Server 2008 R2 server that several users in the domain (non-domain admins) need to be able to remote to -- added them to a security group in AD ("HPS-BS"), added that security group to Local group of Remote Desktop Users on the server.

(Server is also the RD Licensing Server on the domain)

Daily the security group gets reset to a SID: Example

Thus making it so no one from that group can remote in because they no longer are a member of the local remote desktop users, giving an error of "The connection was denied because the user account is not authorized for remote login".

I have tried several things with no success:

  • Rejoining the domain on the server
  • Reinstalling & reactivating RD licensing for the server
  • Re-adding the server to Terminal Server License Servers group

Any other ideas as to what could be going on?

toups

1 Answer

I would suspect a more fundamental issue, such as domain/global catalog/secure channel connectivity.

Things to check:

Firewall(s).

The RDS server time is in sync with all domain controllers (within the default five minute threshold).

DNS settings are correct on the RDS server and all related DNS zones for the domain.

On the Remote Desktop server, ensure that the group policy settings for encrypting and signing secure channel data are enabled and consistent with all domain controllers:

Computer > Windows Settings > Security Settings > Local Policies > Security Options >

Domain Member: Digitally encrypt or sign secure channel data (always)

That is the default setting.

You can verify the secure channel between the RDS server and the domain controllers using NLTEST on the RDS server:

nltest /sc_verify:domainname  
Greg Askew
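
The checks listed in the answer above, collected into one PowerShell pass. This is an added example, not code from either poster. It assumes an elevated session on the affected RDS server; the SID pattern used to spot unresolved group members and the `$report` layout are this example's own choices.

```powershell
# Added example: run from an elevated PowerShell prompt on the affected RDS server.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
$report = @{}

# Members of the local group that display as a bare SID could not be translated
# to an account name (the symptom in the question). The regex is a heuristic.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
$names = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
$report.UnresolvedMembers = @($names | Where-Object { $_ -match '^S-1-\d+(-\d+)+$' })

# Secure channel: cmdlet result plus the same NLTEST check the answer gives.
$report.SecureChannelOk = Test-ComputerSecureChannel
$report.Nltest = (nltest "/sc_verify:$domain" 2>&1 | Out-String).Trim()

# Netlogon values behind the "Domain member: Digitally encrypt or sign ..." policies.
$p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$report.RequireSignOrSeal = $p.RequireSignOrSeal
$report.SealSecureChannel = $p.SealSecureChannel
$report.SignSecureChannel = $p.SignSecureChannel

# DNS: the domain name and the DC locator SRV record must resolve from this host.
try { $report.DomainAddresses = [System.Net.Dns]::GetHostAddresses($domain) }
catch { $report.DomainAddresses = "lookup failed: $($_.Exception.Message)" }
$report.DcSrvLookup = (nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>&1 | Out-String).Trim()

# Time: offset against a located DC, compared with the 5-minute (300 s) threshold.
try {
    $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
    $sample = w32tm /stripchart "/computer:$dc" /samples:1 /dataonly | Out-String
    if ($sample -match '([+-]\d+\.\d+)s') {
        $report.TimeOffsetSeconds = [double]$Matches[1]
        $report.TimeWithinSkew = [math]::Abs($report.TimeOffsetSeconds) -lt 300
    } else { $report.TimeOffsetSeconds = "no sample: $($sample.Trim())" }
} catch { $report.TimeOffsetSeconds = "DC lookup failed: $($_.Exception.Message)" }

New-Object PSObject -Property $report | Format-List
```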