Remote Desktop not working for new members of Remote Desktop Users group

I recently promoted a new server to Domain Controller and since then new users added to the remote desktop users get the whole "To log on to this remote computer, you must be granted the Allow  log on throught Terminal Services bit...." bit. I am not sure the promoted server is related to the issue but at any rate when I go to the Local Security Policy "security Settings\local Policies\User Rights Assignment"  the Allow log on through Remote Desktop Services add user button is grey out.  I hate greyed out buttons.  
Anyway, in Group Policy Management when right click to edit the "Default Domain Controllers Policy" I get a "Failed to open the Group Policy Object"  and the details say "The system cannot find the path specified". So, as result I am not able to enable/edit "Allow log on through Terminal Services".  The Group Policy Management Editor does not seem to be working at all. Any suggestions?
MarkSnark1Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

TheNemesisCommented:
As a quick and dirty approach add your domain user group, that should be enabled to use rdp, to the local group "remote desktop users" (if it's not the dc you want to rdp on).

But your main problem seems to be, that your ad replication between the old and new dc doesn't seem to work. Have you verified your log files on both dcs? Anything stating that there were problems replicating? Are the default dc shares in place on both servers (\\dc\sysvol)?
0
MarkSnark1Author Commented:
People who had remote desktop privleges prior to the dc promotion can still use rdp but when new users and groups to the Remote Desktop Users group, including the Domain Users group which I just added per your suggestion, still get the message when attempting to log on.  I agree with you that it is probably a replication issue of which the Group Policy Editor failing is also a symptom. The problem is I do not how diagnose nor fix it.  I did not see anything in the event viewer that would lead me in any direction.  Thank you for the response.
0
TheNemesisCommented:
Can you confirm that on both dcs there are shares mounted under the name \\dc1\sysvol and \\dc2\sysvol? Can you please restart the file replication service on both servers and check the corresponding logs for entries about frs?
0
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

MarkSnark1Author Commented:
Thank you,
I ran net share and essentially got the followin on both dc's:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.ATWOODCC>net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
NETLOGON     C:\Windows\SYSVOL\sysvol\ATWOODCC.LOCAL\SCRIPTS
                                             Logon server share
SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share
Techsup      C:\Techsup
The command completed successfully.

I also restarted the "file replication service" on both servers. The GP editor still does not work.  Where do I find the logs?

Thank you again.
0
MarkSnark1Author Commented:
In the event view for the system log there were no errors for either of the dc's when I restarted the frs.
0
TheNemesisCommented:
Ok, so FRS seems ok, else you would have no netlogon share on both servers.

Can you state, what error message you get, when editing gpos?

Can you do a dcdiag on both dcs and post it here?

Can the new users log onto different machines, or does the problem only exist on the terminal server? If only on ts, have you checked dns configuration (dns must not point to external servers)?
0
MarkSnark1Author Commented:
The message when I right click on the Default Domain Controllers Policy is "Failed to open the Group Policy Object. You may not have appropriate rights.  Details: The system cannot find the path specified."

I do not know to which path it refers nor how or where to change it.
0
MarkSnark1Author Commented:
I ran the dcdiag but I do not know how to capture the results.
0
TheNemesisCommented:
Use dcdiag > result.txt, open result.txt with notepad and copy & paste here
0
MarkSnark1Author Commented:
The problem only exits when they try to use remote desktop to access other computers from within and without the LAN.  Using their there logon credentials on local computers works fine.
0
TheNemesisCommented:
So you need to allow all users in your environment to connect to client pcs through rdp, right?

If that is true, can you please launch the computer management on a client that is to be accessed by a user and check, what members are in the local "Remote Desktop users" group? Only members in there can login via rdp (you can do different, but this is the simplest way). If you manually add the new user to log in there, can he/she the access this test pc via rdp?
0
MarkSnark1Author Commented:
DC1

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = atwoodsrvx

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\ATWOODSRVX

      Starting test: Connectivity

         ......................... ATWOODSRVX passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\ATWOODSRVX

