Problem with Terminal Services
We installed Terminal Services onto our server at work, which is a Windows 2003 Server and is a Domain Controller. Since then none of us have been able to RDP onto the server using our admin account (which we were previously able to do without problems). After getting the Windows logon screen and entering our account details we get the message:
“To log onto this remote computer, you must have Terminal Server User Access permissions on this computer. By default, members of the Remote Desktop Users group have these permissions. If you are not a member of the Remote Desktop Users group or another group that has these permissions, or if the Remote Desktop User group does not have these permissions, you must be granted these permissions manually”
This means that we have to physically go over to the server in order to be able to log onto it. Have ensured that our administrator account is a member of the Remote Desktop User group in AD. Have also checked under system properties that “allow remote connections to this computer” is enabled.
Have also amended the local security settings using secpol.msc and adding the administrator and remote desktop users groups in the “Allow logon through Terminal Services” and making sure they are not listed in the “Deny logon through Terminal Services”.
Have gone into the Terminal Services Configuration and ensured that the administrator account for the domain is a member, and has all of the allow permissions and no denied permissions.
Have also tried amending our default GPO and added the administrator account to “Allow log on through Terminal Services”.
If anybody has any ideas on how to resolve this issue it would be great.
Comments
-
crrussell3 Member Posts: 561
Ok, I have to ask... Why was Terminal Services installed on a DC?
As a test (and imo best practice) I would create a new AD group, add whomever you want to be able to RDP into the DC into the group, and add the group manually or via GPO. Don't forget, DCs don't have local users/groups, so you can't rely on them in this case.
MCTS: Windows Vista, Configuration
MCTS: Windows WS08 Active Directory, Configuration -
undomiel Member Posts: 2,818
You would also need to give the group explicit permissions on the TS session as well.
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/ -
whatthehell Member Posts: 920
Perhaps utilize GPResult and check on the Group Policies?
2017 Goals:
[ ] Security + [ ] 74-409 [ ] CEH
Future Goals:
TBD
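
One way to check the "Allow/Deny log on through Terminal Services" rights discussed in this thread, as an added example that is not from any poster: it parses the `[Privilege Rights]` section of a file assumed to come from `secedit /export /cfg rights.inf /areas USER_RIGHTS` on the server and reports whether an account's token is allowed, denied, or simply not granted the right. The function names, the sample INF text and all SIDs except the well-known built-in ones (S-1-5-32-544 Administrators, S-1-5-32-555 Remote Desktop Users) are constructed for illustration.

```python
# Added example. The INF text and every domain SID below are constructed sample data.
ALLOW = "SeRemoteInteractiveLogonRight"      # "Allow log on through Terminal Services"
DENY = "SeDenyRemoteInteractiveLogonRight"   # "Deny log on through Terminal Services"

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
"""

def parse_user_rights(inf_text):
    """Map each right in [Privilege Rights] to the set of SIDs/names holding it."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes SIDs as *S-1-...; some entries may be plain account names.
        rights[name.strip()] = {
            m.strip().lstrip("*").upper() for m in value.split(",") if m.strip()
        }
    return rights

def rdp_logon_verdict(rights, token_sids):
    """token_sids: the account SID plus the SID of every group it is a member of."""
    token = {s.upper() for s in token_sids}
    denied = rights.get(DENY, set()) & token
    if denied:                      # a deny right wins over any allow entry
        return "denied", sorted(denied)
    allowed = rights.get(ALLOW, set()) & token
    return ("allowed", sorted(allowed)) if allowed else ("not granted", [])

if __name__ == "__main__":
    rights = parse_user_rights(SAMPLE_INF)
    dom = "S-1-5-21-1111111111-2222222222-3333333333"
    admin_token = [dom + "-500", dom + "-512", "S-1-5-32-544"]
    print(rdp_logon_verdict(rights, admin_token))
    print(rdp_logon_verdict(rights, admin_token + ["S-1-5-32-555"]))
```

This covers only the user-rights layer; the permissions on the Terminal Services connection itself, mentioned in the replies above, are a separate check. A real export is typically UTF-16, so read it with `encoding="utf-16"` before passing the text in.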