Domain admin cannot remote desktop to domain controller

Cambridge (Member, Posts: 11)
Hello all,

First post here, just starting to study for MCSA. I am stuck on a problem with remote desktop connection. I cannot remote desktop to the domain controller using the domain admin account. Error message:

[image: rd.gif (screenshot of the error message)]

Why do I have to add the domain administrator to the domain Remote Desktop Users group in order to allow him to remote desktop to the domain controller? Isn't the domain administrator supposed to be allowed by default? This is what I thought I had understood, and something else seems to confirm it as well:

In the system properties of the domain controller, remote tab, "select remote users", at the bottom it says: "contoso\administrator already has access".

Now it does let me add the administrator (domain admin account) to the domain remote desktop users group. And indeed if I add it, the problem is solved and I can remote desktop to the domain controller using the domain admin account. Is this normal? Am I missing something?

In RDP-Tcp properties/Permissions, I left everything to default: Contoso\Administrators has full control, Remote Desktop Users have user and guest access.

What's even harder to understand is that if I add simple users (non-admin) to the Remote desktop users group on the domain controller, those users are able to remote desktop to it. I thought that only members of the domain administrators group could remote desktop to a domain controller. So why would adding simple users to the remote desktop users group be enough for my domain controller to grant them access to remote desktop?

In Administrative Tools/Domain Controller Security Policy, as well as in Administrative Tools/Domain Security Policy, I have not changed anything in the "Allow log on through Terminal Services" policy. It's set to "Not defined" in both cases. So I really don't see what's causing this.

Any help appreciated.
Cheers!

Comments

  • sprkymrk (Member, Posts: 4,884)
    First, welcome to the forums. :)

    Second, I'd like to congratulate you on actually giving us enough background information to help you out.

    It's refreshing because usually someone will post with a problem like yours and only give a one sentence description.

    Okay, now I'll have to admit that I need to review how Terminal Services acts with a DC.

    I'll post back if I find something. Meanwhile consider this a "bump" for your topic. :)
    All things are possible, only believe.
  • rjbarlow (Member, Posts: 411)
    Administrator's profile --> Terminal Services Profile tab: maybe this account (strangely) has "Deny this user permissions to log on to any Terminal Server" checked. Try looking there.
    Pork 3
    Maindrian's music

    WIP: 70-236, 70-293 and MCSE.
  • Mishra (Member, Posts: 2,468)
    Cambridge wrote:
        Hello all,

        First post here, just starting to study for MCSA. I am stuck on a problem with remote desktop connection. I cannot remote desktop to the domain controller using the domain admin account. Error message:

        Why do I have to add the domain administrator to the domain Remote Desktop Users group in order to allow him to remote desktop to the domain controller? Isn't the domain administrator supposed to be allowed by default? This is what I thought I had understood, and something else seems to confirm it as well:

    It should be added by default. Is it a test domain you just set up, or something else someone has set up in the past?

        In the system properties of the domain controller, remote tab, "select remote users", at the bottom it says: "contoso\administrator already has access".

        Now it does let me add the administrator (domain admin account) to the domain Remote Desktop Users group. And indeed if I add it, the problem is solved and I can remote desktop to the domain controller using the domain admin account. Is this normal? Am I missing something?

        In RDP-Tcp properties/Permissions, I left everything at default: Contoso\Administrators has full control, Remote Desktop Users have user and guest access.

        What's even harder to understand is that if I add simple users (non-admin) to the Remote Desktop Users group on the domain controller, those users are able to remote desktop to it. I thought that only members of the domain administrators group could remote desktop to a domain controller. So why would adding simple users to the Remote Desktop Users group be enough for my domain controller to grant them access to remote desktop?

    When you add people to the Remote Desktop Users group it indeed gives them access to log on to the domain controller. They do not have administrative rights, however.

        In Administrative Tools/Domain Controller Security Policy, as well as in Administrative Tools/Domain Security Policy, I have not changed anything in the "Allow log on through Terminal Services" policy. It's set to "Not defined" in both cases. So I really don't see what's causing this.

        Any help appreciated.
        Cheers!
    My blog http://www.calegp.com

    You may learn something!
  • sprkymrk (Member, Posts: 4,884)
    To the best of my understanding:

    When a user initiates an RDP connection to a computer, it will establish the connection only if Remote Desktop is enabled either in the System Properties > Remote tab of the computer or in a GPO that applies to that computer. This is obviously already done in your case.

    Next, the user's credentials are checked. The user must have the RIGHT to log on through Terminal Services. If that is verified, then the actual user account properties are checked to see if he is allowed, or if "Deny this user permissions to log on to any Terminal Server" is checked on the Terminal Services Profile tab.

    Last, the user's group membership is checked to make sure he is a member of either the Remote Desktop Users or Administrators groups. If all of these conditions are met, the user can successfully log on. If any one condition is not met, he cannot log on and no other conditions are checked.

    There are also 2 different Remote Desktop Users groups. There is a "local" Remote Desktop Users group on member servers, and then there is also a "Domain Local" Remote Desktop Users group on Domain Controllers. The latter is not assigned the right to log on through Terminal Services by default. I suspect this is the issue you ran into; I am not sure why MS did it this way.

    As for your second question, if you, as an admin, grant joe blow user the right to log on through Remote Desktop to a DC, then they have that right, plain and simple. Without additional rights they won't be able to use tools like ADUC, but they can log on to the DC.

    HTH
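The check sequence described in the post above (Remote Desktop enabled on the box, the per-user Terminal Services Profile deny flag, and membership in the groups that RDP-Tcp grants access to), written out as an added example. This is not code from the thread; it is meant to be run on the DC itself in Windows PowerShell with the ActiveDirectory (RSAT) module, as an administrator. `$SamAccountName` is a hypothetical parameter naming the account to check. The user right itself ("Allow log on through Terminal Services") is not exposed by a cmdlet and is left to a `secedit` export, so it is not covered here.

```powershell
# Added example, not code from the thread. Run on the DC as an administrator.
# Assumes Windows PowerShell with the ActiveDirectory (RSAT) module.
param([Parameter(Mandatory)][string]$SamAccountName)   # hypothetical parameter

Import-Module ActiveDirectory

$report = [ordered]@{ Account = $SamAccountName }

# 1. Is Remote Desktop enabled on this machine? The Remote tab and the equivalent
#    GPO setting both end up in this registry value: 0 = allowed, 1 = denied.
$tsKey = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$report.RemoteDesktopEnabled = ($tsKey.fDenyTSConnections -eq 0)

# 2. The per-user "Deny this user permissions to log on to any Terminal Server"
#    checkbox (Terminal Services Profile tab). ADUC stores it inside the account's
#    userParameters blob; the IADsTSUserEx ADSI interface exposes it as AllowLogon
#    (1 = allowed, 0 = denied).
$adUser = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
$entry  = [ADSI]"LDAP://$($adUser.DistinguishedName)"
try {
    $report.TSProfileAllowLogon = ([int]$entry.psbase.InvokeGet('AllowLogon') -eq 1)
} catch {
    # The TS user extension is not registered on every host; report, don't guess.
    $report.TSProfileAllowLogon = "unknown: $($_.Exception.Message)"
}

# 3. Group membership as it appears in the account's token. tokenGroups is the
#    nested membership, including the domain's builtin groups, which are the
#    "local" Administrators / Remote Desktop Users groups on a DC. Default RDP-Tcp
#    permissions: BUILTIN\Administrators full control, BUILTIN\Remote Desktop Users
#    user access. Domain Admins (RID 512) is nested in Administrators by default.
$sids      = @($adUser.tokenGroups | ForEach-Object { $_.ToString() })
$domainSid = (Get-ADDomain).DomainSID.Value
$report.InAdministrators     = ($sids -contains 'S-1-5-32-544')
$report.InRemoteDesktopUsers = ($sids -contains 'S-1-5-32-555')
$report.InDomainAdmins       = ($sids -contains "$domainSid-512")

# A logon can succeed only if RemoteDesktopEnabled and TSProfileAllowLogon are both
# true and at least one of the group checks is true (plus the user right, not
# checked here). Any false value points at the condition to fix.
[pscustomobject]$report
```

If `TSProfileAllowLogon` comes back as `unknown`, open the account in ADUC and read the Terminal Services Profile tab by hand rather than assuming it is clear; that checkbox is exactly the thing rjbarlow asked about and it is easy to overlook because nothing else in the GUI reports it.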
  • Mishra (Member, Posts: 2,468)
    Another little note that you might want to take is that plain users can only log into other workstation operating systems. This is not allowed on any server system.

    And as for my previous statement, please add that you do have to be a user of the domain controller before you will be able to log into that machine.
  • Cambridge (Member, Posts: 11)
    rjbarlow wrote:
    Administrator profile --> tab Terminal service profile, maybe this account (strangely) has the Deny this user permission to logon... active, try to see there.

    Verified, it's not the case.
    Mishra wrote:
    It should be added by default. Is it a test domain you just setup or something else someone has setup in the past?

    This is a virgin test domain, I am following Microsoft Press' 70-290 Training Kit. To be honest, it is quite possible that, after hours of testing to solve another problem, I removed the domain administrator from the domain remote desktop users group and forgot to add it back. So can you confirm that it is supposed to be in there out of the box? It does make sense, I'm not arguing that. It's just that in the book, when they say that the domain admin should be able to remote desktop to the domain controller by default, I thought it meant that this is something you cannot set yourself anywhere, kind of a built-in property in the OS. That probably sounds silly but I am new to that, still trying to adjust to Microsoft's philosophy.

    I have several other questions following all your answers to my original post, but let's start with that. Thanks for the help.
  • /usr (Member, Posts: 1,768)
    Can you create a new account, add them to the Domain Admins, then try it out?

    As a test just now at work, I remoted into our DC, removed myself from the Remote Desktop Users group, then tried it again. It worked.

    I'm in the Domain Admin group, among others...
  • Silver Bullet (Member, Posts: 676)
    Cambridge wrote:
    I thought it meant that this is something you cannot set yourself anywhere, kind of a built-in property in the OS.

    Have a look in Group Policy under Computer Configuration > Windows Settings > Security Settings > User Rights. You can grant additional groups the right to login at the "Allow logon through Terminal Services". Additionally, you can deny groups with the Deny Logon through Terminal Services. This may be handy if you have a user that belongs to multiple groups and you decide you want one group to have this ability but not the others. (That make sense?)
  • Mishra (Member, Posts: 2,468)
    It is definitely supposed to be in there by default. I'm sure you broke something! ;)
  • Cambridge (Member, Posts: 11)
    /usr wrote:
    Can you create a new account, add them to the Domain Admins, then try it out?

    As a test just now at work, I remoted into our DC, removed myself from the Remote Desktop Users group, then tried it again. It worked.

    I'm in the Domain Admin group, among others...

    Tried that, but the new account cannot remote desktop even when member of Domain Admins. My domain administrator also is a member of domain admins and cannot either.
    Have a look in Group Policy under Computer Configuration > Windows Settings > Security Settings > User Rights. You can grant additional groups the right to login at the "Allow logon through Terminal Services".

    I have it under Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services. I assume that's what you meant. In there, I only have Remote Desktop Users, but neither Domain Admins nor Administrator.

    I think I could summarize my whole problem/questions as follows:

    Out of the box, what specific groups/accounts are supposed to be under Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services on a Domain Controller?

    Out of the box, what specific groups/accounts are supposed to be member of the Remote Desktop Users group?

    On a Domain Controller, what's the difference between:
      1) Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services (currently: Remote Desktop Users only)
      2) Administrative Tools > Domain Security Policy > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services (currently: Not defined)
      3) Administrative Tools > Domain Controller Security Policy > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services (currently: Not defined)

    Thank you so much everyone for the help.
  • Cambridge (Member, Posts: 11)
    Come on, anyone? I really tried to summarize/clarify/simplify all my problems and question in the last post. And my questions are pretty simple I believe, I just need the answers from someone with more experience and who knows. I would really appreciate any help. You don't need to read the whole thread, my last post contains all the unclear remaining points.

    Thanks a lot!
  • dynamik (Banned, Posts: 12,312)
    Cambridge wrote:
    I think I could summarize my whole problem/questions as follows:

    Out of the box, what specific groups/accounts are supposed to be under Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services on a Domain Controller?

    Out of the box, what specific groups/accounts are supposed to be member of the Remote Desktop Users group?

    On a Domain Controller, what's the difference between:
      1) Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services (currently: Remote Desktop Users only)
      2) Administrative Tools > Domain Security Policy > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services (currently: Not defined)
      3) Administrative Tools > Domain Controller Security Policy > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services (currently: Not defined)

    Thank you so much everyone for the help.

    On my servers at work and a few VMs that are fairly new installs, I either have administrators or administrators and remote desktop users listed under: Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services

    I don't believe I ever modified these settings. The pattern I noticed was that domain controllers have only administrators while member servers have administrators and remote desktop users. Again, some of these were setup over two years ago, and I really don't remember if I modified any of these settings. I may have just removed remote desktop users from my domain controllers (but one of my virtual machines is like that too, and I don't think I'd have gone to the effort for that).

    Either way, the administrators group was always assigned that right. If you only have remote desktop users assigned that right, you should be able to either add the account you're trying to connect remotely with to that group, or add the administrators group (assuming your account belongs to that group) to that policy.

    None of my machines had any members for remote desktop users.

    The first item in your list (assuming you targeted the local computer), is the local policy for that machine. The second item is the policy for your entire domain, and the third is the policy for all the domain controllers in your domain.
  • sprkymrk (Member, Posts: 4,884)
    Out of the box, what specific groups/accounts are supposed to be under Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services on a Domain Controller?
    Local Administrators and the local Remote Desktop Users group have this right on member servers; I could not find a reference specific to DCs.
    Out of the box, what specific groups/accounts are supposed to be member of the Remote Desktop Users group?
    No one.
    http://technet2.microsoft.com/windowsserver/en/library/73de2d7f-3cc3-4afb-88a2-dd0698c5d5091033.mspx?mfr=true

    On a Domain Controller, what's the difference between:

    1)Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services
    (currently: Remote Desktop Users only)
    This setting applies to just that particular server or DC.
    2)Administrative Tools > Domain Security Policy > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services
    (currently: Not defined)
    Applies to all servers/workstations in the domain.
    3)Administrative Tools > Domain Controller Security Policy > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services
    (currently: Not defined)
    Applies to all DC's in your domain, but not member servers.

    Contrary to what you stated, these are not really simple questions. That's the likely reason no one has offered any input. Unless someone knows this off the top of their head, it takes time and research to answer these. My answers are my honest-to-goodness best shot, but I could stand corrected if you can find an MS paper explaining the things you asked about. I've included a few links that might help, but I couldn't find exactly the information you were looking for.

    http://technet2.microsoft.com/windowsserver/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=true
    http://technet2.microsoft.com/windowsserver/en/library/f6e01e51-14ea-48f4-97fc-5288a9a4a9b11033.mspx?mfr=true
    http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch04n.mspx
    http://technet2.microsoft.com/windowsserver/en/library/f21957b3-26bd-4085-bc44-73fac78340a41033.mspx?mfr=true

    Hey, I see dynamik beat me to the punch. His info looks spot on.
  • gazanga (Member, Posts: 7)
    In a bootcamp class I'm in, I learned that on a domain controller, and only on a dc, you have to explicitly allow ts/rd on the DC. By default, Microsoft will not let you remote desktop to a dc without this setting. It's a security feature.
  • messerf (Member, Posts: 1)
    Hi Cambridge,

    I had the same problem on a freshly installed server.
    I installed the DC like all the others before it but could not connect via Remote Desktop. The only difference from all the other servers was that sysprep had once been run on this one. After comparing the server with the others I found no difference in the rights.
    I found a workaround to log on with the admin again: I added the administrator account directly to the RDP-Tcp permissions, and then I was able to log on again.
    Maybe someone can find the real cause, because the domain group "Remote Desktop Users" was there as usual with the right permissions and the admin was also in the group.

    [image: tsprob.jpg (screenshot of the error message)]

    Bye
    Messerf
  • mwenenko (Member, Posts: 2)
    I had the same problem as in the two earlier screenshots, but I found some more info after I ran this command:

    FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

    C:\WINDOWS\SECURITY\LOGS\WINLOGON.LOG
    Cannot find domain administrators.
    Cannot find domain administrators.

    What may be the cause of not being able to find the domain administrators group?
  • mwenenko (Member, Posts: 2)
    I could fix my issue... somebody had added "domain administrators" instead of "domain admins" in the "Log on locally" security policy, and that caused the problem. I removed the extra letters and reloaded the security policy. Now administrator can log on to the domain controller.
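The failure mwenenko found is a name in a user-rights entry that the security engine cannot resolve to a SID (hence "Cannot find domain administrators" in winlogon.log), and the same export is where you verify sprkymrk's "user must have the RIGHT to log on through Terminal Services" step and Silver Bullet's allow/deny pairing. The following is an added example, not code from the thread, that parses the `[Privilege Rights]` section of a `secedit /export` template, resolves every principal in the four logon rights, and flags any that do not resolve. It assumes Windows PowerShell; `Get-UserRightsReport` and the sample template text are hypothetical and constructed for the example, and the sample deliberately contains the typo from the thread.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell.
# Get-UserRightsReport and the sample template below are hypothetical.
function Get-UserRightsReport {
    param([Parameter(Mandatory)][string[]]$TemplateLines)

    # Privilege names as secedit writes them. A Deny right overrides its Allow twin.
    $wanted = @{
        SeInteractiveLogonRight           = 'Allow log on locally'
        SeDenyInteractiveLogonRight       = 'Deny log on locally'
        SeRemoteInteractiveLogonRight     = 'Allow log on through Terminal Services'
        SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
    }

    $inSection = $false
    foreach ($line in $TemplateLines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $privilege, $value = $Matches[1], $Matches[2]
        if (-not $wanted.ContainsKey($privilege)) { continue }

        foreach ($token in ($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            $status = 'ok'; $sidValue = $null; $name = $null
            try {
                if ($token.StartsWith('*')) {
                    # secedit writes resolved principals as *S-1-5-...; map back to a name.
                    $sid      = [System.Security.Principal.SecurityIdentifier]($token.Substring(1))
                    $sidValue = $sid.Value
                    $name     = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } else {
                    # A bare name is one somebody typed into the policy; it must resolve.
                    $name     = $token
                    $sidValue = ([System.Security.Principal.NTAccount]$token).Translate(
                                    [System.Security.Principal.SecurityIdentifier]).Value
                }
            } catch {
                $status = 'UNRESOLVED'   # the winlogon.log "Cannot find <name>" case
            }
            [pscustomobject]@{
                Right     = $wanted[$privilege]
                Privilege = $privilege
                Principal = $name
                SID       = $sidValue
                Status    = $status
            }
        }
    }
}

# Constructed sample shaped like "secedit /export /cfg rights.inf /areas USER_RIGHTS"
# output: Administrators (544) and Account Operators (548) plus the thread's typo in
# the local-logon right, Remote Desktop Users (555) in the TS right, Guests (546) denied.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,domain administrators
SeRemoteInteractiveLogonRight = *S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Get-UserRightsReport -TemplateLines $sample | Format-Table -AutoSize

# On the DC, audit the policy actually in force (secedit writes UTF-16 files):
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Get-UserRightsReport -TemplateLines (Get-Content "$env:TEMP\rights.inf" -Encoding Unicode)
```

Anything reported as `UNRESOLVED` is a candidate for the "Cannot find" message; an account that is missing from the Allow row, or present in the Deny row, fails sprkymrk's second condition before group membership is ever consulted. Because the local, Domain, and Domain Controllers policies dynamik and sprkymrk distinguish are merged before they reach the machine, run the export on the DC itself rather than reading any one of the three GPOs in isolation, and use `gpresult` to see which of them supplied the winning value.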
  • Mishra (Member, Posts: 2,468)
    mwenenko wrote:
    I could fix my issue... somebody had added "domain administrators" instead of "domain admins" in the "Log on locally" security policy, and that caused the problem. I removed the extra letters and reloaded the security policy. Now administrator can log on to the domain controller.

    Well there you go. First 2 posts in techexams and you are talking to yourself. ;)