      Starting test: Advertising

         ......................... ATWOODSRVX passed test Advertising

      Starting test: FrsEvent

         ......................... ATWOODSRVX passed test FrsEvent

      Starting test: DFSREvent

         ......................... ATWOODSRVX passed test DFSREvent

      Starting test: SysVolCheck

         ......................... ATWOODSRVX passed test SysVolCheck

      Starting test: KccEvent

         ......................... ATWOODSRVX passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... ATWOODSRVX passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... ATWOODSRVX passed test MachineAccount

      Starting test: NCSecDesc

         ......................... ATWOODSRVX passed test NCSecDesc

      Starting test: NetLogons

         ......................... ATWOODSRVX passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... ATWOODSRVX passed test ObjectsReplicated

      Starting test: Replications

         ......................... ATWOODSRVX passed test Replications

      Starting test: RidManager

         ......................... ATWOODSRVX passed test RidManager

      Starting test: Services

         ......................... ATWOODSRVX passed test Services

      Starting test: SystemLog

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:13:41

            Event String:

            Driver Remote Desktop Easy Print required for printer HP160509 (HP Photosmart Plus B210 series) (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:13:56

            Event String:

            Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:13:59

            Event String:

            Driver Remote Desktop Easy Print required for printer Kyocera Mita KM-2550 KX on SERVER (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:00

            Event String:

            Driver Remote Desktop Easy Print required for printer UpstairsCopier on oiclx (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:01

            Event String:

            Driver Remote Desktop Easy Print required for printer ServerRoomHP on oiclx (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:01

            Event String:

            Driver Remote Desktop Easy Print required for printer DownStairsCopier on oiclx (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:02

            Event String:

            Driver Remote Desktop Easy Print required for printer HP Photosmart Plus B210 series (Network) (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:03

            Event String:

            Driver Remote Desktop Easy Print required for printer KONICA Minolta C451 PS on ATWOODSRVX (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:04

            Event String:

            Driver Remote Desktop Easy Print required for printer Fax (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:04

            Event String:

            Driver Remote Desktop Easy Print required for printer Kyocera KM-2560 (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:05

            Event String:

            Driver Remote Desktop Easy Print required for printer Microsoft XPS Document Writer (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:06

            Event String:

            Driver Remote Desktop Easy Print required for printer OPtionsKyocera KM-2540 (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:14:07

            Event String:

            Driver Remote Desktop Easy Print required for printer OptionsKyoceraDownstairs (redirected 2) is unknown. Contact the administrator to install the driver before you log in again.

         ......................... ATWOODSRVX failed test SystemLog

      Starting test: VerifyReferences

         ......................... ATWOODSRVX passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : ATWOODCC

      Starting test: CheckSDRefDom

         ......................... ATWOODCC passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ATWOODCC passed test CrossRefValidation

   
   Running enterprise tests on : ATWOODCC.LOCAL

      Starting test: LocatorCheck

         ......................... ATWOODCC.LOCAL passed test LocatorCheck

      Starting test: Intersite

         ......................... ATWOODCC.LOCAL passed test Intersite

0
MarkSnark1Author Commented:
DC2

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = GoodmanVmAd

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\GOODMANVMAD

      Starting test: Connectivity

         ......................... GOODMANVMAD passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\GOODMANVMAD

      Starting test: Advertising

         ......................... GOODMANVMAD passed test Advertising

      Starting test: FrsEvent

         ......................... GOODMANVMAD passed test FrsEvent

      Starting test: DFSREvent

         ......................... GOODMANVMAD passed test DFSREvent

      Starting test: SysVolCheck

         ......................... GOODMANVMAD passed test SysVolCheck

      Starting test: KccEvent

         ......................... GOODMANVMAD passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... GOODMANVMAD passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... GOODMANVMAD passed test MachineAccount

      Starting test: NCSecDesc

         ......................... GOODMANVMAD passed test NCSecDesc

      Starting test: NetLogons

         ......................... GOODMANVMAD passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... GOODMANVMAD passed test ObjectsReplicated

      Starting test: Replications

         ......................... GOODMANVMAD passed test Replications

      Starting test: RidManager

         ......................... GOODMANVMAD passed test RidManager

      Starting test: Services

         ......................... GOODMANVMAD passed test Services

      Starting test: SystemLog

         A warning event occurred.  EventID: 0x8000001D

            Time Generated: 12/11/2011   15:00:44

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:36:32

            Event String:

            Driver KONICA MINOLTA C652SeriesPS required for printer !!atwoodsrvx!C552ds-Copier is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:36:33

            Event String:

            Driver Muratec MFX-2550 PCL6 required for printer !!atwoodsrvx!Muratec-FRONT DESK is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 12/11/2011   15:36:34

            Event String:

            Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.

