Hi there,My company currently running on Windows 2003 domain. Recently I set up a Windows 2008 server and enabled remote desktop before I joined it to the domain and the RDP worked fine. Once I joined the server to current domain, everytime I tried to RDP to it using domain admin account, it will say "Access Denied". This keeps happening even I quit the domain. The following is the security event log, please help. Many many many thanksLog Name: SecuritySource: Microsoft-Windows-Security-AuditingDate: 8/02/2010 12:21:26 PMEvent ID: 4634Task Category: LogoffLevel: InformationKeywords: Audit SuccessUser: N/AComputer: servername.domainDescription:An account was logged off. Subject: Security ID: domain\admin Account Name: admin Account Domain: domain Logon ID: 0x3390617 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> <EventID>4634</EventID> <Version>0</Version> <Level>0</Level> <Task>12545</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2010-02-08T01:21:26.968Z" /> <EventRecordID>22928</EventRecordID> <Correlation /> <Execution ProcessID="656" ThreadID="2944" /> <Channel>Security</Channel> <Computer>servername.domain</Computer> <Security /> </System> <EventData> <Data Name="TargetUserSid">S-1-5-21-1229971350-4004265806-3589855178-1107</Data> <Data Name="TargetUserName">admin</Data> <Data Name="TargetDomainName">domain</Data> <Data Name="TargetLogonId">0x3390617</Data> <Data Name="LogonType">3</Data> </EventData></Event>

Make sure terminal server service is running.You might also try;PortQryUI - User Interface for the PortQry Command Line Port Scannerhttp://www.microsoft.com/downloads/details.aspx?familyid=8355E537-1EA6-4569-AABB-F248F4BD91D0&displaylang=enPort Reporter (PortRptr.exe)http://www.microsoft.com/downloads/details.aspx?familyid=69BA779B-BAE9-4243-B9D6-63E62B4BCD2E&displaylang=enAlso;Try connecting via IP address to rule out DNS issue.Can you start the client RDP on the server and connect to itself?Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows]

Make sure terminal server service is running.You might also try;PortQryUI - User Interface for the PortQry Command Line Port Scannerhttp://www.microsoft.com/downloads/details.aspx?familyid=8355E537-1EA6-4569-AABB-F248F4BD91D0&displaylang=enPort Reporter (PortRptr.exe)http://www.microsoft.com/downloads/details.aspx?familyid=69BA779B-BAE9-4243-B9D6-63E62B4BCD2E&displaylang=enAlso;Try connecting via IP address to rule out DNS issue.Can you start the client RDP on the server and connect to itself? Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows] Tried IP address, Access is DeniedTried client RDP on the server and connect to itself, Access is DeniedIs it because something wrong with the old 2003 DC?

Check security policyControl Panel|Admin Tools|Local Security Policy|Security Settings|Local Policies|User Rights Assignment|Allow Log on through Remote Desktop Services(also check Deny Log on through Remote Desktop Services)Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows]

Check security policyControl Panel|Admin Tools|Local Security Policy|Security Settings|Local Policies|User Rights Assignment|Allow Log on through Remote Desktop Services(also check Deny Log on through Remote Desktop Services) Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows] Sorry, didn't work....

What does this mean? What did you find?Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows]

What does this mean? What did you find? Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows] Allow Log on through Remote Desktop Services has remote desktop user group in it and I added my account manually as well, nothing in Deny option, then I tried RDP again, still Access is DeniedSorry for my English...

Should also have local administrators group. Also check Access this computer from network policy.Did you restart the server? Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows]

Should also have local administrators group. Did you restart the server? Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows] it has local admin group, tried using local admin account as well, server rebooted several times, no luck

Also check Access this computer from the network policy.Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows]

Is there anything I need to check/change on Winodws 2003?

In regards to what?Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows]

In regards to what? Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows] Since I can RDP to the Windows 2008 server before it joined the domain, but can't afterwards..

Also check Access this computer from the network policy. Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows] Checked, includes Administrators, everyone,.. the setting seems to be fine, still no luck

The checkbox in My Computer properties is checked for Allow connections from computers running any version....., yes?Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows]

The checkbox in My Computer properties is checked for Allow connections from computers running any version....., yes? Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows] Yes, that's the current choice. Just find out my Windows 7 desktops has the same problem, when I tried RDP to a desktop running Winodws 7, Access is Denied happens as well ...

