none
Access is denied

    Question

  •  

    Just installed Longhorn August Beta version and configure to Terminal Service role.  I did add user from my AD to “Remote Desktop Users” local group and trying to connect by TS and after logon received “Access is denied” message. BTW: in Event Viewer I see that logon was OK. Interesting that member of Domain Administrators group could connect and work by TS to this new server. Problem occurs only with regular users.

    Please, help

    Tuesday, October 24, 2006 5:41 PM

Answers

  • Is the machine configured as a Domain Controller?

    On a DC the RDU group is removed from the 'allow logon via terminal services right'.  This is by design for security reason, you can add the group back into the right using gpedit.msc.

    Alex

    Thursday, October 26, 2006 2:31 AM
    Moderator
  •  Juda T. wrote:

    Yes, of cause I did this from the top. That the same as to add user to remote desktop users.

    I still couldn’t understand why domain administrators could connect and users that add to remote desktop users couldn’t?

    Could this issue may be relevant to Terminal Service Licensing

     

    Was this machine a DC? - on a DC we remove the RDU group from the logon via TS right.

    Monday, November 06, 2006 7:24 PM
    Moderator
  • On Windows 2003 and LH you need to add users to the RDU group to use remote desktop / the local administrators group is always part of this, if domain joined domain admins is always by default a member of the local admins group.

    This is why admins work and no one else did.  This has been the way TS has worked since the release of 2003. This has nothing to do with CALs when a machine is in remote desktop mode.

    When you are in the terminal server role you need a CAL for all connections including the first 2 admin connections.

    Saturday, November 11, 2006 8:57 PM
    Moderator

All replies

  • Is the machine configured as a Domain Controller?

    On a DC the RDU group is removed from the 'allow logon via terminal services right'.  This is by design for security reason, you can add the group back into the right using gpedit.msc.

    Alex

    Thursday, October 26, 2006 2:31 AM
    Moderator
  • No, it isn’t. The only role applied on the server is Terminal Services

    Allow logon is set to Admins and Remote Desktop users groups

    Thursday, October 26, 2006 10:55 AM
  • I am having the same problem, and it looks like I have the same situation as you.  Logging in as administrator works fine, but any other user will get "The requested session access is denied".  The security log on the machine says that the login was successful, but obviously it wasn't.


    Thursday, October 26, 2006 12:47 PM
  • Ok, I just figured out what the problem was.  I had to go to Control Panel -> System, click on 'Remote Settings' link, then click the 'Select Users' button, and then add the users/groups there.
    Thursday, October 26, 2006 1:26 PM
  • Yes, of cause I did this from the top. That the same as to add user to remote desktop users.

    I still couldn’t understand why domain administrators could connect and users that add to remote desktop users couldn’t?

    Could this issue may be relevant to Terminal Service Licensing

    Thursday, October 26, 2006 2:25 PM
  • I do realize that they are supposed to be the same thing, but it didn't work for me until I added it through the properties page instead of the Computer Management console.

    *shrug*  go figure.

    As far as I can tell, the CAL packs I installed are working correctly, plus I hadn't changed anything with the licenses when it started working.
    Thursday, October 26, 2006 6:40 PM
  • No, didn't work. I added user through properties page and same result

    Could you elaborate about CAL packs? I don't have one and just initialized Licensing without install any CAL packs. Could it be the reasons for access denied?

    Sunday, October 29, 2006 11:36 AM
  •  Juda T. wrote:

    Yes, of cause I did this from the top. That the same as to add user to remote desktop users.

    I still couldn’t understand why domain administrators could connect and users that add to remote desktop users couldn’t?

    Could this issue may be relevant to Terminal Service Licensing

     

    Was this machine a DC? - on a DC we remove the RDU group from the logon via TS right.

    Monday, November 06, 2006 7:24 PM
    Moderator
  • No, not a DC. Regular server with TS Server role
    Tuesday, November 07, 2006 9:41 AM
  • On Windows 2003 and LH you need to add users to the RDU group to use remote desktop / the local administrators group is always part of this, if domain joined domain admins is always by default a member of the local admins group.