         ......................... GOODMANVMAD failed test SystemLog

      Starting test: VerifyReferences

         ......................... GOODMANVMAD passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : ATWOODCC

      Starting test: CheckSDRefDom

         ......................... ATWOODCC passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ATWOODCC passed test CrossRefValidation

   
   Running enterprise tests on : ATWOODCC.LOCAL

      Starting test: LocatorCheck

         ......................... ATWOODCC.LOCAL passed test LocatorCheck

      Starting test: Intersite

         ......................... ATWOODCC.LOCAL passed test Intersite

0
MarkSnark1Author Commented:
The pc I am trying to give them access to is a virtual machine.  I will try to logon with their credentials from the hyper v host.  
0
TheNemesisCommented:
Ok, your dc's seem okay, too. You can reset your default domain controller policy to default (and thus repair it) by using the following command:

dcgpofix /target:dc

Then you need to reapply your settings (if you have them in mind or on paper). Perhaps it would be a good idea to make such settings in your own gpo, it is a best practise to leave the two built in gpos as they are.
0
MarkSnark1Author Commented:
I was able to logon to the virtual pc via the hyper-v app with the new user's credentials.
0
TheNemesisCommented:
Thus you verified that it's only the gpo not applying any more. Restore your gpo as stated above, create a new gpo and reapply your settings. Perhaps think about the option to use gpo to add your desired users to the local remote desktop users group for easier management.

Try the following:
Put rdp-enabled users in a security group, like "RDP users".
Create a gpo to add the group "RDP Users" to the local group "Remote Desktop Users" on the desired clients (using restricted groups)
0
MarkSnark1Author Commented:
I ran the gpo fix on the DC2 and it bombed with the following:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.ATWOODCC>cd\

C:\>dcgpofix /target:goodmanvmad

Microsoft(R) Windows(R) Operating System Default Group Policy Restore Utility v5
.1

Copyright (C) Microsoft Corporation. 1981-2003

Description: Recreates the Default Group Policy Objects (GPOs) for a domain

Syntax: DcGPOFix [/ignoreschema] [/Target: Domain | DC | BOTH]


This utility can restore either or both the Default Domain Policy or the
Default Domain Controllers Policy to the state that exists immediately after
a clean install. You must be a domain administrator to perform this operation.

WARNING: YOU WILL LOSE ANY CHANGES YOU HAVE MADE TO THESE GPOs. THIS UTILITY
IS INTENDED ONLY FOR DISASTER RECOVERY PURPOSES.

The parameter is incorrect.
The restore failed.  See previous messages for more details

C:\>

0
MarkSnark1Author Commented:
Not sure about the parameter.  I assumed just the machine name.
0
MarkSnark1Author Commented:
Does this utility change user share access on folders?  I have really never set much up in Group Policy so I am assuming it is not overwriting much with the default setup.  What are the adverse effects?
0
TheNemesisCommented:
No, you must not change anything in the command, that I pasted. Leave the dc in place, as it states, that the "Default Domaincontroller Policy" (-> parameter DC) should be rebuilt and not the "Default Domain Policy" (-> parameter DOMAIN).

So just type

dcgpofix /target:dc

Then it will run (hopefully ;))
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
MarkSnark1Author Commented:
I am sure it will run but I am afraid of the warning.  I am not sure what might get shut down with this command.  Can you tell me what possible specific adverse affects it might have.  Is it going to render user folder share permisissions in effective?  I have not really modifided the Group Policy on this domain so I am not afraid of that but will it afftect user permission that have been set up through Active Directory. What server applications would fail?  Please see the warning below and understand my apprehension.  Thank you for your ongoing support.


