
RDP Issue with Domain Admin Account on A Domain Controller



Guest Rashid
Posted

I was using a tool to "fix" vulnerabilities on my system. Normally, on member servers, I back out the tool's terminal server related "fixes" with changes to the registry. However, this time, it doesn't appear to be working.

I am unable to logon to one domain controller using RDP with THE domain admin account. The local registry settings are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"Shadow"=dword:00000000
"fAllowToGetHelp"=dword:00000000
"fWritableTSCCPermTab"=dword:00000000
"MinEncryptionLevel"=dword:00000003
"DeleteTempDirsOnExit"=dword:00000001
"fResetBroken"=dword:00000001
"fAllowUnsolicited"=dword:00000000
"fEncryptRPCTraffic"=dword:00000001

The Default Domain Controller Security Policy for Terminal Services is Not Defined for both Allow and Deny. I did try to specifically set an Allow but it had no effect so I backed it out. The Domain Security Policy is also Not Defined and has never been touched.

I have looked over other similar posts but none seem to be 100% relevant or work for me. Any suggestions?

Guest Vera Noest [MVP]
Posted

Re: RDP Issue with Domain Admin Account on A Domain Controller

 

What error message do you get when you try to connect?
Can you logon to the console of the DC?
Are there any errors or warnings in the EventLog on the server?
Is the server still configured to allow Remote Desktop for Administration connections?
Have you checked the security settings on the rdp-tcp connection, in Terminal Services Configuration?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Rashid <Rashid@discussions.microsoft.com> wrote on 11 jun 2008 in microsoft.public.windows.terminal_services:

> I was using a tool to "fix" vulnerabilities on my system.
> Normally, on member servers, I back out the tool's terminal
> server related "fixes" with changes to the registry. However,
> this time, it doesn't appear to be working.
>
> I am unable to logon to one domain controller using RDP with THE
> domain admin account. The local registry settings are:
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
> "Shadow"=dword:00000000
> "fAllowToGetHelp"=dword:00000000
> "fWritableTSCCPermTab"=dword:00000000
> "MinEncryptionLevel"=dword:00000003
> "DeleteTempDirsOnExit"=dword:00000001
> "fResetBroken"=dword:00000001
> "fAllowUnsolicited"=dword:00000000
> "fEncryptRPCTraffic"=dword:00000001
>
> The Default Domain Controller Security Policy for Terminal
> Services is Not Defined for both Allow and Deny. I did try to
> specifically set an Allow but it had no effect so I backed it
> out. The Domain Security Policy is also Not Defined and has
> never been touched.
>
> I have looked over other similar posts but none seem to be 100%
> relevant or work for me. Any suggestions?

  • 1 month later...
Guest Rashid
Posted

Re: RDP Issue with Domain Admin Account on A Domain Controller

 

I apologize for not replying sooner. An even bigger issue took me away from this one. Now I am returning to it. Good ideas but so far, nothing is checking out. See my responses below:

> What error message do you get when you try to connect?

Warning Box Title: Logon Message
Warning Box Body: To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop User group does not have this right, you must be granted this right manually.

> Can you logon to the console of the DC?

Yes

> Are there any errors or warnings in the EventLog on the server?

There is nothing specific in the System/Application EventLogs. The security logs of course are full of information because there is extensive auditing going on but nothing that I can specifically find.

> Is the server still configured to allow Remote Desktop for
> Administration connections?

Yes

> Have you checked the security settings on the rdp-tcp connection,
> in Terminal Services Configuration?

I am not finding any differences in all of the settings for the RDP-TCP connection that is different from other servers that are working. The users/rights in the permissions tab are a match.
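
An added example, not part of the thread or any poster's words: one way to see which accounts hold the right named in the error message above, and whether a deny entry exists, by parsing a `secedit` user-rights export. The sample lines and SIDs are constructed; `SeRemoteInteractiveLogonRight` and `SeDenyRemoteInteractiveLogonRight` are the policy names of the allow and deny Terminal Services logon rights.

```powershell
# Added example, not from the thread. Lists who holds the allow and deny
# "log on through Terminal Services" rights in a secedit user-rights export.
# For live data on the server (elevated prompt), replace the sample with:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $lines = Get-Content "$env:TEMP\rights.inf"

# Constructed sample (not the poster's data). 544 = Administrators, 555 = Remote Desktop Users.
$lines = @(
    '[Privilege Rights]',
    'SeInteractiveLogonRight = *S-1-5-32-544',
    'SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555',
    'SeDenyRemoteInteractiveLogonRight = *S-1-5-32-544'
)

function Get-RightHolders {
    param([string[]]$Lines, [string]$Right)
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            # Entries are comma-separated; SIDs carry a leading '*'.
            return $Matches[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        }
    }
}

function Resolve-Holder {
    param([string]$Entry)
    if (-not $Entry.StartsWith('*')) { return $Entry }   # already an account name
    $sid = $Entry.TrimStart('*')
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sid   # cannot be resolved on this host; show the raw SID
    }
}

# @() keeps the result an array even when the right is unassigned or has one holder.
$allow = @(Get-RightHolders -Lines $lines -Right 'SeRemoteInteractiveLogonRight')
$deny  = @(Get-RightHolders -Lines $lines -Right 'SeDenyRemoteInteractiveLogonRight')

'Allow log on through Terminal Services:'
$allow | ForEach-Object { '  ' + (Resolve-Holder $_) }
'Deny log on through Terminal Services:'
$deny | ForEach-Object { '  ' + (Resolve-Holder $_) }

# A deny entry takes precedence over an allow entry for the same principal.
$both = @($allow | Where-Object { $deny -contains $_ })
if ($both.Count -gt 0) { 'In both lists (deny wins): ' + (($both | ForEach-Object { Resolve-Holder $_ }) -join ', ') }
```

If the allow line is missing from a live export, the right is assigned to no one in the effective policy.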

