I have Windows Server 2012R2 virtual servers connected to an Active Directory domain. The servers accept both domain user/pass and domain Smart Card logins. All administrative accounts/users can log in and get to the desktop without issues. However, when a non-administrative AD user attempts to log into the server, it goes through the whole login/profile/etc. process as usual but just as the desktop is about to come up the servers immediately say "Logging off ..." and the session ends.

I have added the AD user(s) to the server's "Remote Desktop Users" group and I have updated and added the user(s)/group to the LGPO "Allow log on through Remote Desktop Services" policy. I have tried numerous suggestions from here and from the web and so far nothing works. If I add the user(s) to the Administrators group they can log in and get to the desktop, and when I remove them from the group they can't.

This is a standard server and is not a connection broker, session host, or domain controller.

Is there something else that I am missing that would prevent non-admin users from getting to their desktop?

n0nuf

1 Answer

You mention smart card logins. Is the ActivClient software installed on this server?

Please check this registry setting: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Shell should be explorer.exe

Userinit can vary depending on what version of ActivClient is installed.

Old versions: C:\Windows\system32\userinit.exe,"C:\Program Files\ActivIdentity\ActivClient\actsinit.exe"

New versions: C:\Windows\system32\userinit.exe,"C:\Program Files\HID Global\ActivClient\actsinit.exe"

It's a good idea to browse to the folder and see if the actsinit.exe file is there. My problem was I updated the ActivClient software and it left the path to the old version in the registry. After I fixed the path to point to the new location, the standard users were able to log on.

Chihaya
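The check described in the answer above can be scripted. The following is an added example, not code from the original post: it reads the Winlogon Shell and Userinit values and reports any Userinit entry whose file is missing on disk. The helper name Test-WinlogonEntry is hypothetical, and the script assumes Userinit entries carry no command-line arguments and no commas inside a path.

```powershell
# Added example: read-only audit of the Winlogon Shell and Userinit values.
# Run in an elevated PowerShell session on the affected server.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogon = Get-ItemProperty -Path $key

# Hypothetical helper: normalise one Userinit entry and test that the file exists.
function Test-WinlogonEntry {
    param([string]$Entry)
    # Strip surrounding whitespace and quotes, expand %SystemRoot%-style variables.
    $path = [Environment]::ExpandEnvironmentVariables($Entry.Trim().Trim('"'))
    # Assumption: bare file names (e.g. "userinit.exe") live in System32.
    if (-not [IO.Path]::IsPathRooted($path)) {
        $path = Join-Path "$env:SystemRoot\System32" $path
    }
    [pscustomobject]@{
        Path   = $path
        Exists = Test-Path -LiteralPath $path -PathType Leaf
    }
}

# Shell: the answer expects explorer.exe (string comparison is case-insensitive).
if ($winlogon.Shell -ne 'explorer.exe') {
    Write-Warning "Shell is '$($winlogon.Shell)', expected 'explorer.exe'"
}

# Userinit is a comma-separated list; a trailing comma yields an empty
# entry, which is skipped here.
$results = $winlogon.Userinit -split ',' |
    Where-Object { $_.Trim() } |
    ForEach-Object { Test-WinlogonEntry -Entry $_ }

$results | Format-Table -AutoSize

# Flag stale entries such as a path left behind by an ActivClient upgrade.
$missing = @($results | Where-Object { -not $_.Exists })
if ($missing.Count -gt 0) {
    $missing | ForEach-Object {
        Write-Warning "Userinit entry not found on disk: $($_.Path)"
    }
} else {
    Write-Output 'All Userinit entries resolve to existing files.'
}
```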