Access Denied trying to Remote Control a user session

December 19, 2009, 10:23 pm

≫ Next: RD session broker will not work with desktop sessions

≪ Previous: Windows 2012 R2 printers showing twice (and unable to set default printer)

Brand new Win2k8 SP2 server that is also a domain controller. From an administrator session or any user who is a domain admin I can right click any other users session in the Terminal Services Manager and the Remote Control menu item is available however, no matter what state they are in, the icon shows a little red arrow pointing down. Once I click on Remote Control I get the Remote Control hot key assignment box. When I click on the OK button I get a dialog box with a header of Terminal Services Manager, in the body of the dialog box it says "Access is denied" and you have an OK button. There are no messages in the event logs. The session I am trying to remote control is a RemoteApp sitting on another workstation 3 feet away. The login it is using works fine with RemoteApp or a full RDP session either way. I currently am having NO problems connecting from any client to the server. Only from a remote session trying to remote control any other session.

I can do CMD, shadow (id number), and take control of any valid session that way but since this will be used by managers to train others that's not an option for them.

In the Default Domain Policy GPO and the Default Domain Controllers Policy I have enabled:

Computer Configuration/Administrative Templates/Windows Components/Terminal Services/Terminal Server/Connections
Policy: Set rules for remote control of Terminal Services user sessions
Setting: Full Control without user's permission

User Configuration/Administrative Templates/Windows Components/Terminal Services/Terminal Server/Connections
Policy: Set rules for remote control of Terminal Services user sessions
Setting: Full Control without user's permission

In the Local Group Policy Editor (gpedit.msc) I enabled:

In Terminal Services Configuration (properties for RDP-Tcp) I have permissions set on the Security tab for Domain Admins and Remote Dekstop Users. The users in question are all in the Remote Desktop Users group. The Remote Control tab shows the proper group policy setting of full control without user's permission.

Local Security Policy user rights assignments are all good for actually connecting as users. Nothing there that I can tell that allows or disallows the remote control sessions.

Each user I have tried this with I have edited their ADUC properties to be sure that Enable remote control is checked, require user's permission is not checked, and interact with the sesson is checked.

Any ideas?

↧

RD session broker will not work with desktop sessions

September 14, 2014, 8:25 pm

≫ Next: SERVER CONFIGURATION - PROBLEM SETTING UP LICENSE SERVER

≪ Previous: Access Denied trying to Remote Control a user session

One RD Broker 2012 R2 and 2 Session Host Servers.

When I connect using rd web using IE I can be logged into the web interface (on broker where role installed) and then able to use the desktop icon to gain access to the desktop session. I check the collection and I can see the login has been moved to one of the two host servers and logged in correctly so the redirection between broker and hosts are working correctly.

But when I try and use the remote desktop connection app, please farm name and connect, I am asked for the username\password, agree to the certificate but I receive the message that 'might not have permissions to log in remotely' it looks to me it's trying to log into the RD Broker and not being redirected.

I look at the logs on the broker and they are

Remote Desktop Connection Broker Client failed to redirect the user. Error Null

Why can the broker redirect the RD web connection but not the RDP connection? No firewalls on and everything configured correctly that I know.

↧

SERVER CONFIGURATION - PROBLEM SETTING UP LICENSE SERVER

September 2, 2014, 1:19 am

≫ Next: User Profile Disks require SMB 3.0?

≪ Previous: RD session broker will not work with desktop sessions

I HAVE SETUP WINDOWS SERVER 2012 IN A PC AND MADE IT MEMBER OF THE DOMAIN. I HAVE INSTALLED RD LICENSE SERVER AND RD GATEWAY SERVER TO THE SAME SERVER. I ALSO CONFIGURED THE LICENSING MODE TO 'PER USER' AND HAVE INSTALLED USER CAL (FOR 50 USERS). STILL IT DISPLAYS A MESSAGE ON STARTUP THAT REMOTE DESKTOP LICENSING MODE IS NOT CONFIGURED.

IS THIS COULD BE AN ISSUE OF CERTIFICATES OR TRUSTS?

↧

User Profile Disks require SMB 3.0?

