We came across this RDS access right / authorization anomaly two days ago.
A user in the AD wanted to open an RDS session in a server (let's call it serverA) which is Windows Server 2012 R2. He got the following message:
"The connection was denied because the user account is not authorized for remote login."
This is normal because his AD account was not a member of "Remote Desktop Users" group in serverA.
I then added his AD account into the group. *Four hours later*, when he tried to open an RDS session again, he still got the same error message!
I have gone through everything, every group, etc but I could not find the reason. Then I took another computer, told him to log in and then told him to open an RDS session from there to the same serverA. This time it worked! And almost immediately
when he tried to open the RDS session again from his
own computer, that worked too!
What the hack is this anomaly? Was there a workaround without having to have another computer to open RDS session first?
I think if he had closed and re-opened Windows session in his own computer, that would have worked too. But of course, he had too many programs running at that time that it was impossible for him to logout & login again.
And I also think this issue is similar to "network shared folder still rejects access" issue:
simply put, it's like this: a user was rejected when he tried to access some network folder without authorization. Then the access was later on granted by domain admin but all his attempts to access the same folder are rejected. He has to reopen his Windows session to get around this.
Are these two issues all related to problem in Kerberos?