Terminal Services on Domain Controller

[Guest Jeff Yana]

Dear List-

 

I have two DCs in a root forest domain in which I have lost the ability to

connect using RDP. It all started when I mistakenly choose to modify User

Access Rights in the Default Domain Controller GPO. I have reset the Default

Domain Controller User Access Rights back to the defaults, but with no

results. I have even tried removing the DCs from their default OU, refreshing

their GPOs, but again with no results. As best as I can recall, the only

setting that I originally modified was adding the default Administrator user

to the Deny logon using TS setting.

 

Any suggestions on how best to troubleshoot this issue? As a non-MS user, I

find Window's poor logging functionality very frustrating and bewildering.

 

Thanks.

[Guest Vera Noest [MVP]]

Re: Terminal Services on Domain Controller

 

Since the cause of the problem has nothing to do with TS, you will

probably get better help in a GPO newsgroup, like

microsoft.public.windows.group_policy

 

I'm not sure what kind of logging you are looking for. From the OS

point of view, nothing is wrong, it's simply configuring the server

according to the settings in the GPO. So it won't log this as an

error. If you want to, you can check that this is true:

 

221833 - How to enable user environment debug logging in retail

builds of Windows

http://support.microsoft.com/?kbid=221833

 

Interpreting Userenv log files

http://technet2.microsoft.com/WindowsServer/en/Library/ccd7b430-

99a5-40fd-b68a-6c1979e565a21033.mspx

 

I expect that you will find an entry for your failed attempts to

logon in the Security part of the EventLog on the server (assuming

that you have enabled auditing of security events).

 

By the way, Windows administrators usually make a backup of a GPO

before modifying it :-)

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?SmVmZiBZYW5h?= <JeffYana@discussions.microsoft.com>

wrote on 01 jun 2008 in

microsoft.public.windows.terminal_services:

> Dear List-

>

> I have two DCs in a root forest domain in which I have lost the

> ability to connect using RDP. It all started when I mistakenly

> choose to modify User Access Rights in the Default Domain

> Controller GPO. I have reset the Default Domain Controller User

> Access Rights back to the defaults, but with no results. I have

> even tried removing the DCs from their default OU, refreshing

> their GPOs, but again with no results. As best as I can recall,

> the only setting that I originally modified was adding the

> default Administrator user to the Deny logon using TS setting.

>

> Any suggestions on how best to troubleshoot this issue? As a

> non-MS user, I find Window's poor logging functionality very

> frustrating and bewildering.

>

> Thanks.