September 15, 2014, 1:44 am

≫ Next: Run specific published app in one collection using different credentials

≪ Previous: SERVER CONFIGURATION - PROBLEM SETTING UP LICENSE SERVER

Hi all,

I have some netapp space available for User profile disks, the netapp does not support SMB 3.0 and when I try and apply the setting i get an RPC error:

0x800706BA

Similar to this thread here which suggested SMB3 was required.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/5a4e6fb8-ad10-4ac1-b3ac-55d414b3fb17/got-rpc-server-is-unavailable-error-when-configuring-user-profile-disk-to-use-a-samba-share?forum=winserverTS

So would like clarification, is SMB 3.0 a requirement?

I have managed to setup a file share on a windows 2012r2 box on storage which does not support SMB3.0 and it works... I don't know if windows is doing something funky in the back end to make it work though.

Thanks

↧

Run specific published app in one collection using different credentials

September 8, 2014, 4:13 am

≫ Next: Printers of other users visible and show up multiple times under the control panel

≪ Previous: User Profile Disks require SMB 3.0?

Hi,

I have a collection of published apps using rdweb with apps accessed by and run by a user in a group. I was wondering how i can allow one of the apps in the users rdweb to be launched using alternate credentials.

I.e. i log on as userA. I get my list of allowed apps in RDWeb. Among those apps is an app, let's call it AppX. I want that app to be launched using credentials of a user account named userB.

I know this is possible using citrix xenapp on server 2008 R2. Can it be done on native RDS 2012 R2 (no citrix)?

This posting is provided "AS IS" with no warranties or guarantees and confers no rights

↧

Printers of other users visible and show up multiple times under the control panel

May 14, 2014, 6:57 am

≫ Next: RDS terminal services users automatic logsoff

≪ Previous: Run specific published app in one collection using different credentials

Hello,

I currently have a very interesting problem:

Some (not all) printers show up multiple times on every user session on the specific terminal server. This behavior show up on both of the 2 servers. Also the printer only shows up multiple times under the control panel, but not in the printer dialog.

The users are not part of either printer operators, Administrator or Power Users.

The servers are Windows Server 2012.

I cannot find a reason for this after some hours with my friend Google.

Does someone have any idea how to fix this?

Thanks in advance

Paul

↧

RDS terminal services users automatic logsoff

September 15, 2014, 3:54 am

≫ Next: Window Server 2012 Remote Desktop CALs and Setup Questions

≪ Previous: Printers of other users visible and show up multiple times under the control panel

Please help or advice ; when trying to logon on RDS terminal Services on windows server 2008 r2 it automatically logsoff, it shows welcome,applying user settings, preparing desktop and logoff.

↧

Window Server 2012 Remote Desktop CALs and Setup Questions

September 15, 2014, 12:21 am

≫ Next: Ts Sever 2008

≪ Previous: RDS terminal services users automatic logsoff

I'm using Window Server 2012, and have purchase Windows Server 2012 RDS User CAL x 10, after install the RDS CAL license to RD Licensing Manager, it can show Total licenses is 10 & Available is 10 (I think its complete install the license). When we use remote desktop to login to server, it still only accept 2 con-current user to login. What am I missing?

The procedure for install the "Remote Desktop Service" that only "Remote Desktop Licensing", the other "Remote Desktop Connection Broker", "Remote Desktop Gateway", Remote Desktop Session Host", "Remote Desktop Virtualization Host", & "Remote Desktop Web Access" haven't installed. Does need install it? Thanks Help.

↧

Ts Sever 2008

September 15, 2014, 10:53 am

≫ Next: Dropping Remote connection due to second monitor?

≪ Previous: Window Server 2012 Remote Desktop CALs and Setup Questions

Boa tarde

Tenho um servidor com Windows server 2008 32bit e uma máquina cliente windows 7 32bit, onde nessa máquina cliente está instalado uma impressora EPSON LX350, quando efetuo a conexão remota o easy printer cria a impressora no Server, até aí tudo tranquilo, mas quando faço uma impressão de pagina de teste do servidor a impressão saí toda borrada, façõ a mesma impressão direto da máquina cliente onde está instalada a impressora e saí perfeita a impressão. Como posso consertar?

↧

Dropping Remote connection due to second monitor?

