Domain Controllers no longer acceptioning RDP sessions

[Guest jaredhattaway]

Since last weeks set of patches none of the Domain Admins have been able to

log onto any of the 15 domain controllers using RDP.

 

The error message when trying to logon:

 

"To log on to this remote computer, you must be granted the Allow log on

through Terminal Services right. By default, members of the Remote Desktop

Users group have this right. If you are not a member of the Remote Desktop

Users group or another group that has this right, or if the Remote Desktop

User group does not have this right, you must be granted this right manually"

 

Remote Desktop is enabled.

 

I have disabled and re-enabled the service as well as manually added the

Domain Admins group and then individual accounts to the Remote Desktop Users

group nothing.

 

No firewall changes have happened either.

 

I have not yet rolled back any patches to see if that fixes the problem.

 

Any ideas?

 

Thanks,

 

Jared

[Guest Vera Noest [MVP]]

Re: Domain Controllers no longer acceptioning RDP sessions

 

Does this happen on DC's only? Did you patch any member servers

(which are not Terminal Servers), and can you still connect to them

with rdp?

Have you checked the permissions on the rdp-tcp connection, in

Terminal Services Connection Configuration?

You could try on one of these DC's to delete the rdp-tcp connection

completely, and then create a new one, since they sometimes become

corrupt (but hardly on 15 servers simultaneously). That should give

you the default permissions.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?amFyZWRoYXR0YXdheQ==?=

<jaredhattaway@discussions.microsoft.com> wrote on 19 nov 2007 in

microsoft.public.windows.terminal_services:

> Since last weeks set of patches none of the Domain Admins have

> been able to log onto any of the 15 domain controllers using

> RDP.

>

> The error message when trying to logon:

>

> "To log on to this remote computer, you must be granted the

> Allow log on through Terminal Services right. By default,

> members of the Remote Desktop Users group have this right. If

> you are not a member of the Remote Desktop Users group or

> another group that has this right, or if the Remote Desktop User

> group does not have this right, you must be granted this right

> manually"

>

> Remote Desktop is enabled.

>

> I have disabled and re-enabled the service as well as manually

> added the Domain Admins group and then individual accounts to

> the Remote Desktop Users group nothing.

>

> No firewall changes have happened either.

>

> I have not yet rolled back any patches to see if that fixes the

> problem.

>

> Any ideas?

>

> Thanks,

>

> Jared

[Guest jaredhattaway]

RE: Domain Controllers no longer acceptioning RDP sessions

 

My apologies... this was not a Microsoft problem.

 

A new admin made a change to the Default DC Policy preventing access.

 

I will go back to putting salve on my forehead from hitting it against the

wall.

 

-Jared