Users cannot RDP into Server 2008 R2 server unless their account is added directly to the local administrators group

    Question

  • During deployment of a new application, we have been running into strange issues trying to run processes with certain domain accounts. Looking through the machine settings, the only difference we could see between the affected accounts and accounts that work is that the affected accounts are added directly to the local administrators group and the accounts that work are added through AD security groups.

    Seeing this, I decided to mess around with the account membership of the local administrators group. I found that if I place the account into an AD group that is a member of the local administrators group, the account can no longer connect to the server through RDP (after a reboot of the server); however, I can connect to the server locally and do indeed have full administrator privileges on the server. If I move the user back to being defined as a direct member of the local administrators group, I can RDP again. All accounts are domain accounts; some accounts work and some accounts do not. All remote desktop settings are default, including Local Security Policies.

    Works

    • Local\Administrators
      • Domain\AffectedAccount
      • Domain\UnaffectedAccount
      • Domain\Group
        • Domain\UnaffectedAccount

    Does Not Work

    • Local\Administrators
      • Domain\Group
        • Domain\AffectedAccount

    I believe this issue affects more than just RDP; however, this is a pretty obvious condition produced by the underlying issue.

    My initial thoughts point to how the machines were provisioned. We clone out machines through VMware 5.1 and do not perform sysprep on the machines after cloning. After researching this further, it appears that sysprep is indeed not required but still recommended.

    Searching around for a couple days has not yielded any useful results. There is also nothing useful in the event logs of the server.

    Has anyone encountered this issue before?

    • Edited by pgsmith Saturday, March 02, 2013 12:33 AM
    Saturday, March 02, 2013 12:02 AM

Answers

All replies

  • Hi,

    Thanks for your post.

    Please refer to the following KB article to troubleshoot this issue. Hope it helps.

    Remote Desktop disconnected or can’t connect to remote computer or to Remote Desktop server (Terminal Server) that is running Windows Server 2008 R2
    http://support.microsoft.com/kb/2477176


    Best Regards,
    Aiden


    Aiden Cao
    TechNet Community Support

    Wednesday, March 06, 2013 2:43 AM
    Moderator
  • That's a good link. I walked through the instructions on that page and it did not resolve my issue. I believe this is a system issue, not an RDP issue. I will move forums.

    Wednesday, March 13, 2013 12:55 PM
  • Did you ever get a satisfactory answer to this? I am having the same issue. MS Best Practice is to put users in AD groups, add those groups to local groups, and give the local groups rights to the resources, but it isn't working for some of my users in this case. I'm a member of an AD group that is part of the Local Admins group on all of the servers, and NOT part of the local RDP group, and I never have a problem with RDP to any server.
    Friday, February 14, 2014 2:20 PM
  • Sorry FXLEWIS, I did not ever find a resolution. We dealt with the issue until we moved onto a new server.
    Friday, February 14, 2014 3:48 PM