Windows Server 2012 Standard RDS Access Denied for Domain Users


Domain Admins always have remote desktop logon rights, but other users need to be granted this privilege explicitly. It sounds like your Domain Users may have been removed from the local permissions group.

Places to Check:

  • Ensure that Domain Users are added to the RDS server's "Remote Desktop Users" local security group.
  • Open Remote Desktop Session Host Configuration and check the properties for the RDP-Tcp connection. Make sure that nobody modified the security in this location. The security tab should still include "Remote Desktop Users" with 'User Access' and 'Guest Access' allowed.
  • Still on the RDP-Tcp Properties dialog, ensure that the security layer setting is "Negotiate" and the encryption level is "Client Compatible" unless you are required to set that higher.
  • Check a GPResult for the following:
    • Allow log on through Remote Desktop Services should be set to Administrators, Remote Desktop Users.
    • Deny log on through Remote Desktop Services should be set to Guests and ideally Local account, Guests.
    • Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Session Host > Connections > *Allow users to connect remotely by using Remote Desktop Services* should be set to either Not configured or Enabled.
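The checks listed in the answer can be collected in one read-only pass. The script below is an added example, not part of the original answer. The registry paths, the `fDenyTSConnections` value and the privilege constants `SeRemoteInteractiveLogonRight` / `SeDenyRemoteInteractiveLogonRight` are the standard Windows names behind those settings and do not appear in the thread.

```powershell
# Added example: read-only audit of the settings named in the answer. Run elevated on the RDS host.
# 1. Members of the local "Remote Desktop Users" group (net.exe needs no extra module on Server 2012).
net localgroup "Remote Desktop Users"

# 2. RDP-Tcp listener: security layer and encryption level.
$listener = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$layers = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$levels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
"Security layer  : $($layers[[int]$listener.SecurityLayer])"
"Encryption level: $($levels[[int]$listener.MinEncryptionLevel])"

# 3. Effective user rights, exported from the local security database and resolved from SIDs to names.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
function Resolve-Right([string]$Name) {
    $match = Select-String -Path $cfg -Pattern "^$Name\s*=" | Select-Object -First 1
    if (-not $match) { return '(no accounts assigned)' }
    foreach ($entry in ($match.Line -split '=', 2)[1].Split(',')) {
        $sid = $entry.Trim().TrimStart('*')
        try   { ([Security.Principal.SecurityIdentifier]$sid).Translate([Security.Principal.NTAccount]).Value }
        catch { $sid }   # entry was already a name, or the SID cannot be translated
    }
}
"Allow log on through RDS: $((Resolve-Right 'SeRemoteInteractiveLogonRight') -join ', ')"
"Deny log on through RDS : $((Resolve-Right 'SeDenyRemoteInteractiveLogonRight') -join ', ')"
Remove-Item $cfg

# 4. Policy value behind "Allow users to connect remotely by using Remote Desktop Services".
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
if ($null -eq $policy -or $null -eq $policy.fDenyTSConnections) { 'Connection policy: Not configured' }
elseif ($policy.fDenyTSConnections -eq 0) { 'Connection policy: Enabled' }
else { 'Connection policy: Disabled (blocks RDP logons)' }

# 5. Which GPOs were applied to this computer, to trace any unexpected value above to its source.
gpresult /r /scope computer
```

An unexpected group in the deny right, or a missing "Remote Desktop Users" entry in the allow right, points to the GPO listed in step 5 that delivers the User Rights Assignment.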

Author: GarudaLead

Updated on September 18, 2022

Comments

  • GarudaLead
    GarudaLead over 1 year

    I've recently started having a problem where users can no longer log into the RDS server. They get 'Access is denied'.

    If I add them to Domain Admins, they are able to get on without issue. I've checked Local Security Policy > Local Policies > User Rights Assignments > Allow log on through Remote Desktop Services. It has the appropriate groups assigned. I even added Domain Users to include everyone, but the users still get the access denied unless they are in the Domain Admins group.

    I've checked the event log and the only 2 events associated with the security log are 2 4634 events that say An account was logged off. One with Logon Type 3 and the other with Logon Type 10.

    Any ideas as to what could be causing the issue?

    • Admin
      Admin almost 6 years
      RDP service in trouble. I guess the symptom is there even if you restart the server? If the restart does not solve the issue, try with a user without any GPO applied to it, or a local user in the worst case.
    • Admin
      Admin almost 6 years
      I think it has to be a permissions / authentication issue because it's happening to both the RDS servers in the domain.
    • Admin
      Admin almost 6 years
      Make sure no GPO removes your right to log on, which is why I suggest testing with a user without GPO.
    • Admin
      Admin almost 6 years
      "Access denied" is too generic to troubleshoot as it could mean so many things. If the affected server is a fresh install, I would consider a new build, reinstall and try again. You could also try resetting the affected account to "Local System", reset the RDS service to "Network Service" and see if this fixes the problem.
    • Admin
      Admin almost 5 years
      Access Denied is very generic. I ran into this issue recently. In my case the server was not able to get in contact with the domain controller in order to authenticate users. I did an nslookup for the domain controller on the server and didn't get a response. After looking at my DNS settings on the server, I saw that I was missing my DNS suffixes. After adding them in, everything worked as intended.
  • GarudaLead
    GarudaLead almost 6 years
    I've checked and all the security settings are set as they should be and I still get the access denied error.
  • SamErde
    SamErde almost 6 years
    There are no audit failure events in the Security event log?
  • GarudaLead
    GarudaLead almost 6 years
    No, that's the odd thing. I get 2 log off events. They are identical except for that the logon types are different. One is type 3 the other is type 10.
  • SamErde
    SamErde almost 6 years
    Interesting - those numbers do make sense. Logon type 3 is "Network Logon" and logon type 10 is "Remote Interactive" (RDS). But those are both success events, right?
  • GarudaLead
    GarudaLead almost 6 years
    They are successful events. I did as @yagmoth555 suggested above and created a local user and made them a member of the Remote Desktop Users group. I was able to log that user in. So it sounds like it is a GPO causing an issue. I'll start with some GPO Results. Anywhere I should look other than the above?
  • SamErde
    SamErde almost 6 years
    Added a few group policy settings to check in my answer above.
  • djdomi
    djdomi almost 3 years
    Mostly I think the default settings will work fine.