Unable to log onto a domain controller using RDP

SCFHP asked:
I have tried the suggestions from the forums and nothing has worked. I was able to RDP to the domain controller with no issues a couple of days ago.
Now I am getting this error:
"To log on to this remote computer, you must be granted the allow log on through Terminal Services right. By default, members of the Remote Desktop User group have this right."

Modifying the group policy and the local security policy has not corrected the issue.

Please advise.

NVIT, End-user support

Commented:
After modifying the GP, have you run GPUPDATE /F on the server you are trying to access?
Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Have you been removed from the domain admins group? Is RDP configured on the server?

Do you get this issue trying to remote into any other DCs?

Will.

Author

Commented:
I have not been removed from the DA group, as I am able to RDP into one of the 3 DCs. Also, RDP has been configured on the server, as I was able to RDP a few days ago with no issues.

DC1 and DC3 are physical, DC2 is virtual, and I can log into DC2 with no issues.

I even tried adding the RDS config Host role, and although not recommended, it did not make a difference. The other thing that is interesting is that no patches or changes have been performed on these 2 DCs. I have removed the RDSH role from the DC to put things back the way they were.
Will Szymkowski, Senior Solution Architect

Commented:
Are all of the appropriate services running/started on the Domain controllers? Have you checked replication and the DC health?

Also, have you been able to reboot the DCs to see if that makes any difference?

Will.
Commented:
All,

Thank you for the replies. I was able to resolve the issue. I am not sure how this happened, but the deny RDP login local secpol setting had Domain Users listed there on both DCs. I removed that and put the Guests sec group there instead, and I am now able to log into both DCs with no issues. Has anyone heard of this happening in their network? If so, do you know how that got changed? No patches or updates were installed on the DCs that could have caused this. Weird!
Will Szymkowski, Senior Solution Architect

Commented:
The only way you will be able to find out what changed this setting would be if you have auditing enabled. Otherwise you will not be able to find out.

Will.

Author

Commented:
I removed Domain Users from the deny secpol setting under Local Policies - User Rights Assignment \ Deny log on through Remote Desktop and put the Guests group there.
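
The check that resolved this thread, plus the audit lookup mentioned above, as an added example that is not part of the original thread: it reads the allow and deny RDP logon rights from a `secedit` export and flags broad groups on the deny side, since a deny right overrides the allow right. The function name `Get-RdpLogonRight`, the `-UseSample` switch and the sample SID are assumptions made for illustration.

```powershell
# Added example: review the RDP logon user rights on a server (run elevated).
param([switch]$UseSample)

# Constructed sample of the [Privilege Rights] section of a secedit export,
# reproducing the state described in the thread (Domain Users, RID 513, denied).
$sample = @'
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-513
'@ -split "`r?`n"

# Everyone, Authenticated Users, Administrators, Users, Domain Admins/Users.
$broad = '^(S-1-1-0|S-1-5-11|S-1-5-32-54[45]|S-1-5-21-.+-51[23])$'

function Get-RdpLogonRight {
    param([string[]]$InfLines)
    foreach ($line in $InfLines) {
        if ($line -notmatch '^\s*(Se(?:Deny)?RemoteInteractiveLogonRight)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        foreach ($entry in ($Matches[2] -split ',').Trim()) {
            if (-not $entry) { continue }
            $sid = $entry.TrimStart('*'); $name = $entry
            if ($entry.StartsWith('*')) {          # secedit writes SIDs as *S-1-...
                try { $name = ([Security.Principal.SecurityIdentifier]$sid).Translate(
                          [Security.Principal.NTAccount]).Value }
                catch { $name = '(unresolved)' }
            }
            [pscustomobject]@{ Right = $right; Sid = $sid; Account = $name
                BlocksAdmins = ($right -like 'SeDeny*' -and $sid -match $broad) }
        }
    }
}

if ($UseSample) { $lines = $sample } else {
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg; Remove-Item $cfg
}
Get-RdpLogonRight -InfLines $lines | Format-Table -AutoSize

# Events 4704/4705 (user right assigned/removed) are only logged if the
# "Authorization Policy Change" audit subcategory was enabled before the change.
if (-not $UseSample) {
    auditpol /get /subcategory:"Authorization Policy Change"
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4704, 4705 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'RemoteInteractiveLogonRight' } |
        Select-Object TimeCreated, Id, Message
}
```

Running it on each DC and comparing the output shows whether the deny entry is present on only some of them; `-UseSample` exercises the parser without touching the local policy.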