Access is Denied - Remote Desktop

    Question

  • I have set up my Server (2008 R2 Foundation) for remote desktop and RemoteApp as per the instructions provided by Microsoft.  I am using a single server for all functions.  When a user logs in to the Server through remote desktop, the remote desktop screen comes up and then the user immediately gets an 'Access is Denied' message.  If the user connects through RDWeb, the RemoteApps are displayed, but when the user clicks on an application, they are prompted again for their login credentials and then they get the remote desktop screen with an 'Access is Denied' screen as well.  This happens even for Administrators.

    I am getting very frustrated with this as I have read many blogs and tried everything to no avail.  PLEASE help me.

    Friday, March 19, 2010 3:11 PM

All replies

  • Hi,

     

    Please try adding your users into the Remote Desktop Users local group on that server and see if it helps.

    If still not working, please check the Event Viewer on that server and post all related logs here.

     


    Strength is in justice
    Friday, March 19, 2010 5:21 PM
  • Sorry, but I need a little help with that.  Perhaps I am doing something wrong.  I already had my users in the Active Directory Builtin Remote Desktop Users group.  If I am adding to the wrong location can you give me explicit directions to the proper location to add these users?  thanks.
    Friday, March 19, 2010 7:10 PM
  • Right-click My Computer and go to Manage; in the window that opens, go to Configuration > Local Users and Groups. In the list of groups, find Remote Desktop Users and double-click it, then click the Add button and add the required group (for instance Domain Users).
    (FYI: If this server is a Domain Controller there will not be local groups and you cannot perform this step.)
    Check if it helped.

    If it is still not working, open the GPO linked to your Terminal Server and go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies, find "Allow logon through Terminal Services", define this policy and add the required groups. After that, apply the policy and close all windows. Now either restart the Terminal Server or open CMD and issue gpupdate /force

     

     


    Strength is in justice
    Friday, March 19, 2010 7:44 PM
  • This Server is a domain controller, but I did add my groups through gpo to the Remote Desktop Servers.  And, same problem.

    I don't see anything in the event viewer that jumps out.  Is there a particular area I should look at?

    Saturday, March 20, 2010 1:41 AM
  •  I did add my groups through gpo to the Remote Desktop Servers.

    You do not have to add your group to "Remote Desktop Users", because on a Domain Controller "Remote Desktop Users" does not have the "Logon through Terminal services" right. You have to add the required group to the "Allow logon through Terminal Services" Policy Setting, or add the "Remote Desktop Users" group to "Allow logon through Terminal Services" and then add users to the "Remote Desktop Users" group.

     


    Strength is in justice
    Sunday, March 21, 2010 8:00 PM
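
To see which accounts actually hold the logon right discussed in the reply above, the effective user-rights assignment can be exported and read back. This is an added example, not part of the thread; it assumes an elevated PowerShell prompt on the server and uses the built-in `secedit` tool, where `SeRemoteInteractiveLogonRight` is the internal name of "Allow logon through Terminal Services".

```powershell
# Added example: list who holds (or is denied) the RDP logon right on this machine.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs with a leading '*'; plain account names are written as-is.
    if ($entry -notmatch '^\*(S-1-.+)$') { return $entry }
    $sidText = $Matches[1]
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return "$sidText (unresolved SID)"
    }
}

$rights = @{
    SeRemoteInteractiveLogonRight     = 'Allow logon through Terminal Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny logon through Terminal Services'
}

foreach ($right in $rights.Keys) {
    $line = Get-Content $cfg | Where-Object { $_ -match "^$right\s*=" }
    "{0} ({1}):" -f $rights[$right], $right
    if (-not $line) { '    (not defined)'; continue }
    ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        '    ' + (Resolve-Principal $_.Trim())
    }
}

Remove-Item $cfg
```

An account that appears under the deny right is refused even if it also appears under the allow right.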
  • As near as I can tell, I had that already set up and still the same ... 'Access is Denied'.  Is there a log I can provide that would help pin point this? 
    Monday, March 22, 2010 2:50 AM
  • As near as I can tell, I had that already set up and still the same ... 'Access is Denied'.  Is there a log I can provide that would help pin point this?

    Has anyone been able to resolve this?  I would gladly allow someone to remote into this server to figure out what is going on as I have not yet put it into production, but am very anxious to do so.

    I really need this resolved!

    Tuesday, March 23, 2010 5:00 AM
  • I have experienced the same problem; I deleted the local and roaming profile and everything works. In my case, a corrupted profile generated the access denied error.
    Tuesday, March 23, 2010 4:05 PM
  • Thank you for trying to help me out here.  I really appreciate it.  However, I am not very sophisticated when it comes to server configuration, so do you mean just delete any local user accounts?  And what do you mean by roaming profile.  If you could provide directions as to how to do what you are suggesting, I would really appreciate it.  I set up my Windows 2000 server with absolutely no issues, but this 2008 version has not been the same experience.
    Tuesday, March 23, 2010 11:57 PM
  • Delete the local profile on 2008 R2, and the roaming profile if you have set them up.
    Thursday, March 25, 2010 8:36 AM
  • I still get 'Access is Denied'. 
    Tuesday, March 30, 2010 2:14 AM
  • I still get 'Access is Denied'. 

    It looks as though I made a HUGE mistake in purchasing Windows Server. 
    Friday, April 09, 2010 12:06 AM
  • Hi there,

    I last saw this one on WS08 and I think someone got it resolved by changing System Locale Settings.

    Can you please make sure that Restrict Users to Single Session is disabled via RD Session Host Configuration Settings?

    ~Cheers

    http://blog.helpforsure.info

    Sunday, April 11, 2010 11:02 AM
  • Thanks for responding, but that did not work.  I still get 'Access is Denied'
    Wednesday, April 21, 2010 4:44 AM
  • I just ran into this issue and was able to resolve it by setting the Remote Desktop Services service logon to Network Service. It was set to LocalSystem.

    When reviewing the system logs, I found the following two errors:

    The Remote Desktop Services service is marked as an interactive service.  However, the system is configured to not allow interactive services.

    and

    36888

    Schannel N/A NT AUTHORITY\SYSTEM The following fatal alert was generated: 10. The internal error state is 10.

    I was also thinking about resetting the machine account password with the netdom command but didn't end up needing to.

    Here are my notes from the issue - just in case you are seeing a combination of problems.

    We are getting an "Access is Denied" message when trying to RDP into a Windows Foundation Server 2008 R2 system. To eliminate external access issues, we are trying to just RDP into localhost at this point. We do get the same message when trying from a remote system.

    Items that we have confirmed at this point:

    • Apparently this did work one time and ever since then it hasn't worked (no way to confirm this).
    • New user account "TestUser" is a member of the remote desktop users group and administrators group (have tested with just admin / Remote desktop users group only as well)
    • No profile issues exist
    • Server is only a member of a workgroup
    • TestUser account in the "allow logon through terminal services" Local Security policy
    • All firewall settings are disabled
    • Server is listening on port 3389
    • C:\ permissions are at default settings
    • We have tried the "restrict each user to a single session" in both settings
    • Network Level Authentication is disabled for the connection
    • Security layer - tried both negotiate and rdp security layer
    • Encryption level both Client Compatible and Low
    • Remote control settings are set to Use remote control with default user settings.
    • Server is in Remote Desktop for Administration Licensing mode
    • We have deleted and re-created the RDP-TCP connection.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ create a DWORD value called “IgnoreRegUserConfigErrors” and assign the value “1” to this property (also tried 0)
    • we also applied kb 951422 for new termserv.dll, rdpcorekmts.dll, and rdpwsx.dll files
    Tuesday, May 11, 2010 10:10 PM
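
The checks from the post above can be gathered in one read-only pass. This is an added example, not part of the thread; it assumes an elevated PowerShell prompt on the affected server, and `TermService` is the service name behind "Remote Desktop Services".

```powershell
# Added example: read-only diagnostics for the items listed in the post above.

# 1. Logon account and interactive flag of the Remote Desktop Services service.
$svc = Get-WmiObject Win32_Service -Filter "Name='TermService'"
"TermService logon account : $($svc.StartName)"
"TermService interactive   : $($svc.DesktopInteract)"
if ($svc.StartName -notmatch 'Network\s*Service') {
    "  -> not Network Service; the post above resolved 'Access is Denied' by changing this."
}

# 2. The two System-log errors quoted in the post.
$schannel = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 36888 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue)
$interactive = @(Get-WinEvent -LogName System -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'marked as an interactive service' } |
    Select-Object -First 5)
"Event 36888 (fatal alert) entries found : $($schannel.Count)"
"Interactive-service errors found        : $($interactive.Count)"
$schannel + $interactive | Format-List TimeCreated, Id, ProviderName, Message

# 3. The registry value tried in the notes (absent unless someone created it).
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ignore = $ts.IgnoreRegUserConfigErrors
"IgnoreRegUserConfigErrors : " + $(if ($null -eq $ignore) { '(not set)' } else { $ignore })

# 4. Is anything listening on the RDP port named in the notes?
$listener = netstat -ano | Select-String ':3389\s+\S+\s+LISTENING'
"Listening on 3389         : " + [bool]$listener
```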
  • Hi everyone,

     

    I have the same problem. I set up a standalone w2k8 R2 server with no domain config, just workgroup. I configured rdp connection to users (admin and local users).  Since the beginning, I still have Access Denied.

    Has anyone resolved this case?

    Thanks for your answers.

     

    Thursday, September 16, 2010 9:13 AM
  • Ok, thanks Brent. After reading your post again I just set the Remote Desktop Services service logon to Network Service. Now it works fine.

     

    Thanks a lot for the solution.

     

    Thursday, September 16, 2010 1:01 PM
  • I had the same issue. Reason was: The Certificate assigned to RDP Session Host configuration got replaced automatically. The RD Session Host config ignores this and therefore cannot find a valid certificate. Just reconfigure your RD Session Host to use the newly assigned certificate. This worked for me.

    Best regards

    Stefan

    Friday, April 20, 2012 9:38 AM
  • Thanks Brent, Thanks a lot for the resolution. It worked for me.

    Tuesday, July 10, 2012 9:17 AM
  • I had this symptom and was totally stumped. Turns out the fix was to allow built-in Users group Read permission on the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Apparently when Administrators, SYSTEM, and CREATOR OWNER have access to this key, but Users do not, no user can logon using RDP. (I had previously removed Users access to this key because I enabled AutoAdminLogin and DefaultUser and DefaultPassword values. Thinking only administrators would be remotely logging in, I was safe removing User read permissions to the clear-text password in the registry. It works on Windows Server 2003, but does not work on Windows Server 2008 R2.)


    Wednesday, November 13, 2013 10:01 PM
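
The permission described in the post above can be checked without opening regedit. This is an added example, not part of the thread; it only reads the key's ACL, tests the built-in Users group (well-known SID S-1-5-32-545) specifically, and reports whether an auto-logon password is stored without printing it. `AutoAdminLogon` and `DefaultPassword` are the Windows value names for the auto-logon settings.

```powershell
# Added example: read-only check of the Winlogon key ACL and auto-logon values.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$usersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users
$readKey  = [int][System.Security.AccessControl.RegistryRights]::ReadKey

# Resolve every ACE to a SID so the check does not depend on localized group names.
$rules = (Get-Acl $key).GetAccessRules($true, $true,
    [System.Security.Principal.SecurityIdentifier])

# Allow ACEs must grant every bit of ReadKey; any overlapping Deny ACE blocks it.
$allow = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $usersSid -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.RegistryRights -band $readKey) -eq $readKey)
})
$deny = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $usersSid -and
    $_.AccessControlType -eq 'Deny' -and
    (([int]$_.RegistryRights -band $readKey) -ne 0)
})

if ($allow.Count -gt 0 -and $deny.Count -eq 0) {
    'OK: BUILTIN\Users has Read on the Winlogon key.'
} else {
    'PROBLEM: BUILTIN\Users lacks Read on the Winlogon key (the condition described above).'
}

# Report the auto-logon state without revealing the stored password.
$wl = Get-ItemProperty $key
"AutoAdminLogon            : " + $(if ($null -eq $wl.AutoAdminLogon) { '(not set)' } else { $wl.AutoAdminLogon })
"DefaultPassword is stored : " + ($null -ne $wl.DefaultPassword)
if ($null -ne $wl.DefaultPassword -and $allow.Count -gt 0) {
    '  -> a clear-text password is readable by every member of Users.'
}
```

If auto-logon is required, the Sysinternals Autologon tool stores the password as an LSA secret instead of the `DefaultPassword` value, so the Users read permission can stay in place.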
  • I was getting access denied also. I followed all the posts with no success. I noticed on the box I was RDP'ing to that there was a successful logon audit entry, but nothing else.  I reproduced the issue multiple times in a row and then ran a set command to find my logon server, went on the logon server (one of my DCs) and noticed the following warnings

    

    Following event 29 I came across the following doc: http://technet.microsoft.com/en-us/library/cc734096(v=ws.10).aspx

    Once I recreated the Domain Certificates, I verified the KDC and it was successful.  RDP still didn't work, but the events went away when reproducing the issue. I rebooted the DC (our logon server) and the server we were RDP'ing to, and once back up I was able to RDP with no problems to all Servers.

    Wednesday, May 14, 2014 11:40 AM
  • Hi guys

    it worked for me when I added the 

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ create a DWORD value called “IgnoreRegUserConfigErrors” and assign the value “1” to this property (also tried 0)

    thanks  Brent


    Marcello Jordan, MCP, MCDT, MCTS, MCITP

    Friday, September 19, 2014 3:33 PM