September 15, 2014, 1:18 pm

≫ Next: RDS and SID error with two-way trust

≪ Previous: Ts Sever 2008

I have discovered that while working on my desktop, while having a connection open to my server 2012, I keep dropping the connection. What I've discovered is that as long as i work on the primary monitor on my desktop, and then open the remote connection to work on the server, the connection stays alive. When I work on the secondary monitor, for as little as a few minutes, and go back to the primary monitor and expand the server window, the connection has timed out and it reconnects on 1 of 20 try's.

I am wired into the modem/router, and this does not drop the connection with my other office's connection to the server 2012, but they do not use multiple monitors on their desktop.

Any suggestions?

↧

RDS and SID error with two-way trust

December 6, 2012, 7:28 am

≫ Next: Windows 8 can not connect RemoteApp on W2K12 RDS, but Windows 7 can connect. Why?

≪ Previous: Dropping Remote connection due to second monitor?

Hey there.. weird one here.. I am testing RemoteApps with Server 2012. All is fine except for when I try and grant access to user in another forest where we have a two-way\forest transitive trust. The error is below.. What is interesting is the trust works fine otherwise. For example, if I try and add a user to the local admin group on the server it works great.. I can even authenticate via RDweb portal from a user in the trusted domain.. any ideas?

↧

Windows 8 can not connect RemoteApp on W2K12 RDS, but Windows 7 can connect. Why?

September 10, 2014, 5:33 am

≫ Next: Embedded RDP to my html page

≪ Previous: RDS and SID error with two-way trust

Hi!

Windows 8 can not connect RemoteApp (W2K12 RDS), but Windows 7 can connect. Why?

External and internal DNS name is different, the public Cert is mapped to RD Web Access and a RD GateWay Role.
The internal cert (issued by enterprise ca) is mapped to RD Connection Broker roles (SSO and Publishing).
These certifications also be installed on client computers (Personal and Trusted Root Certification Authorities).
The internal CA revocation list is publicated to a website and this web site is accessible from internet. Ports (3389,3391,443) forwarded to RDS server.

On windows 7 everything works fine, but Windows 8 can not connect to Remote Apps. Windows 8 can connect to RDS server via Remote Desktop Connection.

The error:

Win8AppVError

Thank you for your answers.

↧

Embedded RDP to my html page

September 15, 2014, 9:21 pm

≫ Next: 2012 R2 RDP Bug... will it ever be fixed?

≪ Previous: Windows 8 can not connect RemoteApp on W2K12 RDS, but Windows 7 can connect. Why?

Hello All,

I am trying to create a 'quick link' html page for my support team, in which I planned to include internal links as well as an embedded RDP client on the HTML page itself. I used the Microsoft provided code for the facility. However, if I enter the server address and click the connect button, nothing happens.

Would be thankful if someone could provide a fully functional code for this facility. Thanks!

↧

2012 R2 RDP Bug... will it ever be fixed?

September 9, 2014, 6:15 am

≫ Next: Terminal server in a workgroup , client computer in a domain

≪ Previous: Embedded RDP to my html page

Hi.

When I try to connect from any of our windows7/8/8.1 clients to our 2012 R2 Terminalserver, I get the same problem as described here http://social.technet.microsoft.com/Forums/windows/en-US/fab6f026-86c2-47e0-b485-2ac40623051f/remote-desktop-denies-login?forum=w8itprosecurity Error: "The system administrator has limited the computers you can log on with"

---

Problem environment:

Server 2012 R2 "with update", also updated.

the account used for rdp logon may NOT logon locally to the workstation he is trying to connect from. So the problem only arises when a user uses a different user account for RDP logon to a 2012 /2012R2 server.

---

This is definitely a bug. Will it ever be fixed? It has been there since server 2012 came out! This is serious as it has various implications. For example we have customers using our terminal server via VPN. We don't even know their computer names, so we cannot possibly grant them logon privileges to those machines' names. Only workaround is to allow those users which they use for connecting to logon to all machines in the domain which is a no-go security wise (although it is the default!).

Is the problem clear to you? I know it is hard to understand.

↧

Terminal server in a workgroup , client computer in a domain

September 14, 2014, 5:32 am

≫ Next: Remote Desktop Gateway, can't connect from RDP 8.0 (Server 2012)

≪ Previous: 2012 R2 RDP Bug... will it ever be fixed?

Hi Everyone !

