# Solved: RDP wrongly insists user is NOT allowed via Terminal Services Access Rights



## dlipman (Feb 14, 2013)

I am the Domain Administrator. I have lost access to one of my servers, Server 2008 Standard R2.

I now get...

The built-in "*Remote Desktop Users*" group is populated with a domain-based group for remote access.

I have a GPO for the "Default Domain Controllers Policy" where *security settings\local policies\user rights assignment* --> "*Allow log on through Remote Desktop Services*" has been properly populated.

I can use RDP to access domain-joined workstations but I lost access to the server.

I have Google-searched for relevant documents but all I can find tells me what I can do to set it up, verifying that what I have done is already correct.

I have even gone into "*Remote Desktop Session Host Configuration*" --> rdp-tcp --> security

I verified settings and added users and groups to no avail.

_*Any ideas as to why the "allow terminal services access rights" got broken or how it may be corrected?*_


----------



## valis (Sep 24, 2004)

howdy dlipman, and welcome to TSG.

When did this start? And how? Was there any indication as to what happened? Have you checked the event logs? The only time I've seen that on a domain, I had to add to a workgroup and then re-add to the domain, and that cured it.

thanks, 

v


----------



## dlipman (Feb 14, 2013)

Thanks for the reply.

It started after I rebuilt the server. An offsite user complained he could not access the server. I was already remoted in. This was Monday.

I verified his password but I had problems with his access to the server via RDP.

I kept testing the account to no avail.

Maybe I was tired, who knows. But I went into Server Roles and I added "*Remote Desktop Servers*" ( _albeit all I needed was the two simultaneous RDP sessions Server 2008 already provides_ ).

When I rebooted the server, I was no longer able to access the server via RDP ( _or with any other account_ ).

Tuesday was a US Federal Holiday ( _*Thank you Veterans for all you have sacrificed !*_ )

Today I came in, still no access so I removed "*Remote Desktop Servers*" and rebooted.

I have been struggling to figure this out since.


----------



## valis (Sep 24, 2004)

since you rebuilt the server, you may want to double check that their accounts on that box don't have to be rebuilt. Is it a DC or a file server?

also, have you read this yet?


----------



## dlipman (Feb 14, 2013)

Yes and yes.

It is a DC and is also a F/S.


----------



## valis (Sep 24, 2004)

so you can or cannot currently rdp into that box? If you can get in, have you verified that the box has remote desktop enabled?

I'm heading out shortly, but this forum is generally pretty well read for a buncha volunteers. If I'm not back on this evening I will be around 6 am CST tomorrow.

thanks,

v


----------



## dlipman (Feb 14, 2013)

I cannot get in, as myself, the Domain Administrator.

I cannot remote in with any account.

In the TechNet blog you referenced it states...



> By default, the *Administrators* and *Remote Desktop Users* groups are given remote logon rights. So, users who are a part of these groups will be authorized to logon remotely to the server.


I had it...
I lost it...
_I need to get it back. _


----------



## valis (Sep 24, 2004)

do you have physical access to that box? That may be the only way left, stand in front of it and verify that that wasn't dumped when you deleted the remote desktop servers.

I'm assuming you are on the domain remotely; can you ping the box? What happens when you try to navigate by UNC and IP?


----------



## dlipman (Feb 14, 2013)

I was physically in front of the box for seven hours prior to my post.

I got nowhere. That's why I made the post.

I either used the LAN IP or the static WAN IP and always get... ( including now )

Nothing wrong using UNC via `\\IP` or `\\SERVER_NAME`

I can use, right now, *TELNET WAN_IP 3389* and get a connection, just no authentication.

The networking is not the problem. It is a group/Security issue.

As far as the Winlogon process is concerned, the user doesn't have the authority that is granted by being in "*Allow log on through Remote Desktop Services*".

There is a disconnect there. I think the Event Log showed Event 4625 with sub-type 0xc000015b "*The user has not been granted the requested logon type at this machine.*"


----------
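The 4625 / 0xC000015B observation above is the one hard data point in the thread, so here is an added example (not posted by either participant) that pulls recent 4625 events from the Security log and decodes the Status/SubStatus fields, so a "logon type not granted" failure can be told apart from a bad password or locked account. It assumes an elevated PowerShell prompt on the server being diagnosed; the status table is the subset of NTSTATUS codes commonly seen in 4625 events, and the function names are chosen here.

```powershell
# Added example, not from the thread: decode recent 4625 (logon failure) events.
# Assumes an elevated prompt on the host whose Security log is being read.

$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

# NTSTATUS values that appear in 4625 Status/SubStatus. 0xC000015B is the one that
# points at user-rights assignment rather than at the credentials themselves.
$NtStatusNames = @{
    '0x00000000' = '(none)'
    '0xC000006D' = 'Logon failure (see SubStatus)'
    '0xC000006A' = 'Wrong password'
    '0xC0000064' = 'User name does not exist'
    '0xC0000072' = 'Account disabled'
    '0xC0000071' = 'Password expired'
    '0xC0000193' = 'Account expired'
    '0xC0000234' = 'Account locked out'
    '0xC000015B' = 'User has not been granted the requested logon type at this machine'
    '0xC000018C' = 'Trust relationship with the domain failed'
    '0xC0000133' = 'Clock skew too great'
}

function Format-NtStatus {
    param([string]$Raw)
    # The event stores the code as e.g. "0xc000015b"; normalise it for the lookup.
    $code = '0x{0:X8}' -f [int64]$Raw
    $name = $NtStatusNames[$code]
    if ($name) { "$code $name" } else { "$code (unmapped)" }
}

function ConvertFrom-LogonFailureEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # The rendered message is localised; the EventData XML is not, so parse that.
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    New-Object PSObject -Property @{
        Time      = $Event.TimeCreated
        Account   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        LogonType = $LogonTypeNames[[int]$d['LogonType']]
        Status    = Format-NtStatus $d['Status']
        SubStatus = Format-NtStatus $d['SubStatus']
        Source    = '{0} ({1})' -f $d['WorkstationName'], $d['IpAddress']
    }
}

function Get-LogonFailures {
    param([int]$MaxEvents = 100)
    # RDP attempts are logon type 10. With NLA enabled the CredSSP pre-authentication
    # fails as type 3 instead, so keep both and let Status explain the failure.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-LogonFailureEvent $_ } |
        Where-Object { $_.LogonType -match '^(RemoteInteractive|Network)' }
}

# Usage:
# Get-LogonFailures | Format-Table Time, Account, LogonType, Status, SubStatus -AutoSize
```

When the right is missing, 4625 carries 0xC000015B in Status with SubStatus 0x0, which is why both fields are decoded; a wrong password shows 0xC000006D with SubStatus 0xC000006A instead, and the two should not be chased the same way.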



## dlipman (Feb 14, 2013)

Event Log Entry


----------



## dlipman (Feb 14, 2013)

I just installed the Remote Desktop Services and Licensing Server to the Server Roles and applied two Per User RDP CALs.

No change.

I ran RSOP on the server to see if there are conflicting policies or "*Deny log on through Remote Desktop Services*".

"*Deny log on through Remote Desktop Services*" is Not Defined so there are no explicit denials.

The "Default Domain Controller Policy" is the Source GPO and it is properly populated.

I can't find any reason for a denial and the following result...


----------



## dlipman (Feb 14, 2013)

Ok..... too quiet.

Are there any command line utilities (not GUI) that I can run to verify the underlying requirements?

Check SIDs, registry entries, dependencies... _*Anything*_?


----------
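Nobody in the thread answered the command-line question, so here is an added example (not from either participant) that does the checks asked for without the GUI: which SIDs currently hold "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight) and its Deny counterpart on this host, whether a given domain account's logon token would actually contain one of those SIDs, and what the RDP listener registry values say. It uses only secedit, the .NET SID classes and System.DirectoryServices, so it runs on a 2008 R2 DC without the AD module. It assumes an elevated prompt on a domain-joined host; the function names and the temp file path are chosen here.

```powershell
# Added example, not from the thread: verify the RDP logon right from the command line.
# Assumes an elevated prompt on a domain-joined host (the DC itself in this thread).

function Get-PrivilegeRightSids {
    param([string]$Right)
    # secedit dumps the effective local security database as an INI file; user rights
    # live under [Privilege Rights] as comma-separated entries prefixed with '*'.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit /export /cfg $inf /quiet | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item $inf -Force -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right not defined at all: nobody holds it
    ([string]$line).Split('=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

function Resolve-Sid {
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # orphaned or non-SID entry: show it raw
}

function Get-AccountTokenSids {
    param([string]$SamAccountName)
    # tokenGroups is a constructed attribute: the DC expands nested membership for us,
    # which is what LSA evaluates user rights against at logon.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"   # trusted admin input only
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "'$SamAccountName' not found in the domain" }
    $entry = $hit.GetDirectoryEntry()
    $entry.RefreshCache([string[]]@('tokenGroups'))
    $sids = foreach ($bytes in $entry.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
    $own = New-Object System.Security.Principal.SecurityIdentifier($entry.Properties['objectSid'][0], 0)
    # Everyone and Authenticated Users are added by LSA at logon, not stored in AD.
    @($own.Value) + @($sids) + @('S-1-1-0', 'S-1-5-11')
}

function Test-RdpLogonRight {
    param([string]$SamAccountName)
    $allow = @(Get-PrivilegeRightSids 'SeRemoteInteractiveLogonRight')
    $deny  = @(Get-PrivilegeRightSids 'SeDenyRemoteInteractiveLogonRight')
    $token = @(Get-AccountTokenSids $SamAccountName)
    $grantedBy = @($allow | Where-Object { $token -contains $_ })
    $deniedBy  = @($deny  | Where-Object { $token -contains $_ })
    New-Object PSObject -Property @{
        Account      = $SamAccountName
        RightHolders = ($allow     | ForEach-Object { Resolve-Sid $_ }) -join ', '
        GrantedVia   = ($grantedBy | ForEach-Object { Resolve-Sid $_ }) -join ', '
        DeniedVia    = ($deniedBy  | ForEach-Object { Resolve-Sid $_ }) -join ', '
        # Deny wins. An empty GrantedVia is exactly the 0xC000015B case in a 4625 event.
        WouldPassLsa = ($grantedBy.Count -gt 0 -and $deniedBy.Count -eq 0)
    }
}

function Get-RdpListenerConfig {
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    New-Object PSObject -Property @{
        ConnectionsDenied = [bool]$ts.fDenyTSConnections   # 1 = Remote Desktop disabled
        NlaRequired       = [bool]$tcp.UserAuthentication  # 1 = Network Level Authentication
        SecurityLayer     = $tcp.SecurityLayer             # 0 RDP, 1 Negotiate, 2 TLS
    }
}

# Usage:
# Test-RdpLogonRight 'dlipman' | Format-List
# Get-RdpListenerConfig
```

Two caveats: RightHolders that print as a raw S-1-5-21-... SID are orphaned entries (the account or group behind them no longer resolves), and the Allow list can legitimately contain Administrators (S-1-5-32-544) and Remote Desktop Users (S-1-5-32-555) while the account still fails, if its tokenGroups do not actually include either of those, which is the membership side this check exposes rather than the policy side that RSOP shows.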



## dlipman (Feb 14, 2013)

_*I have resolution !*_

It was suggested that I create a new user and test RDP.

That brought me, as an administrator, to a situation where I think group memberships were calling themselves in a kind of self-circle. Maybe something like in a dictionary where a word being defined can't be in its definition. { _or something to that effect_ }

For the user it was a SID issue. I deleted the old account, created a new account, added that user and all is well. Then it was just a matter of tweaking security permissions.


----------
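The resolution post suspects groups "calling themselves in a kind of self-circle", i.e. a nesting loop (A is a member of B, B is a member of A), without saying how it was found. As an added example (not from the thread), this walks memberOf upward from an account and reports every group reached again while it is still on the current path, so a loop shows up as an explicit chain. It uses System.DirectoryServices only, so it runs on 2008 R2 without the AD module, and assumes a domain-joined host; Trace-MemberOf and Find-GroupNestingLoops are helper names chosen here.

```powershell
# Added example, not from the thread: find group-nesting loops reachable from an account.
# Assumes a domain-joined host; memberOf only shows groups from this domain.

function Trace-MemberOf {
    param([string]$Dn, [System.Collections.ArrayList]$Path,
          [hashtable]$Done, [System.Collections.ArrayList]$Loops)
    $Dn = $Dn.ToLowerInvariant()   # DNs are case-insensitive; normalise for comparison
    if ($Path -contains $Dn) {
        # Back edge to a group still being expanded: that is a nesting loop.
        $arr = $Path.ToArray()
        $i = [array]::IndexOf($arr, $Dn)
        $cycle = @($arr[$i..($arr.Length - 1)]) + $Dn
        [void]$Loops.Add(($cycle -join ' -> '))
        return
    }
    if ($Done[$Dn]) { return }     # fully explored via another branch; no loop through it
    [void]$Path.Add($Dn)
    # A DN containing '/' would need escaping in the LDAP path; plain DNs are assumed.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dn")
    foreach ($parent in @($entry.Properties['memberOf'])) {
        Trace-MemberOf -Dn ([string]$parent) -Path $Path -Done $Done -Loops $Loops
    }
    $Path.RemoveAt($Path.Count - 1)
    $Done[$Dn] = $true
}

function Find-GroupNestingLoops {
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"   # trusted admin input only
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "'$SamAccountName' not found in the domain" }
    $start = [string]$hit.Properties['distinguishedname'][0]
    $loops = New-Object System.Collections.ArrayList
    Trace-MemberOf -Dn $start -Path (New-Object System.Collections.ArrayList) -Done @{} -Loops $loops
    if ($loops.Count -eq 0) { "No nesting loops reachable from $start" } else { $loops }
}

# Usage: Find-GroupNestingLoops 'dlipman'
```

A loop does not by itself remove a right, since the DC still computes a finite tokenGroups set, so a reported chain is a lead to untangle rather than proof of the cause; running it before and after the account recreation described above is the way to tell whether the old account sat inside such a chain.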



## valis (Sep 24, 2004)

wow.....my apologies, have been busy with a corporate move.....I want to say thanks for posting the solution; far too frequently the user just says thanks and disappears.

Again, my apologies.

thanks, 

v


----------



## dlipman (Feb 14, 2013)

*valis:*

Nothing to apologize for. You have given me your personal time to assist me with my problem. I can only _*Thank You*_ for the time you gave me and the place to "vocalize" the problem ( _so to speak_ ).

I cannot, and will not, ask for help in any Usenet news group or web forum and not keep the thread up-to-date. Even if it "appears" that I am talking to myself. Obviously I can't put all my eggs in one basket so I had to ask questions in other locations, looking for that one person who looks at the problem from an angle that I missed.

Once I have some kind of resolution I *MUST* go back to each location and supply feedback. Otherwise I have not been a good participant and I have wasted YOUR TIME. If that were the case, how could I come back, in the future, with good conscience and pose another query?


----------



## valis (Sep 24, 2004)

my friend, you are welcome here as long as you wish to stay.


----------

