Microsoft RD Client on IOS iPad, user logon fails with server event ID 4625.

We're using the newest v8.1.5 of the iOS MS RD Client on iPads. Our MS RDS host is Windows 2008 R2.

Remote user logons fail, and the server shows event ID 4625. The event 4625 detail states Failure Reason: "User not allowed to logon at this computer."

We can successfully log on as Administrator but not as any of our remote users.

BIG HINT: Our Administrator account works because we do NOT have a domain user restriction for [Log On To] for Administrator, but we do restrict our remote users by COMPUTER name. THAT'S THE DIFFERENCE. If we temporarily remove the [Log On To] restriction for a remote user, presto, they can log on perfectly fine.

What's with the MS iOS RD Client? The Pocket Cloud alternative works fine for all users, but that app is now dying because it was discontinued by Dell/Wyse.
Spike99

I don't know if this will help, but I would try modifying the list of servers which users are allowed to log on to by adding the IP addresses of those servers.

I have never used the iOS RD client, but at my last job we had issues with users logging on to our load-balanced terminal server farm via TS Gateway. They would get a TS Resource Access Policy error (TS RAP) stating they didn't have rights to log on to the server in question, even though the server was specified by name in the RAP in the TS Gateway server's settings. We corrected the problem by adding the IPs of the farm and all member servers to the local computer group used by the RAP (it turned out our load-balancing hardware would use the IPs interchangeably with the fully qualified domain names to direct users to any of the servers in the farm).

Worth a shot...
JReam

ASKER

We tried using all the IPs and FQDNs we could think of in the list of [Log On To] computers without any success.
ASKER CERTIFIED SOLUTION
Spike99
JReam

ASKER

We do the [Log On To] restriction via the "Active Directory Users and Computers" management administrative tools.
Is this the same as "at the domain level" that you are referring to when you wrote "We never restricted logon access at the domain level."? I assume yes.

I do see that we already have a domain user group specifically for our remote users. And that group is already listed in the "Remote Desktop Users" group on our one and only RDS host server.

Perhaps we are being needlessly redundant to also have the restriction in the [Log On To] list. Our remote users are never going to need to log into any other PCs on our network; they are 100% remote users only, so we always thought the specific restriction in the [Log On To] list was a good security setting, with no chance of accidentally logging in anywhere else. I'll have to give this some careful thought.
Spike99

I have never used that "Log on to..." option in the user account properties in Active Directory Users and Computers.

I was thinking you must have had some GPO linked to the OU where the terminal server is to restrict logon rights.

By default, regular users lack rights to log on to any PC or server remotely, so I think just using the RD Users group on your RDS server is an effective way to permit users to only log on to that server.
JReam

ASKER

So we think our proposed solution is:

1. Remove the existing [Log On To] computer restrictions listed within each remote user account via the "Active Directory Users and Computers" management administrative tools.

2. Add Domain Policy: Deny log on locally. Add our Remote Users Group to this deny list. This was a previously undefined group policy.

Our remote user access to the RDS host is still provided via the RDS host PC local group "Remote Desktop Users".

This solution does indeed now allow our remote users to use the iOS app for MS RD Client. I think it's a bit rotten that this apparent bug in RD Client v8.1.5 forced our hand to change some of the policy object logistics when, theoretically, the [Log On To] restrictions should also have worked as they were.
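An added audit script for the two-step change above (not part of the thread, and not Microsoft's code): it lists which members of the remote users group still carry a [Log On To] restriction (the AD LogonWorkstations attribute) and whether the RDS host is even on their list, then pulls recent 4625 events from the RDS host whose SubStatus is the workstation-restriction code, so you can confirm the failures stop after step 1. The group name and host name are placeholders to replace; the ActiveDirectory module is assumed to be installed where the script runs.

```powershell
# Audit script added as an example; not code from the thread or from Microsoft.
# Assumes the ActiveDirectory module is available and the placeholders below are replaced.
Import-Module ActiveDirectory

$RemoteUsersGroup = 'Remote Users'   # placeholder: the domain group for remote-only users
$RdsHost          = 'RDSHOST01'      # placeholder: the single RDS session host

# Step 1 check: which remote users still have a [Log On To] restriction?
# The [Log On To] list in ADUC is stored in the LogonWorkstations attribute (comma-separated).
$members = Get-ADGroupMember -Identity $RemoteUsersGroup -Recursive |
           Where-Object { $_.objectClass -eq 'user' }

$restricted = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties LogonWorkstations
    if (-not [string]::IsNullOrEmpty($u.LogonWorkstations)) {
        [pscustomobject]@{
            User              = $u.SamAccountName
            LogonWorkstations = $u.LogonWorkstations
            ListsRdsHost      = (($u.LogonWorkstations -split ',') -contains $RdsHost)
        }
    }
}

if ($restricted) {
    Write-Host "Remote users still restricted by [Log On To] (candidates for step 1):"
    $restricted | Format-Table -AutoSize
    # To clear the restriction after reviewing the list, uncomment the next line:
    # $restricted | ForEach-Object { Set-ADUser -Identity $_.User -LogonWorkstations $null }
} else {
    Write-Host "No member of $RemoteUsersGroup carries a [Log On To] restriction."
}

# Verification on the RDS host: recent 4625 events with SubStatus 0xC0000070
# (STATUS_INVALID_WORKSTATION), the code behind the 4625 Failure Reason
# "User not allowed to logon at this computer." Requires rights to read the remote Security log.
Get-WinEvent -ComputerName $RdsHost -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 200 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d['SubStatus'] -eq '0xc0000070') {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']; From = $d['IpAddress'] }
        }
    } | Format-Table -AutoSize
```

Run the first part before and after step 1; once no remote user is listed, new 4625 events with SubStatus 0xC0000070 for those accounts should no longer appear.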
JReam

ASKER

Hi Alicia - Your solution is working perfectly. Thank you.

Spike99

You're welcome! I'm glad I could help.