I have set up my Server (2008 R2 Foundation) for remote desktop and RemoteApp as per the instructions provided by Microsoft. I am using a single server for all functions. When a user logs in to the Server through remote desktop, the remote desktop screen comes up and then the user immediately gets an 'Access is Denied' message. If the user connects through RDWeb, the RemoteApps are displayed, but when the user clicks on an application, they are prompted again for their login credentials and then they get the remote desktop screen with an 'Access is Denied' screen as well. This happens even for Administrators.
I am getting very frustrated with this as I have read many blogs and tried everything to no avail. PLEASE help me.
Sorry, but I need a little help with that. Perhaps I am doing something wrong. I already had my users in the Active Directory Builtin Remote Desktop Users group. If I am adding to the wrong location can you give me explicit directions to the proper location to add these users? thanks.
Right click My Computer and go to Manage, in the opened windows go to Configuration > Local Users and Groups. In the list of groups find Remote Desktop Users and double click it, then click Add button and add the required group (for instance Domain Users).
(FYI: If this server is a Domain Controller there will not be local groups and you cannot perform this step)
Check if it helped.
If still not working, open GPO linked to your Terminal Server and go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > find "Allow logon through Terminal Services" define this policy and add required groups. After that apply the policy and close all windows. Now either restart the Terminal Server or open CMD and issue gpupdate /force
сила в справедливости
I did add my groups through gpo to the Remote Desktop Servers.
You do not have to add your group to "Remote Desktop Users", as on Domain Controller "Remote Desktop Users" do not have "Logon through Terminal services" right. You have to add required group to the "Allow logon through Terminal Services" Policy Setting, or add "Remote Desktop Users" group to "Allow logon through Terminal Services" and then add users to "Remote Desktop Users" group.
сила в справедливости
As near as I can tell, I had that already set up and still the same ... 'Access is Denied'. Is there a log I can provide that would help pin point this?
Has anyone been able to resolve this? I would glady allow someone to remote into this server to figure out what is going on as I have not yet put it into production, but am very anxious to do so.
I really need this resolved!
Thank you for trying to help me out here. I really appreciate it. However, I am not very sophisticated when it comes to server configuration, so do you mean just delete any local user accounts? And what do you mean by roaming profile. If you could provide directions as to how to do what you are suggesting, I would really appreciate it. I set up my Windows 2000 server with absolutely no issues, but this 2008 version has not been the same experience.
I last saw this one on WS08 and I think someone got it resolved by changing System Locale Settings.
Can you please make sure that Restrict Users to Single Session is disabled via RD Session Host Configuration Settings?
I just ran into this issue and was able to resolve it by setting the Remote Desktop Services service logon to Network Service. It was set to LocalSystem.
When reviewing the system logs, I found the following two errors:The Remote Desktop Services service is marked as an interactive service. However, the system is configured to not allow interactive services.
Schannel N/A NT AUTHORITY\SYSTEM The following fatal alert was generated: 10. The internal error state is 10.
I also was thinking about resetting the machine account password with the netdom command but, didnt end up needing to.
Here are my notes from the issue - just in case you are seeing a combination of problems.
We are getting an "Access is Denied" message when trying to RDP into a Windows Foundation Server 2008 R2 system. To eliminate external access issues, we are trying to just RDP into localhost at this point. We do get the same message when trying from a remote system.
Items that we have confirmed at this point:
- Apparantly this did work one time and ever since then it hasnt worked (no way to confirm this).
- New user account "TestUser" is a member of the remote deskop users group and administrators group (have tested with just admin / Remote desktop users group only as well)
- No profile issues exist
- Server is only a member of a workgroup
- TestUser account in the "allow logon through terminal services" Local Security policy
- All firewall settings are disabled
- Server is listening on port 3389
- C:\ permissions are at default settings
- We have tried the "restrict each user to a single session" in both settings
- Network Level Authentication is disabled for the connection
- Security layer - tried both negotiate and rdp security layer
- Encryption level both Client Compatible and Low
- Remote control settings are set to Use remote control with default user settings.
- Server is in Remote Desktop for Administration Licesing mode
- We have deleted and re-created the RDP-TCP connection.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ create a DWORD value called “IgnoreRegUserConfigErrors” and assign the value “1” to this property (also tried 0)
- we also applied kb 951422 for new termserv.dll, rdpcorekmts.dll, and rdpwsx.dll files
- Proposed as answer by Brent Caskey, MCM Tuesday, May 11, 2010 10:10 PM
I have the same problem. I set up a standalone w2k8 R2 server with no domain config, just workgroup. I configured rdp connexion to users (admin and local users). Since the beginning, I still have Access Denied.
Does anyone resolved this case?
Thanks for your answers.
I had the same issue. Reason was: The Certificate assigned to RDP Session Host configuration got replaced automatically. The RD Session Host config ignores this and therefore cannot find a valid certificate. Just reconfigure your RD Session Host to use the newly assigned certificate. This worked for me.
I had this symptom and was totally stumped. Turns out the fix was to allow built-in Users group Read permission on the following registry key:
Apparently when Administrators, SYSTEM, and CREATOR OWNER have access to this key, but Users do not, no user can logon using RDP. (I had previously removed Users access to this key because I enabled AutoAdminLogin and DefaultUser and DefaultPassword values. Thinking only administrators would be remotely logging in, I was safe removing User read permissions to the clear-text password in the registry. It works on Windows Server 2003, but does not work on Windows Server 2008 R2.)