Access is Denied - Remote Desktop


  • I have set up my Server (2008 R2 Foundation) for remote desktop and RemoteApp as per the instructions provided by Microsoft.  I am using a single server for all functions.  When a user logs in to the Server through remote desktop, the remote desktop screen comes up and then the user immediately gets an 'Access is Denied' message.  If the user connects through RDWeb, the RemoteApps are displayed, but when the user clicks on an application, they are prompted again for their login credentials and then they get the remote desktop screen with an 'Access is Denied' screen as well.  This happens even for Administrators.

    I am getting very frustrated with this as I have read many blogs and tried everything to no avail.  PLEASE help me.

    Friday, March 19, 2010 3:11 PM

All replies

  • Hi,


    Please try adding your users into the Remote Desktop Users local group on that server and see if it helps.

    If still not working, please check the Event Viewer on that server and post all related logs here.


    Strength is in justice
    Friday, March 19, 2010 5:21 PM
  • Sorry, but I need a little help with that.  Perhaps I am doing something wrong.  I already had my users in the Active Directory Builtin Remote Desktop Users group.  If I am adding to the wrong location can you give me explicit directions to the proper location to add these users?  thanks.
    Friday, March 19, 2010 7:10 PM
  • Right click My Computer and go to Manage, in the opened windows go to Configuration > Local Users and Groups. In the list of groups find Remote Desktop Users and double click it, then click Add button and add the required group (for instance Domain Users).
    (FYI: If this server is a Domain Controller there will not be local groups and you cannot perform this step)
    Check if it helped.

    If still not working, open GPO linked to your Terminal Server and go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > find "Allow logon through Terminal Services" define this policy and add required groups. After that apply the policy and close all windows. Now either restart the Terminal Server or open CMD and issue gpupdate /force



    Strength is in justice
    Friday, March 19, 2010 7:44 PM
  • This Server is a domain controller, but I did add my groups through gpo to the Remote Desktop Servers.  And, same problem.

    I don't see anything in the event viewer that jumps out.  Is there a particular area I should look at?

    Saturday, March 20, 2010 1:41 AM
  •  I did add my groups through gpo to the Remote Desktop Servers.

    You do not have to add your group to "Remote Desktop Users", as on Domain Controller "Remote Desktop Users" do not have "Logon through Terminal services" right. You have to add required group to the "Allow logon through Terminal Services" Policy Setting, or add "Remote Desktop Users" group to "Allow logon through Terminal Services" and then add users to "Remote Desktop Users" group.


    Strength is in justice
    Sunday, March 21, 2010 8:00 PM
  • As near as I can tell, I had that already set up and still the same ... 'Access is Denied'.  Is there a log I can provide that would help pin point this? 
    Monday, March 22, 2010 2:50 AM
  • As near as I can tell, I had that already set up and still the same ... 'Access is Denied'.  Is there a log I can provide that would help pin point this?

    Has anyone been able to resolve this?  I would gladly allow someone to remote into this server to figure out what is going on as I have not yet put it into production, but am very anxious to do so.

    I really need this resolved!

    Tuesday, March 23, 2010 5:00 AM
  • I have experienced the same problem; I have deleted the local and roaming profile and all works. In my problem, a corrupted profile generated access denied.
    Tuesday, March 23, 2010 4:05 PM
  • Thank you for trying to help me out here.  I really appreciate it.  However, I am not very sophisticated when it comes to server configuration, so do you mean just delete any local user accounts?  And what do you mean by roaming profile.  If you could provide directions as to how to do what you are suggesting, I would really appreciate it.  I set up my Windows 2000 server with absolutely no issues, but this 2008 version has not been the same experience.
    Tuesday, March 23, 2010 11:57 PM
  • Delete the local profile on 2008 R2, and the roaming profile if you have set them up.
    Thursday, March 25, 2010 8:36 AM
  • I still get 'Access is Denied'. 
    Tuesday, March 30, 2010 2:14 AM
  • I still get 'Access is Denied'. 

    It looks as though I made a HUGE mistake in purchasing Windows Server. 
    Friday, April 09, 2010 12:06 AM
  • Hi there,

    I last saw this one on WS08 and I think someone got it resolved by changing System Locale Settings.

    Can you please make sure that Restrict Users to Single Session is disabled via RD Session Host Configuration Settings?


    Sunday, April 11, 2010 11:02 AM
  • Thanks for responding, but that did not work.  I still get 'Access is Denied'
    Wednesday, April 21, 2010 4:44 AM
  • I just ran into this issue and was able to resolve it by setting the Remote Desktop Services service logon to Network Service. It was set to LocalSystem.

    When reviewing the system logs, I found the following two errors:

    The Remote Desktop Services service is marked as an interactive service.  However, the system is configured to not allow interactive services.



    Schannel N/A NT AUTHORITY\SYSTEM The following fatal alert was generated: 10. The internal error state is 10.

    I also was thinking about resetting the machine account password with the netdom command but didn't end up needing to.

    Here are my notes from the issue - just in case you are seeing a combination of problems.

    We are getting an "Access is Denied" message when trying to RDP into a Windows Foundation Server 2008 R2 system. To eliminate external access issues, we are trying to just RDP into localhost at this point. We do get the same message when trying from a remote system.

    Items that we have confirmed at this point:

    • Apparently this did work one time and ever since then it hasn't worked (no way to confirm this).
    • New user account "TestUser" is a member of the remote desktop users group and administrators group (have tested with just admin / Remote desktop users group only as well)
    • No profile issues exist
    • Server is only a member of a workgroup
    • TestUser account in the "allow logon through terminal services" Local Security policy
    • All firewall settings are disabled
    • Server is listening on port 3389
    • C:\ permissions are at default settings
    • We have tried the "restrict each user to a single session" in both settings
    • Network Level Authentication is disabled for the connection
    • Security layer - tried both negotiate and rdp security layer
    • Encryption level both Client Compatible and Low
    • Remote control settings are set to Use remote control with default user settings.
    • Server is in Remote Desktop for Administration Licensing mode
    • We have deleted and re-created the RDP-TCP connection.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ create a DWORD value called “IgnoreRegUserConfigErrors” and assign the value “1” to this property (also tried 0)
    • we also applied kb 951422 for new termserv.dll, rdpcorekmts.dll, and rdpwsx.dll files
    Tuesday, May 11, 2010 10:10 PM
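
A read-only way to check the three things the post above points at: the logon account of the Remote Desktop Services service, the `IgnoreRegUserConfigErrors` value, and the two System-log errors it quotes. This is an added example, not part of the original post; the service name `TermService`, the 7-day window and the message patterns are assumptions chosen for illustration.

```powershell
# Added example: read-only checks, run from an elevated Windows PowerShell prompt.
# Written to work on PowerShell 2.0 (the version shipped with Server 2008 R2).

# 1. Account the Remote Desktop Services service (assumed name: TermService) logs on as.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='TermService'"
$runsAsNetworkService = $svc.StartName -eq 'NT AUTHORITY\NetworkService'

# 2. The IgnoreRegUserConfigErrors value from the notes; $null means it is not set.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tsProp = Get-ItemProperty -Path $tsKey -Name IgnoreRegUserConfigErrors -ErrorAction SilentlyContinue
$ignoreValue = if ($tsProp) { $tsProp.IgnoreRegUserConfigErrors } else { $null }

# 3. Error-level System events whose text matches the two messages quoted in
#    the post. The 7-day window is an arbitrary choice for this example.
$patterns = '*marked as an interactive service*', '*fatal alert was generated*'
$filter   = @{ LogName = 'System'; Level = 2; StartTime = (Get-Date).AddDays(-7) }
$hits = @(
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $msg = $_.Message
            @($patterns | Where-Object { $msg -like $_ }).Count -gt 0
        }
)

# Summary first, then the matching events (if any) for closer reading.
New-Object PSObject -Property @{
    ServiceLogonAccount       = $svc.StartName
    RunsAsNetworkService      = $runsAsNetworkService
    IgnoreRegUserConfigErrors = $ignoreValue
    MatchingErrorEvents       = $hits.Count
}
$hits | Select-Object TimeCreated, ProviderName, Id, Message
```

A non-null `IgnoreRegUserConfigErrors` is worth recording during an audit, since a later reply in this thread treats it as a workaround rather than a fix for the root cause.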
  • Hi everyone,


    I have the same problem. I set up a standalone w2k8 R2 server with no domain config, just workgroup. I configured rdp connection to users (admin and local users).  Since the beginning, I still have Access Denied.

    Has anyone resolved this case?

    Thanks for your answers.


    Thursday, September 16, 2010 9:13 AM
  • Ok,  Thanks Brent. After reading again your post I just set the Remote Desktop Services service logon to Network Service. Now it works fine.


    Thanks a lot for the solution.


    Thursday, September 16, 2010 1:01 PM
  • I had the same issue. Reason was: The Certificate assigned to RDP Session Host configuration got replaced automatically. The RD Session Host config ignores this and therefore cannot find a valid certificate. Just reconfigure your RD Session Host to use the newly assigned certificate. This worked for me.

    Best regards


    Friday, April 20, 2012 9:38 AM
  • Thanks Brent, Thanks a lot for the resolution. It worked for me.

    Tuesday, July 10, 2012 9:17 AM
  • I had this symptom and was totally stumped. Turns out the fix was to allow built-in Users group Read permission on the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Apparently when Administrators, SYSTEM, and CREATOR OWNER have access to this key, but Users do not, no user can logon using RDP. (I had previously removed Users access to this key because I enabled AutoAdminLogin and DefaultUser and DefaultPassword values. Thinking only administrators would be remotely logging in, I was safe removing User read permissions to the clear-text password in the registry. It works on Windows Server 2003, but does not work on Windows Server 2008 R2.)

    • Edited by George Perkins Wednesday, November 13, 2013 10:04 PM spelling
    • Proposed as answer by George Perkins Wednesday, November 13, 2013 10:04 PM
    Wednesday, November 13, 2013 10:01 PM
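
A read-only check for the situation described in the post above: whether the built-in Users group can read the Winlogon key, and whether an autologon password is stored there. This is an added example, not part of the original post; it uses the Windows value names `AutoAdminLogon` and `DefaultPassword`, and it only evaluates Allow entries granted directly to the Users group.

```powershell
# Added example: read-only check of the Winlogon key named in the post above.
$path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$usersSid = 'S-1-5-32-545'   # well-known SID of the built-in Users group
$readKey  = [int][System.Security.AccessControl.RegistryRights]::ReadKey

# Allow entries for BUILTIN\Users (explicit and inherited) that include full
# read access. Deny entries and other groups are not evaluated here.
$acl   = Get-Acl -Path $path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$usersRead = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $usersSid -and
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.RegistryRights -band $readKey) -eq $readKey
})

# Autologon state. Only the presence of DefaultPassword is reported, never its value.
$wl = Get-ItemProperty -Path $path
$hasClearTextPassword = $null -ne $wl.DefaultPassword
$autoLogonEnabled     = "$($wl.AutoAdminLogon)" -eq '1'

$result = New-Object PSObject -Property @{
    UsersCanReadKey    = ($usersRead.Count -gt 0)
    AutoAdminLogon     = $autoLogonEnabled
    DefaultPasswordSet = $hasClearTextPassword
}
$result

if (-not $result.UsersCanReadKey) {
    Write-Warning 'Users has no read access to the Winlogon key: the condition the post links to "Access is Denied" on 2008 R2.'
} elseif ($hasClearTextPassword) {
    Write-Warning 'DefaultPassword is stored in clear text and is readable by the Users group.'
}
```

Per the post, removing Users read access from this key blocks RDP logon on Server 2008 R2, so on such a server a stored `DefaultPassword` stays readable by every local user for as long as autologon is configured this way.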
  • I was getting access denied also, I followed all the posts with no success, I noticed on the box I was RDP'ing to that there was a successful logon audit entry, but nothing else.  I reproduced the issue multiple times in a row and then ran a set command to find my logon server, went on the logon server (one of my DC's) and noticed the following warnings


    Following event 29 I came across the following doc:

    Once I recreated the Domain Certificates, I verified the KDC and it was successful.  RDP still didn't work, but the events went away when reproducing the issue, rebooted the DC (our logon server)  and the server we were RDP'ing to  and once back up I was able to RDP with no problems to all Servers.

    Wednesday, May 14, 2014 11:40 AM
  • Hi guys

    it worked for me when I added the 

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ create a DWORD value called “IgnoreRegUserConfigErrors” and assign the value “1” to this property (also tried 0)

    thanks  Brent

    Marcello Jordan, MCP, MCDT, MCTS, MCITP

    • Proposed as answer by Jordi Brand Tuesday, May 19, 2015 9:06 AM
    Friday, September 19, 2014 3:33 PM
  • I checked and tried a lot of different solutions that I had come across, but this is what actually worked for me. Thanks!
    Thursday, October 16, 2014 7:23 PM
  • Thanks Marcello,

    It worked for me too and without need to reboot server :)

    Thursday, April 02, 2015 3:35 PM
  • Thx. Worked for me too.

    Thursday, May 07, 2015 8:11 AM
  • In my case "Client for Microsoft Networks" option was unchecked. After selecting this option, the access was normalized and the message "Access Denied" is no longer displayed.
    Monday, October 05, 2015 10:33 PM
  • Thanks! Works for me too!
    Monday, October 19, 2015 2:25 PM
  • this worked for me.

    Sunil Thacker

    Tuesday, December 08, 2015 8:47 AM
  • I had a similar behaviour but in my case the MaxTokenSize has been reached.

    I saw the same warnings in event viewer and got some odd behaviour beside, like adding a user to local group has been rejected as well and so on. But as a little workaround, just use mstsc.exe /admin to connect to the server (in my case Server 2008 R2). Somehow the broken Kerberos token will be ignored.
    But for sure I aligned the MaxTokenSize for this server (if not already happened with GPO) and this solves the other issues as well.
    However, to change the reg key "IgnoreRegUserConfigErrors" doesn't seem to be a good idea. I assume it means: "Ignore registered user configuration errors" and is in no case a solution of the root cause. I would just use it as a workaround.

    Hope this will help

    • Proposed as answer by IndiJones Thursday, January 21, 2016 11:22 AM
    • Unproposed as answer by IndiJones Thursday, January 21, 2016 11:23 AM
    Thursday, January 21, 2016 11:20 AM
  • That also worked here. Unfreakingbelievable
    Wednesday, February 24, 2016 9:55 PM
  • Thanks so much!  Worked like a charm.  I had deleted some old profiles and it caused this issue for me.  Your resolution was just what I needed!
    Tuesday, March 29, 2016 7:39 PM
  • This worked for me. Thank you!!!
    Tuesday, June 07, 2016 8:16 PM
  • Thanks this works for me too :)


    Thursday, June 23, 2016 3:04 PM
  • This worked for me. Thanks so much!
    Tuesday, September 13, 2016 8:13 AM
  • This solution works perfectly. Thanks.
    Tuesday, November 22, 2016 9:45 AM
  • Thanks a lot, it works like charm!
    Wednesday, January 04, 2017 12:55 PM
  • Thank U. Thank U

    Works without need to restart.


    Tuesday, March 28, 2017 5:52 AM
  • Hi guys

    it worked for me when I added the 

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ create a DWORD value called “IgnoreRegUserConfigErrors” and assign the value “1” to this property (also tried 0)

    thanks  Brent

    Marcello Jordan, MCP, MCDT, MCTS, MCITP

    This worked for me as well. I tried so many things and checked so many forums but my issue was resolved using this registry

    Monday, April 03, 2017 6:25 PM
  • It worked for me...after so much research I found this and it did help!!

    Thanks Guys :-)

    MCSA Member

    Wednesday, April 19, 2017 3:36 AM
  • Worked for me!!!


    Friday, May 19, 2017 9:19 PM
  • do not delete the local and roaming folders this will mess you up!


    Saturday, October 14, 2017 7:44 AM
  • Oh and I almost forgot to give the answer... This issue happened with 2012 R2 - mstsc (or any other app I'd publish regardless of the switches I'd add) through Remote App

    so I had the exact same problem, with the Access denied... scratched my head, lost my hair and turned old and gray... until....!!!!!!! I ran Gpupdate /force and saw that my TS although it wasn't my EDGE server... and my EDGE TS was getting the updates and working fine... the 2nd hop was failing to get the gpupdates... it simply couldn't connect to Sysvol...

    lo and behold, verify network and file sharing issues... verify IPv6 issues... disabled IPv6 with the 0xff bit by going to HKLM/SYSTEM/CurrentControlSet/Services/TCPIP6/Parameters and create the DisabledComponents DWORD, type in ff.

    open explorer and enable network and file sharing. reboot. and voila all is now working again!

    access denied no more!!!!!!!!

    if this helped please mark as answered!



    • Edited by G-EDGE Saturday, October 14, 2017 8:29 AM added target Server 2012 R2
    Saturday, October 14, 2017 8:27 AM