How to fix remote desktop access in Windows Server 2012 R2
Solution 1
Finally found the problem. Launch gpedit.msc, navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on through Remote Desktop Services
In my case this was empty, whereas on my working Servers it had the group Administrators. Adding the group Administrators immediately fixed my problem.
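To check the same policy entry from the console, the following added example (not part of the original answer) parses a `secedit /export` of the user rights and reports who holds SeRemoteInteractiveLogonRight, the internal name of "Allow log on through Remote Desktop Services". The function names and the sample data are constructed for illustration.

```powershell
# Added example: who holds "Allow log on through Remote Desktop Services"?
# Parses the INF text written by: secedit /export /cfg <file> /areas USER_RIGHTS

function Get-UserRightHolders {
    param(
        [string[]] $InfLines,
        [string]   $Right = 'SeRemoteInteractiveLogonRight'
    )
    $pattern   = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        }
        elseif ($inSection -and $line -match $pattern) {
            # Comma-separated principals; SIDs are written with a leading '*'.
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()   # no line for the right: treated here as "nobody holds it"
}

function Test-RdpLogonRight {
    param([string[]] $InfLines)
    $holders = @(Get-UserRightHolders -InfLines $InfLines)
    [pscustomobject]@{
        Holders               = $holders
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
        AdministratorsAllowed = ($holders -contains 'S-1-5-32-544') -or
                                ($holders -contains 'Administrators')
    }
}

# Constructed sample reproducing the broken state from the answer (empty right).
$sample = @(
    '[Unicode]'
    'Unicode=yes'
    ''
    '[Privilege Rights]'
    'SeInteractiveLogonRight = *S-1-5-32-544'
    'SeRemoteInteractiveLogonRight ='
)
Test-RdpLogonRight -InfLines $sample

# Live check on the server, from an elevated console:
#   $cfg = Join-Path $env:TEMP 'user-rights.inf'
#   secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
#   Test-RdpLogonRight -InfLines (Get-Content $cfg)
```

Running the same export on a server that still accepts RDP and comparing the two [Privilege Rights] sections shows which user rights differ between the machines.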
Solution 2
It sounds like you were playing with Restricted Groups. If so, the group isn't restricted any more, but everyone who was in that group has been kicked out.
You need to create a new GPO and apply it. Then you can log in. After you're safely logged in, you can un-apply it and make sure the group membership is what you want it to be.
Daniel
Updated on September 18, 2022
Comments
-
Daniel over 1 year
Kind of an embarrassing question but...
One day I was playing around with GPOs to try and grant local Administrator access to a specific User group for a specific Client computer.
Somehow, I messed up the GPO. I have since deleted that GPO and I can’t find the original guide I was following.
The end result is that I now have a server running Windows Server 2012 R2, which I cannot connect to via RDP, using a domain Administrator account!
I receive the following message when attempting to connect as a domain Administrator:
To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right. If the group you are in doesn’t have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually.
Basically, how can I “undo” the effects of that old GPO, and return the RDP access settings to their default state? I know I could just add “Administrators” to the list of allowed users in the control panel, but I want to make sure I actually reverse whatever changes I accidentally made before.
-
joeqwerty almost 8 years
An important point to note: Deleting a GPO doesn't revert the settings that were configured by that GPO. You need to "unconfigure" the settings and then delete the GPO.
-
Daniel almost 8 years
I know this. At the time, I thought the GPO hadn’t worked at all, so I just deleted it. Turns out it affected just this one server. And since I don’t frequently log in to this server, I only just realized it now. So now I need to figure out how to reverse the effects of a GPO that doesn’t exist anymore.
-
Daniel almost 8 years
I have console access to the server. I don’t need to fix the problem via GPO. How can I fix it on the machine directly?
-
Katherine Villyard almost 8 years
Edit the membership of the Administrators group, or whichever group it was that you changed.
-
Daniel almost 8 years
Is there any way I can see which groups have been changed from default :o
-
Katherine Villyard almost 8 years
Unfortunately, no. :( If you have a similar server that didn't have the same policy applied, it might help you make an educated guess.
-
Daniel almost 8 years
So... apparently you can’t directly edit local users and groups on a domain controller, which this server happens to be. Soooooo, how can I edit this local group from the console :o
-
Katherine Villyard almost 8 years
I just ran net localgroup and net localgroup administrators on a server core domain controller (without arguments) and it seemed to work. I didn't attempt to make any changes, though.
-
Daniel almost 8 years
Yes, I think I was playing around with Restricted Groups, but I'm not sure what I did exactly. I have a working RDP GPO which makes use of Restricted Groups by editing the BUILTIN\Administrators and BUILTIN\Remote Desktop Users groups. Well, I'm still at a loss as to what is wrong with this server as running net localgroup Administrators and net localgroup "Remote Desktop Users" both show myDomainAdminAccount. So I'm not sure why my RDP connection is getting rejected. :(
-
Daniel almost 8 years
Nevermind. Finally found the problem. Launch gpedit.msc, navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on through Remote Desktop Services
In my case this was empty, whereas on my working Servers it had the group Administrators. Adding the group Administrators immediately fixed my problem.