I have a 2008 r2 Server on a workgroup , and needed it to be a terminal server and cant add it to a domain for applicaiton reasons, the client computer that have to connect to the terminal are in my domain so as i have installed rds cals per device and as i have read it should work when i connect with local server credentials , but it does'nt . (also have some per user cals for any case) , any ideas ?

↧

Remote Desktop Gateway, can't connect from RDP 8.0 (Server 2012)

February 10, 2013, 8:38 pm

≫ Next: How to uninstall RDS user cals from RD licensing manager?

≪ Previous: Terminal server in a workgroup , client computer in a domain

I'm racking my brain, I've done this before but I'm doing this in another lab environment . Non-Domain computers (Outside) trying to RDP in via the Gateway (Domain-Internal is working). Certs aren't an issue as they're installed, I've tried it multiple ways, but for now I'm using the self signed generated via the RD Gateway manager. I can go to https://rdgatewayurl/rpc and authenticate and get a blank page (external and internal).

New Domain, 2k8R2 Functional Level, no real GP customization at all, except not requiring NLA and enabling RDP on the internal "servers" in a specific OU. My Account has Admin privileges on all the servers in question.

Another stupid question: This should also work with just the RD Gateway role installed, right? I've tried it both ways with no luck.

RD Gateway is logging Event 4625 in the Security Log. I feel like this should be obvious but my brain is fried.

An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: myadminaccount@somedomain.com
Account Domain:

Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000035B
Sub Status: 0x0

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: EXTCOMP
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process:
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

↧

How to uninstall RDS user cals from RD licensing manager?

September 12, 2014, 5:19 am

≫ Next: Terminal Server profiles path between Server 2008

≪ Previous: Remote Desktop Gateway, can't connect from RDP 8.0 (Server 2012)

I have installed to many RDS user cals on our RD licens manager by accident.

How do I reduce/remove the number of licenses in the RD licensing manager, Win server 2008 R2?

Regards SL

↧

Terminal Server profiles path between Server 2008

September 16, 2014, 6:18 am

≫ Next: Everyday around 3 to 4 PM all RDP sessions (around 50) getting disconnected

≪ Previous: How to uninstall RDS user cals from RD licensing manager?

My existing Citrix farm has published desktops on Server 2008 x86 SP1, and the new farm I'm building is based on Server 2008 R2 x64. I can't get the x64 servers to use the same path as the x86 servers, despite having the same GPO's.

Both have the same GPO linked: under Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Session Host/Profiles, the path is set to \\server\share\%username%.

When a user who doesn't have a profile logs in to a Server 2008 x86 server, after they log out their profile is uploaded to the share as \\server\share\username.V2. When a user logs into Server 2008 R2, it doesn't pull their username.V2 profile and instead creates a new one as \\server\share\username\username.domain.V2.

Please help me get the x64 R2 servers to use the existing TS profiles.

↧

Everyday around 3 to 4 PM all RDP sessions (around 50) getting disconnected

September 16, 2014, 7:36 am

≫ Next: Uninstall keyboard layout from user profile

≪ Previous: Terminal Server profiles path between Server 2008

Hi,

We have a Windows 2008 R2 Terminal Server (workgroup) with SQL Server and C# application installed on the same terminal server.

Around 50 users access this terminal server. Since 15 days, everyday between 3PM to 4 PM, all the 50 user sessions gets dicsonnected at the same time and without anything done on the server, users can RDP again and work without any problems.

Verified event logs, terminal server logs, network, firewall, router etc. everything is working fine.

Only thing observed is, when RDP sessions gets disconnected, we see PING time out.

Any help to address this issue is appreciated.

Raghuveer.

↧

Uninstall keyboard layout from user profile

September 16, 2014, 8:46 am

≫ Next: VDI Deployment - Server 2012 R2

≪ Previous: Everyday around 3 to 4 PM all RDP sessions (around 50) getting disconnected

Hello All,

On a Windows Server 2008 R2 system running as a Remote Desktop Session Host (with Dell/Quest vWorkspace) I have an issue where somehow people have had the Chinese PRC language automatically selected. These people are not people that would even have that language installed on their local systems - so the IgnoreRemoteKeyboardLayout registry setting would not be of much use (I have applied it either way).

The system at one time had a need for some people to have the ability to select that language within the language bar; however, now that is no longer the case. I do not have the keyboard set to launch automatically for individual users. How can I get rid of that language as one of the keyboards available to them?

Thanks

↧