#1 Cambridge (Junior Member, Montréal, Québec; MCP (70-270))

    Domain admin cannot remote desktop to domain controller

    Hello all,

    First post here, just starting to study for MCSA. I am stuck on a problem with a remote desktop connection. I cannot remote desktop to the domain controller using the domain admin account. Error message:



    Why do I have to add the domain administrator to the domain remote desktop users group in order to allow him to be able to remote desktop to the domain controller? Isn't the domain administrator supposed to be allowed by default? This is what I thought I had understood, and something else seems to confirm it as well:

    In the system properties of the domain controller, remote tab, "select remote users", at the bottom it says: "contoso\administrator already has access".

    Now it does let me add the administrator (domain admin account) to the domain remote desktop users group. And indeed if I add it, the problem is solved and I can remote desktop to the domain controller using the domain admin account. Is this normal? Am I missing something?

    In RDP-Tcp properties/Permissions, I left everything to default: Contoso\Administrators has full control, Remote Desktop Users have user and guest access.

    What's even harder to understand is that if I add simple users (non-admin) to the Remote desktop users group on the domain controller, those users are able to remote desktop to it. I thought that only members of the domain administrators group could remote desktop to a domain controller. So why would adding simple users to the remote desktop users group be enough for my domain controller to grant them access to remote desktop?

    In Administrative Tools/Domain Controller Security Policy, as well as in Administrative Tools/Domain Security Policy, I have not changed anything in the "Allow log on through Terminal Services" policy. It's set to "Not defined" in both cases. So I really don't see what's causing this.

    Any help appreciated.
    Cheers!
#2 sprkymrk (Charleston, SC; MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+)
    First, welcome to the forums.

    Second, I'd like to congratulate you on actually giving us enough background information to help you out.

    It's refreshing because usually someone will post with a problem like yours and only give a one sentence description.

    Okay, now I'll have to admit that I need to review how Terminal Services acts with a DC.

    I'll post back if I find something. Meanwhile consider this a "bump" for your topic.
#3 rjbarlow (Italy; CCNA, MCSA 2k3: Messaging, MCP, 70-285. WIP: 70-236, 70-293)
    Administrator profile --> Terminal Services Profile tab: maybe this account (strangely) has "Deny this user permission to log on..." active; try to check there.

#4 Mishra (Ashburn, VA; MCSA:2012, MCITP:EA/SA, MCSE 2003, MCTS: Vista, VCP4, AAS)

    Re: Domain admin cannot remote desktop to domain controller

    Quote Originally Posted by Cambridge
    Hello all,

    First post here, just starting to study for MCSA. I am stuck on a problem with a remote desktop connection. I cannot remote desktop to the domain controller using the domain admin account. Error message:



    Why do I have to add the domain administrator to the domain remote desktop users group in order to allow him to be able to remote desktop to the domain controller? Isn't the domain administrator supposed to be allowed by default? This is what I thought I had understood, and something else seems to confirm it as well:

    It should be added by default. Is it a test domain you just setup or something else someone has setup in the past?

    In the system properties of the domain controller, remote tab, "select remote users", at the bottom it says: "contoso\administrator already has access".

    Now it does let me add the administrator (domain admin account) to the domain remote desktop users group. And indeed if I add it, the problem is solved and I can remote desktop to the domain controller using the domain admin account. Is this normal? Am I missing something?

    In RDP-Tcp properties/Permissions, I left everything to default: Contoso\Administrators has full control, Remote Desktop Users have user and guest access.

    What's even harder to understand is that if I add simple users (non-admin) to the Remote desktop users group on the domain controller, those users are able to remote desktop to it. I thought that only members of the domain administrators group could remote desktop to a domain controller. So why would adding simple users to the remote desktop users group be enough for my domain controller to grant them access to remote desktop?

    When you add people to the remote desktop group then it indeed gives them access to log into the domain controller. They do not have administrative rights however.

    In Administrative Tools/Domain Controller Security Policy, as well as in Administrative Tools/Domain Security Policy, I have not changed anything in the "Allow log on through Terminal Services" policy. It's set to "Not defined" in both cases. So I really don't see what's causing this.

    Any help appreciated.
    Cheers!
#5 sprkymrk (Charleston, SC; MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+)
    To the best of my understanding:

    When a user initiates an RDP connection to a computer, it will establish the connection only if Remote Desktop is enabled either in the System Properties>Remote tab of the computer or in a GPO that applies to that computer. This is obviously already done in your case.

    Next, the user's credentials are checked. The user must have the RIGHT to log on through terminal services. If that is verified, then the actual user account properties are checked to see if he is allowed or if the "Deny this user permission to logon to any terminal server" is checked on the Terminal Services profile tab.

    Last, the user's group membership is checked to make sure he is a member of either the Remote Desktop Users or Administrators groups. If all of these conditions are met, the user can successfully log on. If any one condition is not met, he cannot log on and no other conditions are checked.

    There are also 2 different Remote Desktop Users groups. There is a "local" Remote Desktop Users group on member servers, and then there is also a "Domain Local" Remote Desktop Users group on Domain Controllers. The latter is not assigned the right to log on through Terminal Services by default. I suspect this is the issue you ran into - I am not sure why MS did it this way.

    As for your second question, if you, as an admin, grant joe blow user the right to log on to Remote Desktop on a DC, then they have that right plain and simple. Without additional rights they won't be able to use tools like ADUC, but they can log on to the DC.

    HTH
#6 Mishra (Ashburn, VA; MCSA:2012, MCITP:EA/SA, MCSE 2003, MCTS: Vista, VCP4, AAS)
    Another little note that you might want to take is that plain users can only log into other workstation operating systems. This is not allowed on any server system.

    And as for my previous statement, please add that you do have to be a user of the domain controller before you will be able to log into that machine.
#7 Cambridge (Junior Member, Montréal, Québec; MCP (70-270))
    Quote Originally Posted by rjbarlow
    Administrator profile --> tab Terminal service profile, maybe this account (strangely) has the Deny this user permission to logon... active, try to see there.
    Verified, it's not the case.

    Quote Originally Posted by Mishra
    It should be added by default. Is it a test domain you just setup or something else someone has setup in the past?
    This is a virgin test domain, I am following Microsoft Press' 70-290 Training Kit. To be honest, it is quite possible that, after hours of testing to solve another problem, I removed the domain administrator from the domain remote desktop users group and forgot to add it back. So can you confirm that it is supposed to be in there out of the box? It does make sense, I'm not arguing that. It's just that in the book, when they say that the domain admin should be able to remote desktop to the domain controller by default, I thought it meant that this is something you cannot set yourself anywhere, kind of a built-in property in the OS. That probably sounds silly but I am new to that, still trying to adjust to Microsoft's philosophy.

    I have several other questions following all your answers to my original post, but let's start with that. Thanks for the help.
#8 /usr (Senior Member, West Virginia)
    Can you create a new account, add them to the Domain Admins, then try it out?

    As a test just now at work, I remoted into our DC, removed myself from the Remote Desktop Users group, then tried it again. It worked.

    I'm in the Domain Admin group, among others...
#9 Silver Bullet (A+, Network+, Server+, APS, MCP, MCSA:M 2003, MCSE 2003, MCTS (70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE)
    Quote Originally Posted by Cambridge
    I thought it meant that this is something you cannot set yourself anywhere, kind of a built-in property in the OS.
    Have a look in Group Policy under Computer Configuration > Windows Settings > Security Settings > User Rights. You can grant additional groups the right to log in at "Allow logon through Terminal Services". Additionally, you can deny groups with "Deny Logon through Terminal Services". This may be handy if you have a user that belongs to multiple groups and you decide you want one group to have this ability but not the others. (Does that make sense?)
#10 Mishra (Ashburn, VA; MCSA:2012, MCITP:EA/SA, MCSE 2003, MCTS: Vista, VCP4, AAS)
    It is definitely supposed to be in there by default. I'm sure you broke something!
#11 Cambridge (Junior Member, Montréal, Québec; MCP (70-270))
    Quote Originally Posted by /usr
    Can you create a new account, add them to the Domain Admins, then try it out?

    As a test just now at work, I remoted into our DC, removed myself from the Remote Desktop Users group, then tried it again. It worked.

    I'm in the Domain Admin group, among others...
    Tried that, but the new account cannot remote desktop even when it is a member of Domain Admins. My domain administrator is also a member of Domain Admins and cannot either.

    Quote Originally Posted by Silver Bullet
    Have a look in Group Policy under Computer Configuration > Windows Settings > Security Settings > User Rights. You can grant additional groups the right to login at the "Allow logon through Terminal Services".
    I have it under Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services. I assume that's what you meant. In there, I only have Remote Desktop Users, but neither Domain Admins nor Administrator.

    I think I could summarize my whole problem/questions as follows:

    Out of the box, what specific groups/accounts are supposed to be under Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services on a Domain Controller?

    Out of the box, what specific groups/accounts are supposed to be member of the Remote Desktop Users group?

    On a Domain Controller, what's the difference between:

    1) Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services
       (currently: Remote Desktop Users only)

    2) Administrative Tools > Domain Security Policy > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services
       (currently: Not defined)

    3) Administrative Tools > Domain Controller Security Policy > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services
       (currently: Not defined)

    Thank you so much everyone for the help.
#12 Cambridge (Junior Member, Montréal, Québec; MCP (70-270))
    Come on, anyone? I really tried to summarize/clarify/simplify all my problems and questions in the last post. And my questions are pretty simple I believe, I just need the answers from someone with more experience who knows. I would really appreciate any help. You don't need to read the whole thread, my last post contains all the unclear remaining points.

    Thanks a lot!
#13 dynamik (Senior Member)
    Quote Originally Posted by Cambridge
    I think I could summarize my whole problem/questions as follows:

    Out of the box, what specific groups/accounts are supposed to be under Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services on a Domain Controller?

    Out of the box, what specific groups/accounts are supposed to be member of the Remote Desktop Users group?

    On a Domain Controller, what's the difference between:

    1) Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services
       (currently: Remote Desktop Users only)

    2) Administrative Tools > Domain Security Policy > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services
       (currently: Not defined)

    3) Administrative Tools > Domain Controller Security Policy > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services
       (currently: Not defined)

    Thank you so much everyone for the help.
    On my servers at work and a few VMs that are fairly new installs, I either have administrators or administrators and remote desktop users listed under: Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services

    I don't believe I ever modified these settings. The pattern I noticed was that domain controllers have only administrators while member servers have administrators and remote desktop users. Again, some of these were set up over two years ago, and I really don't remember if I modified any of these settings. I may have just removed remote desktop users from my domain controllers (but one of my virtual machines is like that too, and I don't think I'd have gone to the effort for that).

    Either way, the administrators group was always assigned that right. If you only have remote desktop users assigned that right, you should be able to either add the account you're trying to connect remotely with to that group, or add the administrators group (assuming your account belongs to that group) to that policy.

    None of my machines had any members for remote desktop users.

    The first item in your list (assuming you targeted the local computer), is the local policy for that machine. The second item is the policy for your entire domain, and the third is the policy for all the domain controllers in your domain.
#14 sprkymrk (Charleston, SC; MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+)
    Out of the box, what specific groups/accounts are supposed to be under Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services on a Domain Controller?
    Local Administrators and the local Remote Desktop Users group have this right on member servers; I could not find a reference specific to DCs.

    Out of the box, what specific groups/accounts are supposed to be member of the Remote Desktop Users group?
    No one.
    http://technet2.microsoft.com/window....mspx?mfr=true


    On a Domain Controller, what's the difference between:

    1)Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services
    (currently: Remote Desktop Users only)
    This setting applies to just that particular server or DC.

    2)Administrative Tools > Domain Security Policy > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services
    (currently: Not defined)
    Applies to all servers/workstations in the domain.

    3)Administrative Tools > Domain Controller Security Policy > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services
    (currently: Not defined)
    Applies to all DCs in your domain, but not member servers.

    Contrary to what you stated, these are not really simple questions. That's the likely reason no one has offered any input. Unless someone knows this off the top of their head, it takes time and research to answer these. My answers are my honest-to-goodness best shot, but I could stand corrected if you can find an MS paper explaining the things you asked about. I've included a few links that might help, but I couldn't find exactly the information you were looking for.

    http://technet2.microsoft.com/window....mspx?mfr=true
    http://technet2.microsoft.com/window....mspx?mfr=true
    http://www.microsoft.com/technet/sec.../tcgch04n.mspx
    http://technet2.microsoft.com/window....mspx?mfr=true

    Hey, I see dynamik beat me to the punch. His info looks spot on.
#15 (Junior Member, joined Aug 2005)

    I learned this one today actually

    In a bootcamp class I'm in, I learned that on a domain controller, and only on a DC, you have to explicitly allow TS/RD on the DC. By default, Microsoft will not let you remote desktop to a DC without this setting. It's a security feature.
#16 Messerf (Junior Member)
    Hi Cambridge,

    I had the same problem on a freshly installed server.
    I installed the DC like all the others before it but had no way to connect via Remote Desktop. The only difference from all the other servers was that sysprep had once been run on this server. After comparing the server with the others I found no difference in the rights.
    I found a workaround to log on with the admin again: I added the administrator account directly to the RDP-Tcp Permissions and then I was able to log on again.
    Maybe someone can find the real error, because the domain group "Remote Desktop Users" was there as usual with the right permissions and the admin was also in the group.



    Bye
    Messerf
#17 mwenenko (Junior Member)

    Please help troubleshoot this

    I had the same problem as in the two earlier screenshots, but I found some more info after I ran this command (the closing % of %SYSTEMROOT% was missing in the original):

    FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

    ---------- C:\WINDOWS\SECURITY\LOGS\WINLOGON.LOG
    Cannot find domain administrators.
    Cannot find domain administrators.

    What may be the cause of not being able to find the domain administrators group?
#18 mwenenko (Junior Member)

    Security Policy Tweaked

    I could fix my issue... somebody added "domain administrators" instead of "domain admins" in the "log on locally" security policy and that caused the problem. I removed the extra letters and reloaded the security policy. Now administrator can log in to the domain controller.
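    A defender-side audit of the conditions sprkymrk lists in post #5 (the "Allow log on through Terminal Services" right, the per-user Terminal Services Profile deny flag, Remote Desktop Users membership) that also surfaces the unresolvable-name problem behind the "Cannot find ..." winlogon.log lines in posts #17 and #18. This is an added example, not code from the thread; it assumes an elevated PowerShell session on the affected server or DC, and that the IADsTSUserEx AllowLogon property is reachable through ADSI there (the account name passed to Test-TSAllowLogon is a placeholder).

```powershell
# Added example, not code from the thread. Run elevated on the server/DC that
# refuses the RDP logon. secedit.exe (built in) exports the effective user-rights
# assignments; .NET SecurityIdentifier/NTAccount resolve the principals listed.
$inf = Join-Path $env:TEMP 'rdp-rights-audit.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# secedit writes each right as, e.g.:
#   SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
# Resolvable principals appear as *SID; a name the LSA could not resolve (such as
# the mistyped "domain administrators" from post #18) is left as a bare name.
function Get-RightHolders([string]$Right) {
    $line = Get-Content $inf | Where-Object { $_ -match "^\s*$Right\s*=" }
    if (-not $line) { return @() }                     # right assigned to nobody
    ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Resolve-Principal([string]$Entry) {
    try {
        if ($Entry.StartsWith('*')) {
            $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                              -ArgumentList $Entry.TrimStart('*')
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        # Bare name: prove it resolves. If it does not, policy application logs
        # "Cannot find <name>" in %SystemRoot%\Security\Logs\winlogon.log.
        $acct = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Entry
        $null = $acct.Translate([System.Security.Principal.SecurityIdentifier])
        return $Entry
    } catch {
        return "UNRESOLVED (check for a typo): $Entry"
    }
}

# Per-user switch from post #5: "Deny this user permissions to log on to Terminal
# Server". Assumption: IADsTSUserEx::AllowLogon (1 = allowed, 0 = denied) is
# exposed through ADSI on this DC.
function Test-TSAllowLogon([string]$SamAccountName) {
    $hit = ([ADSISearcher]"(sAMAccountName=$SamAccountName)").FindOne()
    if (-not $hit) { return "$SamAccountName not found in the directory" }
    $user = $hit.GetDirectoryEntry()
    if ($user.psbase.InvokeGet('AllowLogon') -eq 0) {
        return "$SamAccountName: DENIED on the Terminal Services Profile tab"
    }
    return "$SamAccountName: allowed on the Terminal Services Profile tab"
}

'== Allow log on through Terminal Services (SeRemoteInteractiveLogonRight) =='
Get-RightHolders 'SeRemoteInteractiveLogonRight' | ForEach-Object { Resolve-Principal $_ }

'== Deny log on through Terminal Services (SeDenyRemoteInteractiveLogonRight) =='
Get-RightHolders 'SeDenyRemoteInteractiveLogonRight' | ForEach-Object { Resolve-Principal $_ }

'== Members of Remote Desktop Users (the domain-local BUILTIN group on a DC) =='
net localgroup "Remote Desktop Users"

'== Per-user Terminal Services Profile flag (placeholder account name) =='
Test-TSAllowLogon 'administrator'

Remove-Item $inf -ErrorAction SilentlyContinue
```

    An entry reported as UNRESOLVED is the condition that produced the "Cannot find domain administrators." lines in post #17; an empty Allow list reproduces the symptom in post #1 even for Domain Admins.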
#19 Mishra (Ashburn, VA; MCSA:2012, MCITP:EA/SA, MCSE 2003, MCTS: Vista, VCP4, AAS)

    Re: Security Policy Tweaked

    Quote Originally Posted by mwenenko
    I could fix my issue... somebody added "domain administrators" instead of "domain admins" in the "log on locally" security policy and that caused the problem. I removed the extra letters and reloaded the security policy. Now administrator can log in to the domain controller.
    Well there you go. First 2 posts in techexams and you are talking to yourself.