Win2k3 RDP Login: Domain Users = works, Administrator = Fails

    Recently upgraded Win2K3 R2 server to Active Directory role. All was well, rebooted machine after removing old AV software. After reboot, regular remote desktop users can access the terminal server but anyone in any admin group (Administrators, Enterprise Admins, Domain Admins) cannot. When any Admin user attempts to log on via RDP, they get the "To log on to this computer, you must have Terminal Server User Access Permissions on this Computer..." message.

    Steps taken:
    1). I have checked all policies, in all the obvious places, and nothing seems amiss (although there are nooks and crannies I have likely overlooked). I've not created any group policies since the domain level group policies work fine for our office (with the exception of this issue).
    2). Added just about everyone, including Administrator group users to Terminal Server Access security policy, network access policy. Did the same to remote desktop users. Same issue.
    3). Created test user. Test user logs in fine as Domain User, User, and remote desktop user (groups). Promoted this test user to administrator, cannot log on, receives same error as above. Repeated for Domain Admin, Enterprise Admin, all with same result. Demoted test user back to normal non-admin user, able to log in fine.
    4). Messed around with groups and users, trying different combinations, reviewed group policies again… Found nothing obvious.
    5). Searched the net in vain.
    6). Came here in hope someone would know just where I might have messed up, and, more importantly, how I can go about solving the issue.
    Thanks!

  • #2
    Re: Win2k3 RDP Login: Domain Users = works, Administrator = Fails

    For a start, I would do the following:
    - login as a regular user and run the following commands:
    net user [username] /domain >c:\%USERNAME%_details.txt
    gpresult >c:\%USERNAME%_policies.txt
    These two commands will give you the details of the user (pay special attention to the Global Group Membership section) and the policies that apply to him.
    - try to login to the server's console and do the same two commands. You can then compare the two pairs of TXT files.
    It might be that somewhere you gave a DENY right to some group, and the Admins are part of that group. Or an overlooked policy ...
    What do you think?

    Sorin Solomon

    »»»»»
    In order to succeed, your desire for success should be greater than your fear of failure.
    -
    «««««



    • #3
      Re: Win2k3 RDP Login: Domain Users = works, Administrator = Fails

      Please open the Terminal Services configuration and review the access control list for the TS.
      Also, try to disable the remote admin mode of TS and enable it again.
      Best Regards,

      Yuval Sinay

      LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



      • #4
        Re: Win2k3 RDP Login: Domain Users = works, Administrator = Fails

        Thanks for the assistance, sorinso and yuval. After completing both recommendations and some more digging and checking, the issue was solved:

        1). gpresult shows user X has REMOTE INTERACTIVE LOGON in the global policy, while admin Y does not. Remote interactive logon is pretty nebulous, and I was able to narrow down the individual security policies that influence that policy (so as to not do further damage).
        2). "Deny logon through terminal services" had one entry: SUPPORT_388945a0
        3). Removing that entry solved the issue.

        Now, my background is in FreeBSD/Samba-as-domain-controller, so I'll admit an almost comic lack of understanding when it comes to Windows users and privileges associated with AD, but I'm feeling some obscure support account no one knew existed is pretty strange. Regardless, all is well once again, and your help is much appreciated.

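The diagnosis in #4 came down to one user right, "Deny log on through Terminal Services", and the comparison suggested in #2 (group membership of a working user against a failing one) is what exposed it. The script below is an added example, not code from the thread or from Microsoft: it exports the effective user-rights assignment with secedit, parses the Allow and Deny entries for Terminal Services logon, builds an approximation of the SIDs a given domain account would carry in its RDP logon token, and reports which entries match, so the test-account cycling in post #1 step 3 is not needed. It assumes PowerShell 2.0 or later, secedit.exe, and an AD domain reachable through ADSI; the account name `CORP\admin.y` and the INF path are placeholders.

```powershell
# Added example, not from the thread: audit the "Allow/Deny log on through
# Terminal Services" user rights on this server and predict whether a given
# domain account passes that check, without cycling a test account through
# group changes and logons. Assumes PowerShell 2.0 or later, secedit.exe
# (built into Windows) and an AD domain reachable through ADSI. The account
# name and the INF path are placeholders.
param(
    [string]$UserName = 'CORP\admin.y',                       # account that fails over RDP (placeholder)
    [string]$InfPath  = (Join-Path $env:TEMP 'secpol.inf')    # secedit export, created if missing
)

$ErrorActionPreference = 'Stop'

# 1. Export the effective user-rights assignment (local policy plus applied GPOs).
#    If the 2003 box has no PowerShell, run this one line there from cmd.exe and
#    point -InfPath at a copy of the file on a machine that does.
if (-not (Test-Path $InfPath)) {
    secedit /export /cfg $InfPath /areas USER_RIGHTS | Out-Null
}

# 2. Parse [Privilege Rights]. Each line reads "SeSomething = *S-1-5-...,Name,...":
#    a leading '*' marks a SID; bare text is an account that was stored by name
#    (typically a local or otherwise unresolvable account).
$rights = @{}
$inSection = $false
foreach ($line in (Get-Content $InfPath)) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

function ConvertTo-Sid([string]$Entry) {
    # Normalise an INF entry to a SID string so it can be compared with token SIDs.
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    try {
        (New-Object System.Security.Principal.NTAccount($Entry)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $Entry }   # unresolvable name: keep the raw text so it still shows in the report
}

function ConvertTo-Name([string]$Sid) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

$allow = @(); foreach ($e in $rights['SeRemoteInteractiveLogonRight'])     { $allow += ConvertTo-Sid $e }
$deny  = @(); foreach ($e in $rights['SeDenyRemoteInteractiveLogonRight']) { $deny  += ConvertTo-Sid $e }

# 3. Approximate the SID list of the user's RDP logon token: the user's own SID,
#    the nested group membership AD computes in tokenGroups (on a DC this covers
#    the Builtin groups too), and the well-known SIDs every remote interactive
#    logon carries (Everyone, Authenticated Users, REMOTE INTERACTIVE LOGON).
$userSid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$adUser = [ADSI]"LDAP://<SID=$userSid>"
$adUser.GetInfoEx(@('tokenGroups'), 0)
$tokenSids = @($userSid, 'S-1-1-0', 'S-1-5-11', 'S-1-5-14')
foreach ($bytes in $adUser.psbase.Properties['tokenGroups']) {
    $tokenSids += (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

# 4. Evaluate the way the logon check does: an explicit Deny on any SID in the
#    token wins over any Allow, and with no matching Allow the logon fails too.
$hitAllow = @($tokenSids | Where-Object { $allow -contains $_ })
$hitDeny  = @($tokenSids | Where-Object { $deny  -contains $_ })

"Allow log on through Terminal Services:"
$allow | ForEach-Object { "  " + (ConvertTo-Name $_) }
"Deny log on through Terminal Services:"
$deny  | ForEach-Object { "  " + (ConvertTo-Name $_) }
""
"$UserName matches Allow via: " + (($hitAllow | ForEach-Object { ConvertTo-Name $_ }) -join ', ')
"$UserName matches Deny via:  " + (($hitDeny  | ForEach-Object { ConvertTo-Name $_ }) -join ', ')
if     ($hitDeny.Count  -gt 0) { "RESULT: logon denied (Deny entry wins)" }
elseif ($hitAllow.Count -gt 0) { "RESULT: logon allowed" }
else                           { "RESULT: logon denied (no Allow entry matches the token)" }
```

Run it once for a user who can log on and once for one who cannot; the two reports differ exactly where the policy does, which is the comparison #2 asks for. The Deny list is printed in full, so an entry nobody remembers adding (as in #4) is visible even when it does not match the account under test. The token list is an approximation: tokenGroups comes from AD, so on a member server that also has local groups you would need to add those separately, and the script does not model the Terminal Services connection permissions that Yuval refers to in #3.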


        • #5
          Re: Win2k3 RDP Login: Domain Users = works, Administrator = Fails

          Hi, discolor.
          Not that I doubt your actions, but it's hard for me to believe that changing permissions for the SUPPORT_388945a0 account could have solved the problem. This is a built-in account (an account that is created during the server installation) whose use is very specific.
          I would like to suggest that you read some articles related to your findings:
          REMOTE INTERACTIVE LOGON :
          - http://technet2.microsoft.com/Window....mspx?mfr=true
          - http://technet2.microsoft.com/Window....mspx?mfr=true
          SUPPORT_388945a0:
          - http://technet2.microsoft.com/Window....mspx?mfr=true
          - http://www.microsoft.com/technet/sec.../s3sgch05.mspx
          Just some hits I thought would be nice for you to read. There are plenty more...
          Good luck.

          Sorin Solomon
