
Small 2003 domain with <50 clients. Today I was unable to RDP to my usual set of servers using my domain admin account. I get the error of: "To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the remote desktop users group does not have this right, you must be granted this right manually."

I then attempted to do so with the administrator@domain account, and that failed as well. I consoled into one server using VMware console. This is a server that is set for all employees to be a part of the local Remote access group. RDPing to that server using any credentials failed.

I would like advice on how to get the domain administrators back able to RDP.

Eric
  • It sounds like you may have moved your administrators group around in AD - or possibly removed them from the Remote Desktop Users. Check this in AD first. It could also be a result of changing GPO. – user987654321 Jan 25 '16 at 18:24
  • Administrator's group is still in builtin. Looks like it has the usual members. GPO might be, I know we had someone poking in there the other day but the scope wasn't related to RDP or terminal services. Is there a way to look at a log of all GPO changes and when they happened? This is acting like a deny all, and I have no idea how to fix it. – Eric Jan 25 '16 at 18:32
  • GPO shows for policy 'remote desktop enabled', it is unchecked for enforced. Windows Settings > Security Settings > Local Policies > policy: 'Allow Log on through terminal services', setting is blank. – Eric Jan 25 '16 at 18:55
  • [Windows Server 2003 extended support ended on July 14, 2015](https://www.microsoft.com/en-us/server-cloud/products/windows-server-2003/). – HopelessN00b Jan 25 '16 at 19:44
  • Are you sure no one set up a restricted groups group policy and locked out the admin account by error? I have seen that in the past, and it gave the same symptom. – yagmoth555 Jan 25 '16 at 19:51

2 Answers


Two things work to allow or deny a user the ability to log on via Terminal Services: user rights and permissions. Make sure the user in question has both.


joeqwerty
  • Terminal Services Configuration\connections shows administrators has full control, and remote desktop users have guest and user. No deny anywhere. The users in question are all the domain admins. I am nervous this is messed up badly. – Eric Jan 25 '16 at 19:07
  • I noticed I was logged in with RDP as my admin account to the two domain controllers. I closed out one and reattempted to login to it - and got the same error. Guess I logged into it before the change in rights happened. – Eric Jan 25 '16 at 19:08
  • Make sure to check the User Rights Assignment in the Local Security Policy that Administrators has that user right. The Domain Admins group should be a member of the local Administrators group so check that as well. – joeqwerty Jan 25 '16 at 19:09
  • Domain controllers don't have local users, right? So I can't do that. – Eric Jan 25 '16 at 19:19
  • Oh, forgot this was a DC. – joeqwerty Jan 25 '16 at 19:21
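
The user-rights half of the check in the answer above can be read from a `secedit /export /cfg rights.inf /areas USER_RIGHTS` file. The following is an added example, not part of any answer in this thread: it assumes the export has been decoded to text (secedit writes UTF-16), the function names are hypothetical, and the sample export is constructed.

```python
# Constructed sample of a secedit USER_RIGHTS export, already decoded to text.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight =
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

ALLOW = "SeRemoteInteractiveLogonRight"     # Allow log on through Terminal Services
DENY = "SeDenyRemoteInteractiveLogonRight"  # Deny log on through Terminal Services
WELL_KNOWN = {"S-1-5-32-544": "BUILTIN\\Administrators",
              "S-1-5-32-546": "BUILTIN\\Guests",
              "S-1-5-32-555": "BUILTIN\\Remote Desktop Users"}

def parse_rights(inf_text):
    """Return {right: set of SIDs or names} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # Entries are comma separated; SIDs carry a leading '*'.
            rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def rdp_logon_findings(rights, principal_sids):
    """List reasons why an account holding principal_sids cannot log on via RDP."""
    allow, deny = rights.get(ALLOW), rights.get(DENY, set())
    findings = []
    if allow is None:
        findings.append(f"{ALLOW} is absent: no account is listed for it in this export")
    elif not allow:
        findings.append(f"{ALLOW} is defined but empty: nobody may log on via RDP")
    elif not allow & principal_sids:
        findings.append(f"{ALLOW} does not list any of the account's groups")
    for sid in sorted(deny & principal_sids):
        findings.append(f"{DENY} lists {WELL_KNOWN.get(sid, sid)}: deny wins over allow")
    return findings

if __name__ == "__main__":
    # Group SIDs held by a domain admin (constructed; the domain SID is a placeholder).
    admin_sids = {"S-1-5-32-544", "S-1-5-21-1111111111-2222222222-3333333333-512"}
    for finding in rdp_logon_findings(parse_rights(SAMPLE_INF), admin_sids):
        print(finding)
```

An empty result means the user right itself is not the blocker, which leaves the connection permissions in Terminal Services Configuration as the other half to check.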

Are you able to telnet to that server's 3389?
- Ensure the domain admin is part of the Remote Desktop Users security group
- Check the system Properties > Remote tab, ensure the Remote Desktop is enabled for this computer
- Domain Admin should show here

Lex