Category: None
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      DESTINATION COMPUTER NAME
Description:
Listener RDP-Tcp received a connection
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}" />
    <EventID>261</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x1000000000000000</Keywords>
    <TimeCreated SystemTime="2011-10-11T12:24:18.619391200Z" />
    <EventRecordID>1654</EventRecordID>
    <Correlation />
    <Execution ProcessID="1216" ThreadID="2452" />
    <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel>
    <Computer>DESTINATION COMPUTER NAME</Computer>
    <Security UserID="REMOVED" />
  </System>
  <UserData>
    <EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
      <listenerName>RDP-Tcp</listenerName>
    </EventXML>
  </UserData>
</Event>

Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          10/11/2011 8:25:16 AM
Event ID:      1136
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      DESTINATION COMPUTER NAME
Description:
Terminal Server role is not installed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}" />
    <EventID>1136</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x1000000000000000</Keywords>
    <TimeCreated SystemTime="2011-10-11T12:25:16.515039700Z" />
    <EventRecordID>1655</EventRecordID>
    <Correlation />
    <Execution ProcessID="972" ThreadID="1404" />
    <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel>
    <Computer>DESTINATION COMPUTER NAME</Computer>
    <Security UserID="REMOVED" />
  </System>
  <EventData>
  </EventData>
</Event>

Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          10/11/2011 8:25:16 AM
Event ID:      1155
Task Category: None
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      DESTINATION COMPUTER NAME
Description:
The Remote Connection Manager selected Kernel mode RDP protocol stack.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}" />
    <EventID>1155</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x1000000000000000</Keywords>
    <TimeCreated SystemTime="2011-10-11T12:25:16.720051500Z" />
    <EventRecordID>1656</EventRecordID>
    <Correlation />
    <Execution ProcessID="1244" ThreadID="1260" />
    <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel>
    <Computer>DESTINATION COMPUTER NAME</Computer>
    <Security UserID="REMOVED" />
  </System>
  <EventData>
  </EventData>
</Event>

Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          10/11/2011 8:25:23 AM
Event ID:      258
Task Category: None
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      DESTINATION COMPUTER NAME
Description:
Listener RDP-Tcp has started listening
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}" />
    <EventID>258</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x1000000000000000</Keywords>
    <TimeCreated SystemTime="2011-10-11T12:25:23.243424600Z" />
    <EventRecordID>1657</EventRecordID>
    <Correlation ActivityID="{8590674C-6FC3-0001-83C2-29C81088CC01}" />
    <Execution ProcessID="1244" ThreadID="1260" />
    <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel>
    <Computer>DESTINATION COMPUTER NAME</Computer>
    <Security UserID="REMOVED" />
  </System>
  <UserData>
    <EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
      <listenerName>RDP-Tcp</listenerName>
    </EventXML>
  </UserData>
</Event>


That was the Event log dump of the events. This is the only thing RDP related in all of the event logs, it gets ready for a connection receives a connection authenticates successfully and that's it..but I get a Access is denied...  here is the only error in the log I can find that may be related, this message comes up every 15 minutes while I am trying to RDP in but goes back to every 4 - 6 hrs when I am not attempting to RDP

Log Name:      System
Source:        Service Control Manager
Date:          10/11/2011 8:28:12 AM
Event ID:      7000
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SOURCE COMPUTER NAME
Description:
The Diagnostic Service Host service failed to start due to the following error:
The account specified for this service is different from the account specified for other services running in the same process.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2011-10-11T12:28:12.121383800Z" />
    <EventRecordID>121306</EventRecordID>
    <Correlation />
    <Execution ProcessID="512" ThreadID="4016" />
    <Channel>System</Channel>
    <Computer>SOURCE COMPUTER NAME</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Diagnostic Service Host</Data>
    <Data Name="param2">%%1079</Data>
  </EventData>
</Event>



 
PMP_AdminAuthor Commented:
ok so maybe this is a file or registry permissions configuration issue, as I have gone through the entire GPO and undid everything that was done 1 by 1 and cannot get RDP to work. Anyone have any idea what file or registry entries I should to check?
NuclearFisherCommented:
Try to add the RDP users first to local Administrators, then Power Users. Then compare those groups permissions.
Then enable object-level audit on the top levels of %Windir%, %UserProfiles% and %ProgramFiles% with propagation to the child objects.
Do the same thing for registry. Don't know about exact hive, but you can just enable for all root ones.
Then try RDP login again and dig the Security log for Object Access category events with Failed Audit.
Don't forget to adjust the events rotation on Security Log.

Finally, don't forget to update us about what you've found :)
PMP_AdminAuthor Commented:
ok so I got a message from an "Admin" saying that I have to respond to madhatter5501's suggestion in my original question, anyone have a solution to this? considering i did answer his question in the forum within 11 minutes?

Nucularfisher, that is awesome advice, but for some reason I am still stuck on the GPO. I am creating a test machine, I have split the GPO into 6 smaller GPOs and Im going to join my fresh install to the domain then implement 1 GPO at a time until I have the issue
scrabyCommented:
did you make any progress with the test machine and smaller GPOs?
PMP_AdminAuthor Commented:
I split them up and found that the issue is coming from within Computer / Windows sub field. But while separating the GPOs I have run into another issue... The Black screen of Death,  I have made a new question for this issue , I wanted to link to the new question but this Expert Exchange Website is up one second and down the next. I cannot get to the new page to link it. I guess Ill put up a link when it comes back up.
PMP_AdminAuthor Commented:
Ok so I caused more problems than I solved by splitting up the GPOs I am back to where I was when I started this post as I have rolled back all of the VMs and freshly installed all of the physical machines. anyone have any input on what may break RDP?
PMP_AdminAuthor Commented:
I assume since I have not been able to log into the site, that others are having the same issue and thats why there has not been any new posts for over a week..... when will the site be somewhat reliable again?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
PMP_AdminAuthor Commented:
Closing due to inactivity before the moderators FORCE an answer, thanks for trying. Money well spent... Points were only awarded for determination.
computerdeptCommented:
Hi PMP Admin, did you figure out how to resolve this problem regarding "access denied"? I'm having exactly the same problem. Tks.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.