C:\>dcgpofix /target:dc

Microsoft(R) Windows(R) Operating System Default Group Policy Restore Utility v5
.1

Copyright (C) Microsoft Corporation. 1981-2003

Description: Recreates the Default Group Policy Objects (GPOs) for a domain

Syntax: DcGPOFix [/ignoreschema] [/Target: Domain | DC | BOTH]


This utility can restore either or both the Default Domain Policy or the
Default Domain Controllers Policy to the state that exists immediately after
a clean install. You must be a domain administrator to perform this operation.

WARNING: YOU WILL LOSE ANY CHANGES YOU HAVE MADE TO THESE GPOs. THIS UTILITY
IS INTENDED ONLY FOR DISASTER RECOVERY PURPOSES.

You are about to restore Default Domain controller policy for the following doma
in
ATWOODCC.LOCAL
Do you want to continue: <Y/N>? y
WARNING: This operation will replace all 'User Rights Assignments' made in the c
hosen GPOs. This may render some server applications to fail. Do you want to con
tinue: <Y/N>?
0
TheNemesisCommented:
As it will overwrite the domain controller policy, it will revert every change, you made in this policy. So your arights assignments, that were made through this policy (and only those) will be reverted. You will have to do them all over (e.g. for your remote desktop users). If you had any other assignments within this policy, these will be lost, too. On the other hand you cannot change anything to the policy at current, as it is corrupt.

You can smoothen the process in first creating a new policy and rebuilding any setting, you already did in the default domain controller policy before resetting the ddcp.
0
MarkSnark1Author Commented:
I am just trying to get an idea of the scope.  I think the specific question is "what are assignments?" Will people be able to  logon without specific attention to their profile? Get their email? Access data in sql, get to documents in folders they are supposed to use, get to documents they are not supposed to use?  
In the five years I have supported this domain I cannot think of any changes I have made in the Group Policy editor but I have made plenty of changes in the AD, and usershares, databases.  3 third party Server based apps  run on dc1.  Will all of this turn to goo? Or will I just have to reassisgn Remote Desk Top users?  As always, I appreciate your input. Thank you.
0
TheNemesisCommented:
As I don't know, what was originally implemented in the policy, I can hardly guess the scope. In a standard environment, the default domain controller policy handles password policies, communication settings between dcs and clients, who is able to log onto domain controllers (console and rdp), mainly security settings.

In default state it does NOT configure any file system based access, no sql server related settings, no group memberships or e-mail settings.

But as there were changes made to the policy, I can't tell for sure. Maybe like you can only guess what settings may have been changed. I can say, that under normal circumstances no 3rd party software makes changes to the policy and only really really few depend on MANUAL changes to it.

If it was my domain or I were in this situation for a customer of mine, I would do the step provided above. You can't save the settings as they are corrupt already, so you don't have any other chance (in my opinion). It is most unlikely that any other software will suffer from the rebuild, but one cannot be 100% sure ...
0
TheNemesisCommented:
So I have one more idea, how you can savely check, what happens, if your default domain controller policy goes missing: Try to disable the gpo and use a test client and a test server to access each other. Start "gpupdate /force" on each (or reboot them both) to have the changes take effect.

Note that when you disable the gpo, it is like having it deleted (so e.g. password policy will be affected, too). So the effect will be much more than when you restore it to factory defaults.

Would this be a "save way" to test it for you?

I can't say "restore it to defaults, there is nothing that can go wrong" as this would be a lie. I try to inform you of all possible consequences as far as I can estimate them. I don't want to to talk you into doing it, I just give suggestions and hints.
0
MarkSnark1Author Commented:
Still working on this.  Not quite ready for the last resort.
0
MarkSnark1Author Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for MarkSnark1's comment http:/Q_27487600.html#37275076

for the following reason:

With Microsoft's assurance that this was the only option left, we executed the fix with no adverse affects on our relatively unchanged GP. &nbsp;Thank you for your help.
0
MarkSnark1Author Commented:
I did not request that this be closed without points.  The Nemisis should get 500 points.
0
MarkSnark1Author Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for MarkSnark1's comment http:/Q_27487600.html#37275076

for the following reason:

Thank you for your help. &nbsp;It worked with no adverse effects on our domain.
0
TheNemesisCommented:
MarkSnark1 added comment, that he wanted to award the points to me. Please check.
0
MarkSnark1Author Commented:
This solution worked.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.