    This is why admins work and no one else did.  This has been the way TS has worked since the release of 2003. This has nothing to do with CALs when a machine is in remote desktop mode.

    When you are in the terminal server role you need a CAL for all connections including the first 2 admin connections.

    Saturday, November 11, 2006 8:57 PM
    Moderator
  •  Alex,

    I just trying to verify your answears : I set-up Terminal Service role on LH server, I add my user to RDU local group and I recived "Access is denied". What the reasons of this error? Is it relevant to the reasons that I have no CAL licenses?

     

    Monday, November 13, 2006 5:58 PM
  • no this is unlikely to be releated to not having CALs.

    If you would like some CALs to prove this you can get Beta LH TS CALs from this web site free of charge http://licensecode.one.microsoft.com/ 

    Tuesday, November 21, 2006 1:59 AM
    Moderator
  • I found a post with the following and it helped me with the same scenario described here

    Open registry editor, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ create a DWORD value called “IgnoreRegUserConfigErrors” and assign the value “1” to this property

    Enjoy

    Tuesday, December 19, 2006 9:38 AM
  •  

    I was having this happen as well and the reg hack did not fix it.

     

    Ended up being a bone head mistake.  Was using an mstsc shortcut with the -console command.  Regular users don't get the remote console access.

    • Proposed as answer by PBU Friday, November 16, 2012 7:01 AM
    Friday, August 31, 2007 4:09 PM
  • Hi Alex,

    I am evalutaing Server 2008 for my company.  We all work in remote locations and log in to the server using RDC.  We have 4 users and Server 2008 only allows 2 RDC users.  I would like some Beta TS CALs to complete our evalutaion.  I tried the website you mentioned above and it looks like it is no longer available.  I do not want to purchase CALs to complete our evaluation.  Can you tell me how i can get some Beta TS CALs?

    Thanks,

    Tucker
    Monday, October 08, 2007 11:54 PM
  • Hi All,

    I had the 'Access is denied' error when trying to connect to a Citrix XenApp 5 server (Windows Server 2008 32-bit) using ICA Client 10 on Mac OS X.

    The registry hack fixed this problem.

    Thanks for that!
    Tuesday, October 28, 2008 1:04 AM
  • The registry key fix worked for me as well.  I started getting the error right after I configured the Terminal Server Licensing role.  I am a schema admin and it still wouldnt let me remote into the server.  I ensured that domain users was added to the RDU user list.  The Terminal server is not a domain controller either.  I just want to know what the registry key does?  Is this a bug in the OS or something that I need to fix?  Our terminal servers are critical for access and I rather keep them as bug free as possible.  
    Wednesday, July 01, 2009 2:37 PM
  • Wow, i feel like a fool.

    The -console bit fixed me right up. Thanks for pointing out my noobliness.

    R
    Wednesday, February 03, 2010 8:04 PM
  • The error message is not very helpful, I went straight to the RDU group.
    Tuesday, March 02, 2010 9:15 AM
  •  

    I was having this happen as well and the reg hack did not fix it.

     

    Ended up being a bone head mistake.  Was using an mstsc shortcut with the -console command.  Regular users don't get the remote console access.

    This was also my solution - if you are using a Remote Desktop snap-in with the MMC Admin Console, make sure to de-select the "Connect with /admin option" for the RDP object.
    Monday, July 12, 2010 10:14 PM
  • Hey guys, this has been driving me mad for AGES - Citrix with PingFederate for SSO.  I was getting the Access is Denied error.

    I tried this registry key hack after speaking to Ping and other people and this fixed it. 

    GENIUS

    Wednesday, July 20, 2011 9:04 AM
  • I found a post with the following and it helped me with the same scenario described here

    Open registry editor, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ create a DWORD value called “IgnoreRegUserConfigErrors” and assign the value “1” to this property

    Enjoy


    This really helped me Thanks for Grate article. I was using Citrix Zenapp to login to Windows server 2008 R2 sever and gettng access denied. Was fed up with this issue since las 4-5 days, which finally got resolved after your grate twick. But coruios to know the thiory behind that. Jaywant
    • Edited by Jaywantpune Thursday, January 12, 2012 5:27 AM
    Thursday, January 12, 2012 5:26 AM