
I've recently started having a problem where users can no longer log into the RDS server. They get 'Access is denied'.


If I add them to Domain Admins, they are able to get on without issue. I've checked Local Security Policy > Local Policies > User Rights Assignments > All log on through Remote Desktop Services. It has the appropriate groups assigned. I even added Domain Users to include everyone, but the users still get the access denied unless they are in the domain admins group.

I've checked the event log and the only two events associated with the security log are two 4634 events that say "An account was logged off". One has Logon Type 3 and the other Logon Type 10.

Any ideas as to what could be causing the issue?

SamErde
GarudaLead
  • RDP service in trouble, I guess. Is the symptom still there even if you restart the server? If the restart does not solve the issue, try with a user without any GPO applied to it, or a local user in the worst case. – yagmoth555 May 31 '18 at 13:04
  • I think it has to be a permissions / authentication issue because it's happening to both the RDS servers in the domain. – GarudaLead May 31 '18 at 13:46
  • Make sure no GPO removes your right to log on, which is why I suggest testing with a user without GPO. – yagmoth555 May 31 '18 at 14:17
  • "Access denied" is too generic to troubleshoot as it could mean so many things. If the affected server is a fresh install, I would consider a new build: reinstall and try again. You could also try resetting the affected account to "Local System", reset the RDS service to "Network Service" and see if this fixes the problem. – Sunny J May 31 '18 at 14:27
  • Access Denied is very generic. I ran into this issue recently. In my case the server was not able to get in contact with the domain controller in order to authenticate users. I did an nslookup for the domain controller on the server and didn't get a response. After looking at my DNS settings on the server, I saw that I was missing my DNS suffixes. After adding them in, everything worked as intended. – Prescient Aug 06 '19 at 20:55

4 Answers


Domain Admins always have remote desktop logon rights, but other users need to be granted this privilege explicitly. It sounds like your Domain Users may have been removed from the local permissions group.

Places to Check:

  • Ensure that Domain Users are added to the RDS server's "Remote Desktop Users" local security group.
  • Open Remote Desktop Session Host Configuration and check the properties for the RDP-Tcp connection. Make sure that nobody modified the security in this location. The security tab should still include "Remote Desktop Users" with 'User Access' and 'Guest Access' allowed.
  • Still on the RDP-Tcp Properties dialog, ensure that the security layer setting is "Negotiate" and the encryption level is "Client Compatible" unless you are required to set that higher.
  • Check a GPResult for the following:
    • Allow log on through Remote Desktop Services should be set to Administrators, Remote Desktop Users.
    • Deny log on through Remote Desktop Services should be set to Guests and ideally Local account, Guests.
    • Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Session Host > Connections > *Allow users to connect remotely by using Remote Desktop Services* should be set to either Not configured or Enabled.
SamErde
  • I've checked and all the security settings are set as they should be and I still get the access denied error. – GarudaLead May 31 '18 at 14:15
  • There are no audit failure events in the Security event log? – SamErde May 31 '18 at 14:17
  • No, that's the odd thing. I get 2 log off events. They are identical except that the logon types are different. One is type 3, the other is type 10. – GarudaLead May 31 '18 at 14:22
  • Interesting - those numbers do make sense. Logon type 3 is "Network Logon" and logon type 10 is "Remote Interactive" (RDS). But those are both success events, right? – SamErde May 31 '18 at 14:25
  • Here's a shot in the dark: any chance that somebody messed with the ACL on the Users folder? If you're getting successful logoffs, maybe the access denied message is coming from a post-authentication process. – SamErde May 31 '18 at 14:26
  • They are successful events. I did as @yagmoth555 suggested above and created a local user and made them a member of the Remote Desktop Users group. I was able to log that user in. So it sounds like it is a GPO causing an issue. I'll start with some GPO Results. Anywhere I should look other than the above? – GarudaLead May 31 '18 at 14:31
  • Added a few group policy settings to check in my answer above. – SamErde May 31 '18 at 14:47
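A PowerShell diagnostic script, added here as an example and not part of SamErde's answer, that collects the items in the checklist above plus the Security-log evidence discussed in the comments (4625 failures versus 4634 logoffs, and whether failure auditing is even enabled). It assumes it runs elevated on the RDS host under Windows PowerShell 5.1; the $Account value is a placeholder.

```powershell
# Added example: RDS "Access is denied" triage. Assumes an elevated Windows PowerShell 5.1
# session on the RDS host. $Account is a placeholder; replace it with the affected user.
param([string]$Account = 'CONTOSO\jdoe')

# 1. Who is actually in the local "Remote Desktop Users" group?
Write-Host '== Remote Desktop Users members =='
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. Effective user rights from the local security database (what GPO finally applied).
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$rights = Get-Content $cfg |
    Where-Object { $_ -match '^SeRemoteInteractiveLogonRight|^SeDenyRemoteInteractiveLogonRight' }
Write-Host '== Allow / Deny log on through Remote Desktop Services (effective) =='
foreach ($line in $rights) {
    $name, $sids = $line -split '\s*=\s*', 2
    $resolved = foreach ($sid in $sids -split ',') {      # secedit writes SIDs as *S-1-5-...
        try { (New-Object System.Security.Principal.SecurityIdentifier($sid.TrimStart('*'))).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }
    }
    Write-Host ("{0}: {1}" -f $name, ($resolved -join ', '))
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. RDP-Tcp listener settings and the "Allow users to connect remotely" policy value.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$tcp = Get-ItemProperty "$ts\WinStations\RDP-Tcp"
Write-Host '== Listener / policy =='
Write-Host ("fDenyTSConnections (machine): {0}" -f (Get-ItemProperty $ts).fDenyTSConnections)
Write-Host ("fDenyTSConnections (policy) : {0}" -f (Get-ItemProperty $pol -ErrorAction SilentlyContinue).fDenyTSConnections)
Write-Host ("SecurityLayer={0} (0=RDP,1=Negotiate,2=TLS) MinEncryptionLevel={1} (2=Client Compatible) NLA={2}" -f
    $tcp.SecurityLayer, $tcp.MinEncryptionLevel, $tcp.UserAuthentication)

# 4. Security log: 4625 failures and 4634 logoffs for the account in the last 24 hours.
Write-Host "== Logon events for $Account (last 24h) =="
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625,4634; StartTime=(Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape(($Account -split '\\')[-1]) } |
    ForEach-Object {
        $x = [xml]$_.ToXml()                              # pull typed fields out of EventData
        $d = @{}; $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{ Time=$_.TimeCreated; Id=$_.Id; LogonType=$d.LogonType; Status=$d.Status; SubStatus=$d.SubStatus }
    } | Format-Table -AutoSize

# 5. No 4625 events means little if failure auditing is off; show the audit policy.
auditpol.exe /get /subcategory:Logon
```

A user present only in step 4 as 4634 type 3/10 pairs with no 4625, as in the question, points past authentication (group membership, user rights, listener ACL) rather than at the credentials themselves.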

Try the solution posted on Access is Denied - Remote Desktop:

Setting the Remote Desktop Services service logon to Network Service.


Alexred

I've been looking for a solution to the problem for two days, and it wasn't a GPO issue or a certificate issue either; it was the network policy. I disabled it in the NPAS console and users could access my RemoteApps. I hope this can help, so cheers everyone.

Rabah

I suggest restarting the Remote Desktop Licensing service on your RDS (don't touch anything else if it has already been working, which means your setup was OK) and trying to reconnect. If all is OK, then I suggest checking and resetting the counter for your RDL with the ps1 script below.

## This script queries the remaining time and resets the Terminal Server (RDS) grace licensing period to the default 120 days.
## Developed by Prakash Kumar (prakash82x@gmail.com) May 28th 2016
## www.adminthing.blogspot.com
## Disclaimer: Please test this script in your test environment before executing on any production server.
## Author will not be responsible for any misuse/damage caused by using it.

Clear-Host
$ErrorActionPreference = "SilentlyContinue"

## Display the current number of days remaining in the grace period (WMI, root\cimv2\terminalservices).
$GracePeriod = (Invoke-WmiMethod -Path (Get-WmiObject -Namespace root\cimv2\terminalservices -Class Win32_TerminalServiceSetting).__PATH -Name GetGracePeriodDays).DaysLeft
Write-Host -ForegroundColor Green '======================================================'
Write-Host -ForegroundColor Green "Terminal Server (RDS) grace period days remaining: $GracePeriod"
Write-Host -ForegroundColor Green '======================================================'
Write-Host
$Response = Read-Host "Do you want to reset the Terminal Server (RDS) grace period to the default 120 days? (Y/N)"

if ($Response -eq "Y") {
    ## Reset the Terminal Services grace period to 120 days.

    ## P/Invoke wrapper for ntdll!RtlAdjustPrivilege, used to enable a privilege on the current process token.
    $definition = @"
using System;
using System.Runtime.InteropServices;
namespace Win32Api
{
    public class NtDll
    {
        [DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
        public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
    }
}
"@
    Add-Type -TypeDefinition $definition -PassThru | Out-Null

    $bEnabled = $false

    ## Enable SeTakeOwnershipPrivilege (privilege value 9) so the key's owner can be changed.
    $res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$bEnabled)

    ## Take ownership of the GracePeriod key (by default Administrators cannot write to it).
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        "SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod",
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    $acl = $key.GetAccessControl()
    $acl.SetOwner([System.Security.Principal.NTAccount]"Administrators")
    $key.SetAccessControl($acl)

    ## Grant Full Control on the key to Administrators.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Administrators", "FullControl", "Allow")
    $acl.SetAccessRule($rule)
    $key.SetAccessControl($acl)
    $key.Close()   # release the handle before deleting the key

    ## Finally delete the key, which resets the grace period counter to 120 days.
    Remove-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod'

    Write-Host
    Write-Host -ForegroundColor Red 'Resetting, please wait...'
    Start-Sleep -Seconds 10
}
else {
    Write-Host
    Write-Host -ForegroundColor Yellow '**You chose not to reset the grace period of Terminal Server (RDS) Licensing'
}

## Display the remaining days again as the final status.
tlsbln.exe
$GracePost = (Invoke-WmiMethod -Path (Get-WmiObject -Namespace root\cimv2\terminalservices -Class Win32_TerminalServiceSetting).__PATH -Name GetGracePeriodDays).DaysLeft
Write-Host
Write-Host -ForegroundColor Yellow '====================================================='
Write-Host -ForegroundColor Yellow "Terminal Server (RDS) grace period days remaining: $GracePost"
Write-Host -ForegroundColor Yellow '====================================================='

## Clean up variables.
Remove-Variable * -ErrorAction SilentlyContinue
Dave M
2Play