Friday, March 19, 2010 3:11 PM
I have set up my Server (2008 R2 Foundation) for remote desktop and RemoteApp as per the instructions provided by Microsoft. I am using a single server for all functions. When a user logs in to the Server through remote desktop, the remote desktop screen comes up and then the user immediately gets an 'Access is Denied' message. If the user connects through RDWeb, the RemoteApps are displayed, but when the user clicks on an application, they are prompted again for their login credentials and then they get the remote desktop screen with an 'Access is Denied' screen as well. This happens even for Administrators.
I am getting very frustrated with this as I have read many blogs and tried everything to no avail. PLEASE help me.
Friday, March 19, 2010 5:21 PM
Please try adding your users into the Remote Desktop Users local group on that server and see if it helps.
If still not working, please check the Event Viewer on that server and post all related logs here.
сила в справедливости
Friday, March 19, 2010 7:10 PMSorry, but I need a little help with that. Perhaps I am doing something wrong. I already had my users in the Active Directory Builtin Remote Desktop Users group. If I am adding to the wrong location can you give me explicit directions to the proper location to add these users? thanks.
Friday, March 19, 2010 7:44 PM
Right click My Computer and go to Manage, in the opened windows go to Configuration > Local Users and Groups. In the list of groups find Remote Desktop Users and double click it, then click Add button and add the required group (for instance Domain Users).
(FYI: If this server is a Domain Controller there will not be local groups and you cannot perform this step)
Check if it helped.
If still not working, open GPO linked to your Terminal Server and go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > find "Allow logon through Terminal Services" define this policy and add required groups. After that apply the policy and close all windows. Now either restart the Terminal Server or open CMD and issue gpupdate /force
сила в справедливости
Saturday, March 20, 2010 1:41 AM
This Server is a domain controller, but I did add my groups through gpo to the Remote Desktop Servers. And, same problem.
I don't see anything in the event viewer that jumps out. Is there a particular area I should look at?
Sunday, March 21, 2010 8:00 PM
I did add my groups through gpo to the Remote Desktop Servers.
You do not have to add your group to "Remote Desktop Users", as on Domain Controller "Remote Desktop Users" do not have "Logon through Terminal services" right. You have to add required group to the "Allow logon through Terminal Services" Policy Setting, or add "Remote Desktop Users" group to "Allow logon through Terminal Services" and then add users to "Remote Desktop Users" group.
сила в справедливости
Monday, March 22, 2010 2:50 AMAs near as I can tell, I had that already set up and still the same ... 'Access is Denied'. Is there a log I can provide that would help pin point this?
Tuesday, March 23, 2010 5:00 AM
As near as I can tell, I had that already set up and still the same ... 'Access is Denied'. Is there a log I can provide that would help pin point this?
Has anyone been able to resolve this? I would glady allow someone to remote into this server to figure out what is going on as I have not yet put it into production, but am very anxious to do so.
I really need this resolved!
Tuesday, March 23, 2010 4:05 PMI have experienced the same problem i have deleted local and roaming profile and all works. In my problem, corrupted profile generated access denied.
Tuesday, March 23, 2010 11:57 PMThank you for trying to help me out here. I really appreciate it. However, I am not very sophisticated when it comes to server configuration, so do you mean just delete any local user accounts? And what do you mean by roaming profile. If you could provide directions as to how to do what you are suggesting, I would really appreciate it. I set up my Windows 2000 server with absolutely no issues, but this 2008 version has not been the same experience.
Thursday, March 25, 2010 8:36 AMDelete local profile on 2008 R2, and roaming profile if you have setup them.
Tuesday, March 30, 2010 2:14 AMI still get 'Access is Denied'.
Friday, April 09, 2010 12:06 AM
I still get 'Access is Denied'.
It looks as though I made a HUGE mistake in purchasing Windows Server.
Sunday, April 11, 2010 11:02 AM
I last saw this one on WS08 and I think someone got it resolved by changing System Locale Settings.
Can you please make sure that Restrict Users to Single Session is disabled via RD Session Host Configuration Settings?
Wednesday, April 21, 2010 4:44 AMThanks for responding, but that did not work. I still get 'Access is Denied'
Tuesday, May 11, 2010 10:10 PM
I just ran into this issue and was able to resolve it by setting the Remote Desktop Services service logon to Network Service. It was set to LocalSystem.
When reviewing the system logs, I found the following two errors:The Remote Desktop Services service is marked as an interactive service. However, the system is configured to not allow interactive services.
Schannel N/A NT AUTHORITY\SYSTEM The following fatal alert was generated: 10. The internal error state is 10.
I also was thinking about resetting the machine account password with the netdom command but, didnt end up needing to.
Here are my notes from the issue - just in case you are seeing a combination of problems.
We are getting an "Access is Denied" message when trying to RDP into a Windows Foundation Server 2008 R2 system. To eliminate external access issues, we are trying to just RDP into localhost at this point. We do get the same message when trying from a remote system.
Items that we have confirmed at this point:
- Apparantly this did work one time and ever since then it hasnt worked (no way to confirm this).
- New user account "TestUser" is a member of the remote deskop users group and administrators group (have tested with just admin / Remote desktop users group only as well)
- No profile issues exist
- Server is only a member of a workgroup
- TestUser account in the "allow logon through terminal services" Local Security policy
- All firewall settings are disabled
- Server is listening on port 3389
- C:\ permissions are at default settings
- We have tried the "restrict each user to a single session" in both settings
- Network Level Authentication is disabled for the connection
- Security layer - tried both negotiate and rdp security layer
- Encryption level both Client Compatible and Low
- Remote control settings are set to Use remote control with default user settings.
- Server is in Remote Desktop for Administration Licesing mode
- We have deleted and re-created the RDP-TCP connection.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ create a DWORD value called “IgnoreRegUserConfigErrors” and assign the value “1” to this property (also tried 0)
- we also applied kb 951422 for new termserv.dll, rdpcorekmts.dll, and rdpwsx.dll files
- Proposed As Answer by Brent Caskey, MCM Tuesday, May 11, 2010 10:10 PM
Thursday, September 16, 2010 9:13 AM
I have the same problem. I set up a standalone w2k8 R2 server with no domain config, just workgroup. I configured rdp connexion to users (admin and local users). Since the beginning, I still have Access Denied.
Does anyone resolved this case?
Thanks for your answers.
Thursday, September 16, 2010 1:01 PM
Ok, Thanks Brent. After reading again your post I just set the Remote Desktop Services service logon to Network Service. Now it works fine.
Thanks a lot for the solution.
Friday, April 20, 2012 9:38 AM
I had the same issue. Reason was: The Certificate assigned to RDP Session Host configuration got replaced automatically. The RD Session Host config ignores this and therefore cannot find a valid certificate. Just reconfigure your RD Session Host to use the newly assigned certificate. This worked for me.
Tuesday, July 10, 2012 9:17 AM
Thanks Brent, Thanks a lot for the resolution. It worked for me.