
Solved

Win 7 32 bit Remote Desktop "Access is Denied"

Posted on 2011-10-05
Last Modified: 2013-12-04
Hello all, thanks for looking.

I am standing up a secure environment. I have 4 (virtual) Win 2008 64-bit servers and multiple (physical) Win 7 Pro 32-bit clients. I originally stood everything up and installed all software on all systems. I was able to remote desktop from any machine to any machine with no issues. I started to lock the systems down via GPO. I know this has to do with GPO because I have rolled back machines and am able to tell exactly where the issue began. Unfortunately I cannot pinpoint exactly which value is my culprit. When I disable the GPO the problem persists. I can only RDP in when I disable the GPO and sys restore the physical machine; then, as soon as I re-enable the GPO, I get "Access is Denied" on a blue Windows login screen with the OS displayed. Error logs on both machines give no hints; the only events logged are on the destination machine under Application logs / Microsoft / Windows / TerminalServices-RemoteConnectionManager:

Listener RDP-Tcp received a connection

then

Remote Desktop Services : User authentication Succeeded:
User : USERX
Domain: DOMAINX
Source Network Address : my.net.add.x

then
Terminal Server role is not installed

then
The Remote Connection Manager selected Kernel mode RDP protocol Stack

then
Listener RDP-Tcp has started listening

Over and over. This is a Win 7 Pro to Win 7 Pro attempt; it's the same from any source to any destination. The user name I am using is an admin: Domain Admin, local admin, Remote Desktop User, and overall every role possible. There are a lot of permission re-assignments etc., but I am sure this is due to the policy.

Here is a policy printout:

Security Settings
Account Policies/Password Policy
Policy      Setting
Enforce password history      24 passwords remembered
Maximum password age      42 days
Minimum password age      1 days
Minimum password length      14 characters
Password must meet complexity requirements      Enabled
Store passwords using reversible encryption      Disabled
Account Policies/Account Lockout Policy
Policy      Setting
Account lockout duration      0 minutes
Account lockout threshold      3 invalid logon attempts
Reset account lockout counter after      60 minutes
Account Policies/Kerberos Policy
Policy      Setting
Enforce user logon restrictions      Enabled
Maximum lifetime for service ticket      600 minutes
Maximum lifetime for user ticket      10 hours
Maximum lifetime for user ticket renewal      7 days
Maximum tolerance for computer clock synchronization      5 minutes
Local Policies/Audit Policy
Policy      Setting
Audit account logon events      Success, Failure
Audit logon events      Success, Failure
Audit object access      No auditing
Audit policy change      Success, Failure
Audit privilege use      Failure
Audit process tracking      No auditing
Audit system events      No auditing
Local Policies/User Rights Assignment
Policy      Setting
Access Credential Manager as a trusted caller      
Access this computer from the network      NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Act as part of the operating system      
Add workstations to domain      BUILTIN\Administrators
Adjust memory quotas for a process      NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Allow log on locally       Domain Admins, BUILTIN\Administrators
Allow log on through Terminal Services      BUILTIN\Administrators
Back up files and directories      BUILTIN\Administrators
Bypass traverse checking      NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Change the system time      NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Change the time zone      NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create a pagefile      BUILTIN\Administrators
Create a token object      
Create global objects      NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create permanent shared objects      
Create symbolic links      BUILTIN\Administrators
Debug programs      
Deny access to this computer from the network      BUILTIN\Guests
Deny log on as a batch job      BUILTIN\Guests
Deny log on as a service      
Deny log on locally      BUILTIN\Guests
Deny log on through Terminal Services      BUILTIN\Guests
Enable computer and user accounts to be trusted for delegation      BUILTIN\Administrators
Force shutdown from a remote system      BUILTIN\Administrators
Generate security audits      NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Impersonate a client after authentication      NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Increase a process working set      NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Increase scheduling priority      BUILTIN\Administrators
Load and unload device drivers      BUILTIN\Administrators
Lock pages in memory      
Log on as a batch job      BUILTIN\Administrators
Manage auditing and security log      PMP\Auditor Group
Modify an object label      BUILTIN\Administrators
Modify firmware environment values      BUILTIN\Administrators
Perform volume maintenance tasks      BUILTIN\Administrators
Profile single process      BUILTIN\Administrators
Profile system performance      BUILTIN\Administrators
Remove computer from docking station      BUILTIN\Administrators
Replace a process level token      NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Restore files and directories      BUILTIN\Administrators
Shut down the system      BUILTIN\Administrators
Synchronize directory service data      
Take ownership of files or other objects      BUILTIN\Administrators
Local Policies/Security Options
Accounts
Policy      Setting
Accounts: Administrator account status      Enabled
Accounts: Guest account status      Disabled
Accounts: Limit local account use of blank passwords to console logon only      Enabled
Accounts: Rename administrator account      "DELETED"
Accounts: Rename guest account      "DELETED"
Audit
Policy      Setting
Audit: Audit the access of global system objects      Disabled
Audit: Audit the use of Backup and Restore privilege      Disabled
Audit: Shut down system immediately if unable to log security audits      Disabled
Devices
Policy      Setting
Devices: Allow undock without having to log on      Disabled
Devices: Allowed to format and eject removable media      Administrators
Devices: Prevent users from installing printer drivers      Enabled
Devices: Restrict CD-ROM access to locally logged-on user only      Disabled
Domain Member
Policy      Setting
Domain member: Digitally encrypt or sign secure channel data (always)      Enabled
Domain member: Digitally encrypt secure channel data (when possible)      Enabled
Domain member: Digitally sign secure channel data (when possible)      Enabled
Domain member: Disable machine account password changes      Disabled
Domain member: Maximum machine account password age      30 days
Domain member: Require strong (Windows 2000 or later) session key      Enabled

DELETED

Interactive logon: Number of previous logons to cache (in case domain controller is not available)      1 logons
Interactive logon: Prompt user to change password before expiration      14 days
Interactive logon: Require Domain Controller authentication to unlock workstation      Disabled
Interactive logon: Require smart card      Disabled
Interactive logon: Smart card removal behavior      Lock Workstation
Microsoft Network Client
Policy      Setting
Microsoft network client: Digitally sign communications (always)      Enabled
Microsoft network client: Digitally sign communications (if server agrees)      Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers      Disabled
Microsoft Network Server
Policy      Setting
Microsoft network server: Amount of idle time required before suspending session      15 minutes
Microsoft network server: Digitally sign communications (always)      Enabled
Microsoft network server: Digitally sign communications (if client agrees)      Enabled
Microsoft network server: Disconnect clients when logon hours expire      Enabled
Network Access
Policy      Setting
Network access: Allow anonymous SID/Name translation      Disabled
Network access: Do not allow anonymous enumeration of SAM accounts      Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares      Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication      Enabled
Network access: Let Everyone permissions apply to anonymous users      Disabled

DELETED

Network Security
Policy      Setting
Network security: Do not store LAN Manager hash value on next password change      Enabled
Network security: Force logoff when logon hours expire      Disabled
Network security: LAN Manager authentication level      Send NTLMv2 response only. Refuse LM & NTLM
Network security: LDAP client signing requirements      Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients      Enabled
Require NTLMv2 session security      Enabled
Require 128-bit encryption      Enabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers      Enabled
Require NTLMv2 session security      Enabled
Require 128-bit encryption      Enabled
Recovery Console
Policy      Setting
Recovery console: Allow automatic administrative logon      Disabled
Recovery console: Allow floppy copy and access to all drives and all folders      Disabled
Shutdown
Policy      Setting
Shutdown: Allow system to be shut down without having to log on      Disabled
Shutdown: Clear virtual memory pagefile      Disabled
System Cryptography
Policy      Setting
System cryptography: Force strong key protection for user keys stored on the computer      User must enter a password each time they use a key
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing      Disabled
System Objects
Policy      Setting
System objects: Require case insensitivity for non-Windows subsystems      Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)      Enabled
System Settings
Policy      Setting
System settings: Optional subsystems      
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies      Enabled
User Account Control
Policy      Setting
User Account Control: Admin Approval Mode for the Built-in Administrator account      Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode      Prompt for credentials
User Account Control: Behavior of the elevation prompt for standard users      Automatically deny elevation requests
User Account Control: Detect application installations and prompt for elevation      Enabled
User Account Control: Only elevate executables that are signed and validated      Disabled
User Account Control: Run all administrators in Admin Approval Mode      Enabled
User Account Control: Switch to the secure desktop when prompting for elevation      Enabled
User Account Control: Virtualize file and registry write failures to per-user locations      Enabled
Other
Policy      Setting
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings      Enabled
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)      Highest protection, source routing is completely disabled
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)      Enabled
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)      Enabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop      Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations      Enabled
Event Log
Policy      Setting
Maximum application log size      16384 kilobytes
Maximum security log size      1000064 kilobytes
Maximum system log size      16384 kilobytes
Prevent local guests group from accessing application log      Enabled
Prevent local guests group from accessing security log      Enabled
Prevent local guests group from accessing system log      Enabled
Retention method for application log      As needed
Retention method for security log      Manually
Retention method for system log      As needed
Restricted Groups
Group                        Members                Member of
BUILTIN\Remote Desktop Users    Administrators

DELETED

The firewall is disabled completely and I have undone every setting having to do with encryption and RDP that I can find. I have picked through the registry and restored keys with default keys. This domain will have no internet or outside connection whatsoever. I cannot get RDP to work.
Question by:PMP_Admin
26 Comments
LVL 11

Expert Comment

by:madhatter5501
ID: 36920998
I would first try checking the logon hours.
LVL 1

Author Comment

by:PMP_Admin
ID: 36921064
No hours defined.
LVL 1

Author Comment

by:PMP_Admin
ID: 36921080
I just verified 24/7 access on all RDP users, including the username I am using.
LVL 6

Expert Comment

by:Sid_F
ID: 36921643
I am presuming you get the access denied after you try to log in, in other words RDP is firing up OK? Launch tsconfig.msc from the 2008 machine. Right-click on RDP-Tcp and select Properties. Go to the Security settings tab and review the ACL (make sure that there are no deny ACEs; by default, there are none).

LVL 1

Author Comment

by:PMP_Admin
ID: 36923524
Yes, your assumption is correct. I launch MSTSC from within the domain (on a Win 7 client), use the IP address of another Win 7 client, authenticate with an admin account, it completes the connection, the screen goes black, then a blue login screen appears but it only says "Access is denied" and Windows 7 Professional at the bottom.

Per your suggestion, I logged onto the Domain Controller and there were no denies, but Network Service and Local Service have only these special permissions set to allow: Query Information, Message, and Virtual Channels. Is this correct? Admins have Full Control, Remote Desktop Users have User Access, and Interactive has only Query Information allowed.

I am attempting to connect from the Win 7 Pro to another Win 7 Pro.
LVL 1

Author Comment

by:PMP_Admin
ID: 36923530
I also verified the same permissions on another Server 08 machine.

Expert Comment

by:NuclearFisher
ID: 36924526
I've always thought that RDP users require the Interactive permission.
LVL 1

Author Comment

by:PMP_Admin
ID: 36929989
Not the case. Before the policy configuration I was able to remote in with no issues and no interaction at the destination machine; either way, no dialog box currently comes up at the destination machine.
LVL 7

Expert Comment

by:scraby
ID: 36930783
Allow log on through Terminal Services      BUILTIN\Administrators

If you RDP from one Win 7 to another workstation you need to be authorized to log in remotely to that station locally. Add the domain admin account to the local users group at the local machine level: lusrmgr.msc at the machine, add the domain admin to the Remote Desktop Users group.

Press Windows Key + Pause at the local machine and make sure Remote Desktop is configured to allow incoming connections (you can add users there too).

If this works then you can deploy these changes via GPO.
LVL 1

Author Comment

by:PMP_Admin
ID: 36930950
Windows key + Pause? I added Remote Desktop Users and Authenticated Users to all User Rights Assignments in the GPO and am still having the issue.
LVL 1

Author Comment

by:PMP_Admin
ID: 36931115
When I press Win+Pause it launches System Properties; from there I go to Remote Settings and yes, it is set to accept and I am in the ACL (user already has access).

Expert Comment

by:NuclearFisher
ID: 36931244
If you get the access denied error and at the same time do not get audit failures in the Security log on the terminal server, it means that access is denied somewhere on the object level (file system, registry).
Try to include the Domain Users group in local Administrators on the TS, then (if RDP connects OK) try the local Power Users group.
Finally, compare the filesystem/registry permissions for local Administrators/Power Users and Users.

BTW, the situation is very similar to the one where Domain Users members can't print on a printer shared by a workstation.
LVL 1

Author Comment

by:PMP_Admin
ID: 36931308
This would not explain why I can disable the GPO, roll back the machine, and Remote Desktop will work. If I enable the GPO and then run GPUPDATE /FORCE, I get the access is denied. I am currently going through the GPO one item at a time and disabling or enabling every single object; I will examine file permissions next.
LVL 7

Assisted Solution

by:scraby
scraby earned 80 total points
ID: 36936313
That's a slow process but definitely the next logical step; are you getting anywhere?

So you enable and force the GPO, and RDP from one workstation to the next stops working, and then when you disable the GPO and restore both workstations back to prior to the GPO, RDP starts to work again? Some have mentioned terminal server in this thread, but that has nothing to do with your scenario since you are RDPing from one WS to another and not to a TS, correct?
LVL 1

Author Comment

by:PMP_Admin
ID: 36947985
scraby:
that's a slow process but definitely the next logical step, are you getting anywhere? --- NO

so you enable and force gpo and rdp from one workstation to the next stops working and then when you disable gpo and restore both workstations back to prior to gpo, rdp starts to work again?......some have mentioned terminal server in this thread but that has nothing to do with your scenario since you are rdp from one ws to another and not to a ts correct? --- You kind of have this backwards. After I disable the GPO and roll back the machines (factory default, NO GPO) I can RDP just fine. After I enable my GPO and force it, I cannot connect.

I have attached a screenshot. I know the screenshot is Server 08; it was just easier to get. I am attempting this on 2 Win 7 machines, but get the errors on all machines regardless of the combination of source and destination/OS.



AcceSSisDenied.jpg
LVL 1

Author Comment

by:PMP_Admin
ID: 36948585
Applications and services\microsoft\windows\TerminalServices-RemoteConnectionManager


Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          10/11/2011 8:18:43 AM
Event ID:      1155
Task Category: None
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      DESTINATION COMPUTER NAME
Description:
The Remote Connection Manager selected Kernel mode RDP protocol stack.

Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          10/11/2011 8:18:44 AM
Event ID:      258
Task Category: None
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      DESTINATION COMPUTER NAME
Description:
Listener RDP-Tcp has started listening

Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          10/11/2011 8:24:05 AM
Event ID:      261
Task Category: None
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      DESTINATION COMPUTER NAME
Description:
Listener RDP-Tcp received a connection

Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          10/11/2011 8:24:10 AM
Event ID:      1149
Task Category: None
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      DESTINATION COMPUTER NAME
Description:
Remote Desktop Services: User authentication succeeded:

User: MYADMINACCOUNT
Domain: MYDOMAINNAME
Source Network Address: SOURCE IP ADDRESS

Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          10/11/2011 8:24:18 AM
Event ID:      261
Task Category: None
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      DESTINATION COMPUTER NAME
Description:
Listener RDP-Tcp received a connection

Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          10/11/2011 8:25:16 AM
Event ID:      1136
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      DESTINATION COMPUTER NAME
Description:
Terminal Server role is not installed.

Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          10/11/2011 8:25:16 AM
Event ID:      1155
Task Category: None
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      DESTINATION COMPUTER NAME
Description:
The Remote Connection Manager selected Kernel mode RDP protocol stack.

Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          10/11/2011 8:25:23 AM
Event ID:      258
Task Category: None
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      DESTINATION COMPUTER NAME
Description:
Listener RDP-Tcp has started listening


That was the event log dump of the events. This is the only thing RDP related in all of the event logs: it gets ready for a connection, receives a connection, authenticates successfully, and that's it... but I get an Access is denied. Here is the only error in the log I can find that may be related; this message comes up every 15 minutes while I am trying to RDP in, but goes back to every 4-6 hrs when I am not attempting to RDP:

Log Name:      System
Source:        Service Control Manager
Date:          10/11/2011 8:28:12 AM
Event ID:      7000
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SOURCE COMPUTER NAME
Description:
The Diagnostic Service Host service failed to start due to the following error:
The account specified for this service is different from the account specified for other services running in the same process.
LVL 1

Author Comment

by:PMP_Admin
ID: 36951093
OK, so maybe this is a file or registry permissions configuration issue, as I have gone through the entire GPO and undone everything that was done 1 by 1 and cannot get RDP to work. Anyone have any idea what file or registry entries I should check?

Assisted Solution

by:NuclearFisher
NuclearFisher earned 80 total points
ID: 36951356
Try to add the RDP users first to local Administrators, then Power Users. Then compare those groups' permissions.
Then enable object-level audit on the top levels of %Windir%, %UserProfiles% and %ProgramFiles% with propagation to the child objects.
Do the same thing for the registry. I don't know the exact hive, but you can just enable it for all root ones.
Then try the RDP login again and dig through the Security log for Object Access category events with Failed Audit.
Don't forget to adjust the event rotation on the Security log.

Finally, don't forget to update us about what you've found :)
0
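An added example (not part of NuclearFisher's answer) of the last two steps he describes: enable failure auditing for file system and registry objects, then pull the Audit Failure events from the Object Access category out of the Security log and summarise which objects the RDP logon account was denied on. It assumes an elevated PowerShell session on the destination machine; $Since and $User are placeholders to narrow the search to the failed attempt.

```powershell
# Added example, not from the original answer. Run elevated on the RDP target.

# Step 1 (once): make sure Object Access failures are actually written to the
# Security log. Raise its maximum size too, as the answer advises.
auditpol /set /subcategory:"File System" /failure:enable
auditpol /set /subcategory:"Registry"    /failure:enable

$Since = (Get-Date).AddMinutes(-30)   # placeholder: time window of the failed RDP attempt
$User  = 'USERX'                      # the account used for the RDP logon (from the question)
$AuditFailure = 0x10000000000000      # Keywords bit for Audit Failure events

# 4656: a handle to an object was requested (failure = open denied by the ACL)
# 4663: an attempt was made to access an object
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4656, 4663
    Keywords  = $AuditFailure
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Parse each event's EventData into a hashtable and keep only the RDP user's denials.
$denied = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['SubjectUserName'] -eq $User) {
        New-Object PSObject -Property @{
            Time       = $e.TimeCreated
            ObjectType = $data['ObjectType']
            ObjectName = $data['ObjectName']
            Process    = $data['ProcessName']
            AccessMask = $data['AccessMask']
        }
    }
}

if ($denied) {
    # Most frequently denied objects first: these are the ACLs to compare
    # between a working (Administrators) and a failing (Power Users) logon.
    $denied | Group-Object ObjectType, ObjectName |
        Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
} else {
    Write-Output ("No Object Access failures for {0} since {1}" -f $User, $Since)
}
```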
 
LVL 1

Author Comment

by:PMP_Admin
ID: 36955761
OK, so I got a message from an "Admin" saying that I have to respond to madhatter5501's suggestion in my original question. Anyone have a solution to this, considering I did answer his question in the forum within 11 minutes?

NuclearFisher, that is awesome advice, but for some reason I am still stuck on the GPO. I am creating a test machine; I have split the GPO into 6 smaller GPOs and I'm going to join my fresh install to the domain, then implement one GPO at a time until I have the issue.
0
 
LVL 7

Expert Comment

by:scraby
ID: 36980344
Did you make any progress with the test machine and smaller GPOs?
0
 
LVL 1

Author Comment

by:PMP_Admin
ID: 36980805
I split them up and found that the issue is coming from within the Computer / Windows sub field. But while separating the GPOs I have run into another issue: the Black Screen of Death. I have made a new question for this issue. I wanted to link to the new question, but this Experts Exchange website is up one second and down the next. I cannot get to the new page to link it. I guess I'll put up a link when it comes back up.
0
 
LVL 1

Author Comment

by:PMP_Admin
ID: 36988527
OK, so I caused more problems than I solved by splitting up the GPOs. I am back to where I was when I started this post, as I have rolled back all of the VMs and freshly installed all of the physical machines. Anyone have any input on what may break RDP?
0
 
LVL 1

Accepted Solution

by:
PMP_Admin earned 0 total points
ID: 37024208
I assume, since I have not been able to log into the site, that others are having the same issue and that's why there have not been any new posts for over a week. When will the site be somewhat reliable again?
0
 
LVL 1

Author Closing Comment

by:PMP_Admin
ID: 37123829
Closing due to inactivity before the moderators FORCE an answer, thanks for trying. Money well spent... Points were only awarded for determination.
0
 

Expert Comment

by:computerdept
ID: 37493584
Hi PMP_Admin, did you figure out how to resolve this problem regarding "access denied"? I'm having exactly the same problem. Thanks.
0
