RDP Fails from a Win 10 machine using team account - Local account no issue

  • Question

  • Okay a member of a team on site was upgraded to Windows 10.

    They use a team account for RDP which works fine for other staff and has done for some years now, however I can add a local account as a member of the RDP users group and this works, when using the team account it fails and lastly when using my IT account it works fine, all accounts are members of the RDP users group.

    We do not restrict logon by machines otherwise this would fail for the local account that was created on the remote computer if this was the issue.

    When deleting the contents at c:\windows\system32\grouppolicy the computer was allowed to connect.

    The team account works fine locally and remotely for other members of the team.

    Re-applying GPO's and restarting the machine brings back the issues.

    The only setting we have is to allow log on through RDS for Administrators and Remote Desktop Users, this group has the team account along with the IT support teams accounts.


    • Edited by JDJudge Monday, January 27, 2020 10:39 AM spelling
    Monday, January 27, 2020 10:38 AM

Answers

  • Here is a work around for you I have just found.

    If the account is restricted to specific machines remove that and set to all machines.

    To keep it so they can only access specific machines remove domain users from the AD membership, on the remote computer add as a user in the Remote Desktop Users group to then allow remote access to the machine this has also fixed the error message when attempting to access a machine that hasn't been set up for remote access.

    Message is now The connection was denied because the user account is not authorised for remote log-in but once added to RDP user group on the machine it will then allow remote access.

    This may or may not have been partially resolved by changing the default group in AD.

    But the above steps will restore RDP access for anyone impacted

    • Marked as answer by JDJudge Wednesday, February 19, 2020 3:26 PM
    Wednesday, February 19, 2020 3:21 PM
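
    Added example, not part of the original post: a PowerShell check of the two settings the answer above changes, the account's "Log On To" list in AD and the Remote Desktop Users group on the remote computer. The account and computer names are placeholders, and it assumes the RSAT ActiveDirectory module and PowerShell remoting to the target.

```powershell
# Added example: every name below is a placeholder, not a value from the thread.
$Account    = 'teamaccount'    # hypothetical sAMAccountName of the shared account
$ClientName = 'CLIENT-PC01'    # hypothetical machine the RDP session starts from
$TargetName = 'TARGET-PC01'    # hypothetical machine being connected to

Import-Module ActiveDirectory  # RSAT Active Directory module

function Get-LogOnToStatus {
    param([string]$Identity, [string[]]$Computers)
    $user = Get-ADUser -Identity $Identity -Properties LogonWorkstations
    # LogonWorkstations backs the "Log On To" dialog: a comma-separated list
    # of computer names; an empty value means "All computers".
    $allowed = @($user.LogonWorkstations -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($c in $Computers) {
        [pscustomobject]@{
            Account    = $user.SamAccountName
            Computer   = $c
            Restricted = ($allowed.Count -gt 0)
            Listed     = ($allowed.Count -eq 0) -or ($allowed -contains $c)
        }
    }
}

function Get-RdpGroupMembers {
    param([string]$ComputerName)
    # Requires PowerShell remoting to the target; lists who may log on via RDP.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Remote Desktop Users' |
            Select-Object Name, ObjectClass, PrincipalSource
    }
}

# Is the account restricted, and are both ends of the connection on its list?
Get-LogOnToStatus -Identity $Account -Computers $ClientName, $TargetName |
    Format-Table -AutoSize

# Who is allowed to log on through Remote Desktop on the target?
Get-RdpGroupMembers -ComputerName $TargetName | Format-Table -AutoSize
```

    Running it for an affected account and for one that works gives a side-by-side view of where their restrictions differ.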

All replies

  • Hi,

    What is the error message about failure RDP connection?

    Once problem happens, please check event viewer on both local and remote system and try to find related event log, location such as below:
    Applications and Services Logs - Microsoft - Windows - TerminalServices & RemoteDesktopServices

    Besides, I want to confirm with you if you had deployed RDS servers to enable remote desktop connection? Or, only enable RDP via System - Remote Settings - Allow …?

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 28, 2020 7:18 AM
  • Hello Eve,

    Thank you for the reply, I have looked in Event Viewer and on the remote machine the below is available.

    Application and Services Logs – Microsoft – Windows – Terminal Services-RemoteConnectionManager then the only log with information is the Operational log.

    At the times of the attempted request this logs the below.

    Listener RDP-Tcp received a connection (Event ID 261).

    When I had fully removed policies from the remote machine it logged the below.

    Remote Desktop Services: User authentication succeeded:

    User: team account (AD not local)

    Domain: Our domain name

    Source Network Address: his IP address.

    While policies were in place but I had created him a local user in the remote desktop users group of the machine.

    Remote Desktop Services: User authentication succeeded:

    User: david

    Domain: local machine

    Source Network Address: his IP address.

    Machine the request is sent from has the below entries.

    RD Session Host Server role is not installed. (Event ID 1136)

     

    Listener RDP-Tcp has started listening (Event ID 258)

    Connection from listener RDP-Tcp will have terminal class of {5828227c-20cf-4408-b73f-73ab70b8849f} (Event ID 20523)

    I have been advised by our infrastructure team the below regarding the RDS Servers.

    "The RDS Servers is a role in Windows Server 2012+ and therefore is not applicable to Windows Workstations.  It is the new name for Terminal Services."

    So this doesn't appear to be applicable to the issue.

    Kind regards,

    Jamie

    Tuesday, January 28, 2020 1:25 PM
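
    Added example, not part of the original post: a PowerShell query of the RemoteConnectionManager Operational log on the remote machine that pairs each "Listener RDP-Tcp received a connection" record (Event ID 261) with a nearby "User authentication succeeded" record, so attempts that never authenticated stand out. Event ID 1149 is the ID of the authentication record whose text is quoted above; the look-back period and pairing window are assumptions.

```powershell
# Added example; run in an elevated session on the remote (target) machine.
$log           = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$since         = (Get-Date).AddHours(-4)   # assumed look-back period
$windowSeconds = 30                        # assumed max gap between 261 and 1149

$events = Get-WinEvent -FilterHashtable @{
    LogName = $log; Id = 261, 1149; StartTime = $since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

# 1149 = "Remote Desktop Services: User authentication succeeded".
# User, Domain and Source Network Address are Param1..Param3 in the event XML.
$auth = foreach ($e in $events | Where-Object Id -eq 1149) {
    $x = ([xml]$e.ToXml()).Event.UserData.EventXML
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = $x.Param1
        Domain = $x.Param2
        Source = $x.Param3
    }
}

# 261 = "Listener RDP-Tcp received a connection". Pair it with the closest
# 1149 inside the window; no pair means the attempt did not authenticate.
$report = foreach ($c in $events | Where-Object Id -eq 261) {
    $m = $auth | Where-Object {
        [math]::Abs(($_.Time - $c.TimeCreated).TotalSeconds) -le $windowSeconds
    } | Select-Object -First 1
    [pscustomobject]@{
        Connection    = $c.TimeCreated
        Authenticated = [bool]$m
        User          = if ($m) { "$($m.Domain)\$($m.User)" } else { '' }
        Source        = if ($m) { $m.Source } else { '' }
    }
}

$report | Format-Table -AutoSize
```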
  • Error message from RDP session.

    


    Tuesday, January 28, 2020 1:51 PM
  • Same issue, have you solved it
    Tuesday, January 28, 2020 2:58 PM
  • Still trying to fix this.

    But I wanted to add testing this with other accounts with the same settings applied not all have the issue.

    So this would suggest it isn't GPO causing the problem, removing the GPO's from my machine when testing this didn't resolve the problem.

    Using RDP from a Windows 7 machine with the problem account didn't have the same issue it allowed the account access.

    RDP version on the Windows 10 machine, Shell version 10.0.18362 Control Version 10.0.18362 Remote Desktop Protocol 10.7

    RDP version on the working Windows 7 machine, Shell version 6.3.9600 Control Version 6.3.9600 Remote Desktop Protocol 8.1.

    Both support Network Level Authentication but it would suggest the issue is with the RDP version, or introduced at some point between them.

    Do you have a Windows 8 or 8.1 system you can test the issue with and see if that version also has the problem?


    • Edited by JDJudge Wednesday, January 29, 2020 9:32 AM spelling
    Wednesday, January 29, 2020 9:05 AM
  • Also set GPO's to match both machines - no change.

    Tested by adding everyone to the RDP group memberships - no change.

    [Window Title]
    Remote Desktop Connection

    [Content]
    The system administrator has limited the computers you can log on with. Try logging on at a different computer. If the problem continues, contact your system administrator or technical support.

    [OK] [Help]

    Wednesday, January 29, 2020 9:36 AM
  • Just to add I have been informed by the user who first raised this to me, that it worked on his previous computer which was running Windows 10.

    Checked the version and this is running 1803 (Redstone 4) following moving onto systems running 1903+ we see the problem with RDP.

    Testing installing 1803 on another computer to test out the login issue and compare RDP versions in use if it works.

    Shell version 10.0.17134

    Control Version 10.0.17134

    Remote Desktop Protocol 10.5

    This appears to work fine.

    Tested on version 2004

    Shell version 10.0.19541
    Control Version 10.0.19541
    Remote Desktop Protocol 10.8

    This worked without issue, I can't deploy this build for obvious reasons.

    The problem for us is with the below version and potentially with 1809.

    RDP version on the Windows 10 machine, Shell version 10.0.18362 Control Version 10.0.18362 Remote Desktop Protocol 10.7

    So a work around would be to downgrade or upgrade the RDP version.

    I have taken ownership of the various files and folders and attempted to upgrade to the version used on Win 10 2004.

    My system now reports the below version but still fails with the same error message.

    Shell Version 10.0.19541 Control Version 10.0.19541 Remote Desktop Protocol 10.8

    So far any domain joined machine fails even 1803.

    • Edited by JDJudge Wednesday, January 29, 2020 12:02 PM adding extra details
    Wednesday, January 29, 2020 11:09 AM
  • Hi,

    Network Level Authentication is enabled by default on Windows 10 as far as I know, if possible, try to disable NLA and check the result.

    If problem persists, detailed log collection/analyzing should be necessary. I would suggest you contact Microsoft Customer Support and Services where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue. In addition, if the issue has been proved as a system flaw, the consulting fee would be refunded.

    Global Customer Service phone numbers:
    https://support.microsoft.com/en-us/help/13948/global-customer-service-phone-numbers 

    Best Regards,
    Eve Wang


    Thursday, February 6, 2020 7:28 AM
    Disabling has no impact on the issue, NLA I believe was enforced from Windows 8 by default but if not specifically set should use the target machines settings.

    Testing with it enabled, disabled and not configured always yields the same results.

    I will get our infrastructure team to attempt to investigate this further and contact Microsoft if required.

    Monday, February 10, 2020 9:40 AM
  • Hello Eve,

    Just for your records here is a way to get past the issue but isn't an exact fix.

    "

    Here is a work around for you I have just found.

    If the account is restricted to specific machines remove that and set to all machines.

    To keep it so they can only access specific machines remove domain users from the AD membership, on the remote computer add as a user in the Remote Desktop Users group to then allow remote access to the machine this has also fixed the error message when attempting to access a machine that hasn't been set up for remote access.

    Message is now The connection was denied because the user account is not authorised for remote log-in but once added to RDP user group on the machine it will then allow remote access.

    This may or may not have been partially resolved by changing the default group in AD.

    But the above steps will restore RDP access for anyone impacted

    "

    I haven't raised this with MS and am still waiting on further support (in house) but think I have resolved this back to an issue with the way AD is applying permissions to the account.

    Log on is acting as prevent logon so prevents any system access, if I set this back to a specific machine which I just had working over RDP it then goes back to the original error message.

    "The system administrator has limited the computers you can log on with. Try logging on at a different computer."
    When this is set to allow for the machine in question, this works fine for other staff members.
    This is clearly a bug that doesn't just exist on my site, evident by the multiple forums online with people impacted by this problem.

    I've no idea why the permissions are working the wrong way around for some accounts and not all of them.

    Wednesday, February 19, 2020 3:26 PM