This should have worked out of the box. There's a chance this article may help.How do I restore security settings to the default settings?http://support.microsoft.com/kb/313222Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows]

This should have worked out of the box. There's a chance this article may help.How do I restore security settings to the default settings?http://support.microsoft.com/kb/313222 Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows] Tried, yet still no luck.I tried another thing, I created a seperate OU, under it I created a computer account for a new installed Windows 7 computer, blocked group policy inheritance, joined the domain, open RDP, Access is Denied, I'm going nuts now

is the terminal service window launching but when you enter your username and password into the prompt you are getting access denied? or are you not getting the TS window to launch at all? /richhttp://cbfive.com/blog

is the terminal service window launching but when you enter your username and password into the prompt you are getting access denied? or are you not getting the TS window to launch at all? /rich http://cbfive.com/blog The terminal service window launched and I can enter the username and password, after that, it gives me Access is Denied screen, thanks

Dave has had you check all of the same URAs that i would recommend as well. let's try to go straight to the source. launch tsconfig.msc from the 2008 machine. right-click on rdp-tcp and select properties. go to the security settings tab and review the ACL (make sure that there are no deny ACEs - by default, there are none). if there are, remove it, save your changes, close the console, and try RDP again. if there are not any deny ACEs then do me a favor and add your account explicitly and for troubleshooting, grant full control. again, save changes, close the console and try rdp. please respond to each of those individually to let us know if either (or neither) were successful. i have a blog upcoming about the relationship between URA and the RDP-TCP properties but it is a few weeks out yet. hth. /rich http://cbfive.com/blog

Dave has had you check all of the same URAs that i would recommend as well. let's try to go straight to the source. launch tsconfig.msc from the 2008 machine. right-click on rdp-tcp and select properties. go to the security settings tab and review the ACL (make sure that there are no deny ACEs - by default, there are none). if there are, remove it, save your changes, close the console, and try RDP again. if there are not any deny ACEs then do me a favor and add your account explicitly and for troubleshooting, grant full control. again, save changes, close the console and try rdp. please respond to each of those individually to let us know if either (or neither) were successful. i have a blog upcoming about the relationship between URA and the RDP-TCP properties but it is a few weeks out yet. hth. /rich http://cbfive.com/blog There is no deny ACE and I added the user account explicitly and granted full control, still no luck

I guess my problem is same as the one in the following link, don't know whether there is any solution yethttp://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/491cda2e-b015-4e20-bcd8-e749b87d7895

you have autoadminlogon setup on the w2k8 machine?http://cbfive.com/blog

you have autoadminlogon setup on the w2k8 machine? http://cbfive.com/blog If you mean the followingHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogonthe value is 0 for autoadminlogon

I set up a new Windows 2003 domain using VMWare, and joined a Windows 2008 virtual server to the domain, it doesn't have this problem. Anything I need to check on my current DC?

Yes, I've not had this problem with the few I've setup / worked with.Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows]

Any suggestion to what to check on DC? Thx

was that value ever set to '1' to your knowledge? that's the gist of that other post. i just attempted to repro it and was unable.http://cbfive.com/blog

no, never...

okay. i think it'd help if you can collect some logs. unfortunately, some of them are not the kind of logs that you can just post text from (procmon captures). can you run and send a procmon capture on the 2008 machine while attempting to logon from another machine? if so, filter the procmon capture to include registry and file system events. also, can you run gpresult /v on the 2008 server and send that output along as well? after looking at that data, we may want to get a network capture but we don't need that yet. one last question, i think from your posts above that you are but wanted to validate that you are attempting to test the RDP functionality on the 2008 server by connecting from another machine (eg an XP machine), correct? thx /rich http://cbfive.com/blog

Also note I asked OP test RDP client functionalitiy on server itself and this also failed.Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows]

yea, i'm honestly not sure if that should work. i know that in 2003 you could rdp into the same box that you were coming from but in the few tests that i have done, where everything else has worked (that is, rdp from any client os to my 2008 box), rdp to the same box i am coming from has not worked yet. i'll say, i haven't looked at that too hard yet as i didn't think this was an integral part of this issue. if i am misunderstanding that, i apologize and please let me know. if you know why to and from the same box doesn't work in 2008 i'd be interested to know. it'll save me some time from testing / researching it later on. thx. /richhttp://cbfive.com/blog

Sorry I was away for some days. How can I upload the log files?

you can send them to InitialAssist@cbfive.com. thx. /richhttp://cbfive.com/blog