Cannot login via RDC to Windows Server 2008 R2 x64 with Domain Admin accounts
I lack the GPO experience which might help me solve this problem, so please bear with me as I walk through my issue. We had a former Windows Server 2003 R2 x86 PDC in place which was having issues. While the domain admin account could log in via RDC, accounts which were added later could not. I checked the Allow Logon Locally and Allow Logon Through Remote Desktop Services local policy objects and they have a truncated list of users assigned, and I was unable to edit it. We installed the 2008 R2 x64 DC, promoted it, and demoted the old server in preparation to bring it up as a 2008 R2 DC as well. In retrospect, this was likely not a smart move because it simply replicated the faulty GPO issues, and now no domain admins can log in via RDC. While it's not a critical issue in that we can still log in via the console, it is hampering certain aspects of system management.

One very odd aspect of this issue is that I am able to log in to all other servers in our domain with the domain admin accounts. I can log in to the Exchange server, the Terminal Server, our SharePoint server, and our various storage and application servers. This issue only resides on the DC (formerly DCs). Very strange. The error we get when attempting to log in is as follows:

    To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Administrators group have this right. If you are not a member of the Administrators group or another group that has this right, or if the Administrators group does not have this right, you must be granted this right manually.

So, I decided to sit down and work through the issue to see where the fault lay. I've gotten about as far as I can get when it comes to the Group Policy Object manager in 2008. It states that the local policy is subordinate to the domain GPO, and it has errors which tell me to look at the winlogon.log file in %WINDIR%\security\logs.
Here's what I get, and I'm not sure where to go from here:

    Process GP template gpt00000.dom.
    This is not the last GPO.
    -------------------------------------------
    Tuesday, January 26, 2010 11:28:07 AM
    Copy undo values to the merged policy.
    ----Un-initialize configuration engine...
    Process GP template gpt00001.inf.
    This is the last GPO : domain policy is ignored on DC.
    -------------------------------------------
    Tuesday, January 26, 2010 11:28:09 AM
    ----Un-initialize configuration engine...
    -------------------------------------------
    Tuesday, January 26, 2010 11:28:09 AM
    ----Configuration engine was initialized successfully.----
    ----Reading Configuration Template info...
    ----Configure User Rights...
    Configure S-1-5-20.
    remove SeChangeNotifyPrivilege.
    Error 50: The request is not supported.
    Configuring some user rights for this account is not supported. Re-attempting configuration by ignoring unsupported operation errors.
    remove SeChangeNotifyPrivilege.
    Configuring SeChangeNotifyPrivilege for this account is not supported.
    Configure S-1-5-19.
    remove SeChangeNotifyPrivilege.
    Error 50: The request is not supported.
    Configuring some user rights for this account is not supported. Re-attempting configuration by ignoring unsupported operation errors.
    remove SeChangeNotifyPrivilege.
    Configuring SeChangeNotifyPrivilege for this account is not supported.
    Configure S-1-5-21-536183437-266220080-3287936078-1141.
    Configure S-1-5-32-549.
    Configure S-1-5-32-551.
    Configure S-1-5-32-544.
    Configure S-1-5-21-536183437-266220080-3287936078-1142.
    Configure S-1-5-21-536183437-266220080-3287936078-1004.
    Configure S-1-5-21-536183437-266220080-3287936078-1001.
    Configure S-1-5-21-1067990213-3551302916-3756577773-500.
    Configure S-1-5-21-536183437-266220080-3287936078-1140.
    Configure S-1-5-32-554.
    Configure S-1-5-11.
    Configure S-1-5-21-536183437-266220080-3287936078-1003.
    Configure S-1-1-0.
    Configure S-1-5-21-536183437-266220080-3287936078-1610.
    Configure S-1-5-21-536183437-266220080-3287936078-1005.
    Configure S-1-5-21-536183437-266220080-3287936078-1132.
    Configure S-1-5-21-536183437-266220080-3287936078-1006.
    Configure S-1-5-32-555.
    Configure S-1-5-32-550.
    Configure S-1-5-21-536183437-266220080-3287936078-500.
    Configure S-1-5-32-548.
    Configure S-1-5-21-536183437-266220080-3287936078-1609.
    Configure S-1-5-9.
    Configure domain admin.
    Error 1332: No mapping between account names and security IDs was done.
    Cannot find domain admin.
    Configure S-1-5-21-536183437-266220080-3287936078-1125.
    Configure S-1-5-21-536183437-266220080-3287936078-1119.
    User Rights configuration was completed with one or more errors.
    ----Configure Security Policy...
    Configure password information.
    Configure account force logoff information.
    System Access configuration was completed successfully.
    Configure machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
    Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
    Configure machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
    Configure machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal.
    Configure machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity.
    Configuration of Registry Values was completed successfully.
    Audit/Log configuration was completed successfully.
    Kerberos Policy configuration was completed successfully.
    ----Configure available attachment engines...
    Configuration of attachment engines was completed successfully.
    ----Un-initialize configuration engine...
    **************************
    Error 0 to send control flag 1 over to server.
    Make a local copy of \\virtualit.local\sysvol\virtualit.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
    GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
    Make a local copy of \\virtualit.local\sysvol\virtualit.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
    GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
    ------------------------------------------------------------------

Any thoughts on this problem? I'd very much like to go back to being able to remote into these systems. Thanks!

Tyler * Tyler Regas | MSP Administrator | General Nerd * MSPBoards.com | http://www.mspboards.com * Servicing The Managed Service Provider Community
January 27th, 2010 3:48am

Hi,

According to the output of the winlogon.log, it seems the User Rights Assignment policies are not configured correctly:

    Configure domain admin.
    Error 1332: No mapping between account names and security IDs was done.
    Cannot find domain admin.

As you mentioned that only domain controllers encounter the issue, I think the cause is that you tried to grant the domain admins the Allow log on through Terminal Services right by configuring a GPO applied to domain controllers, but you typed an incorrect name of the group. Assuming that you configured the policy in Default Domain Controllers Policy, please refer to the following steps to correct the setting:

1. Open Group Policy Management (gpmc.msc) on a domain controller.
2. In the Group Policy Management console, expand to Domains\<your DomainName>\Domain Controllers, right-click Default Domain Controllers Policy and then click Edit.
3. In the Group Policy Management Editor console, expand to Computer Configuration\Policies\Windows Settings\Local Policies\User Rights Assignment, and double-click the policy Allow log on through Terminal Services in the right pane.
4. Remove the entry "domain admin" from the list, then click Add User or Group, click Browse, type Domain Admins in the box, click Check Names, and then click OK three times to apply the change.
5. On the domain controllers, run gpupdate /force to apply the policy and check if you can log on to the domain controller with domain admins via RDP.

If the issue persists, please run gpresult /H GPReport.html on the domain controller and upload the html file to the following space for research:
https://sftasia.one.microsoft.com/ChooseTransfer.aspx?key=3f8c2318-7e7a-4d15-9047-74f39cb8ef77
Password: ^SYE)g^$5b_^O

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
January 28th, 2010 4:54am
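The winlogon.log excerpt in the question and the fix in the reply above both come down to one thing: what is stored for SeRemoteInteractiveLogonRight (the "Allow log on through Remote Desktop Services" right) in the Default Domain Controllers Policy template, and whether every entry in it can be mapped to a SID. The script below is an added example written for this page; it is not code from the thread or from Microsoft. It parses the [Privilege Rights] section of a security template, resolves each entry, and flags the ones that would produce "Error 1332: No mapping between account names and security IDs was done". The sample template is constructed to mirror the thread's symptom; the SYSVOL path is built from $env:USERDNSDOMAIN (an assumption about the session), and the GPO GUID {6AC1786C-016F-11D2-945F-00C04fB984F9} is the Default Domain Controllers Policy ID that appears in the posted log. Run it in an elevated PowerShell on a DC.

```powershell
# Added example (not from the thread): audit SeRemoteInteractiveLogonRight in a
# security template and flag entries that cannot be mapped to a SID. Those are the
# entries secedit reports as "Error 1332" in %WINDIR%\security\logs\winlogon.log.

function Get-PrivilegeRightEntries {
    # Pull one right's entries out of the [Privilege Rights] section of an
    # INF-style template (GptTmpl.inf from SYSVOL, or a 'secedit /export' file).
    param(
        [Parameter(Mandatory = $true)] [string[]] $TemplateLines,
        [string] $Right = 'SeRemoteInteractiveLogonRight'
    )
    $inSection = $false
    foreach ($line in $TemplateLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match ('^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$')) {
            # Comma separated. SIDs carry a leading '*'; a bare name (like "domain admin")
            # means the entry was never resolved to a SID when the GPO was saved.
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return @()   # right is "Not Defined" in this template
}

function Resolve-RightEntry {
    # Map one template entry to (name, SID). Unmappable entries are dropped by
    # secedit, so whoever they were meant to grant gets nothing.
    param([Parameter(Mandatory = $true)] [string] $Entry)
    try {
        if ($Entry.StartsWith('*')) {
            $sid  = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $Entry.Substring(1)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } else {
            $name = $Entry
            $acct = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Entry
            $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
        }
        New-Object PSObject -Property @{ Entry = $Entry; Name = $name; Sid = $sid.Value; Resolves = $true }
    } catch {
        New-Object PSObject -Property @{ Entry = $Entry; Name = $null; Sid = $null; Resolves = $false }
    }
}

function Show-RightReport {
    param([string] $Source, [string[]] $Entries)
    "`n== $Source =="
    if (-not $Entries) { "  SeRemoteInteractiveLogonRight is Not Defined here"; return }
    $Entries | ForEach-Object { Resolve-RightEntry $_ } |
        Format-Table -Property Entry, Name, Sid, Resolves -AutoSize
}

# --- 1. Constructed sample modelled on the thread: BUILTIN\Administrators, a bare
#        unresolved name, a domain SID that may be stale, and no Domain Admins. ---
$sampleText = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,domain admin,*S-1-5-21-536183437-266220080-3287936078-1141
SeInteractiveLogonRight = *S-1-5-32-544
'@
$sample = $sampleText -split "`r?`n"
Show-RightReport -Source 'Constructed sample template' -Entries (Get-PrivilegeRightEntries $sample)

# --- 2. What this DC actually enforces right now (local effective policy). ---
$export = Join-Path $env:TEMP 'userrights-export.inf'
& secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
$localEntries = Get-PrivilegeRightEntries (Get-Content $export)
Show-RightReport -Source 'Effective local policy (secedit /export)' -Entries $localEntries

# --- 3. The template the Default Domain Controllers Policy pushes to every DC.
#        The domain DNS name is taken from the logon session (assumption). ---
$dns = $env:USERDNSDOMAIN
$gpt = "\\$dns\SYSVOL\$dns\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
if (Test-Path $gpt) {
    Show-RightReport -Source 'Default Domain Controllers Policy GptTmpl.inf' -Entries (Get-PrivilegeRightEntries (Get-Content $gpt))
} else {
    "Could not read $gpt"
}

# --- 4. Is Domain Admins (RID 512 of the domain SID) actually in the effective right? ---
$daAcct       = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "$env:USERDOMAIN\Domain Admins"
$domainAdmins = $daAcct.Translate([System.Security.Principal.SecurityIdentifier]).Value
if ($localEntries -contains "*$domainAdmins") {
    "Domain Admins ($domainAdmins) holds the right on this DC."
} else {
    "Domain Admins ($domainAdmins) is NOT in the effective right: fix it in the Default Domain Controllers Policy, then run gpupdate /force."
}
```

Two things worth knowing when reading the output. First, on a DC the Local Security Policy console is not where the right is decided: the Default Domain Controllers Policy overwrites it on every refresh, which is why the local list looked frozen in the question. Second, an entry that does not resolve is simply skipped, so a typo such as "domain admin" does not just fail to add one group; it leaves the right holding only whatever else was already in the list, and anyone not in that list gets the "you must be granted the Allow log on through Terminal Services right" error at the RDP prompt.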

Hi,

How's everything going? We've not heard back from you in a few days and wanted to check if the suggestion has helped. If you need any further assistance, please do not hesitate to respond back.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
February 2nd, 2010 10:20am

Joson, apologies for the delayed response. We have lots of things to take care of around here :) I believe I have uploaded the file as requested. The policy was not defined, but I defined it anyway and forced a GP update. That did not change anything. I hope that something can be determined from the GPResult.html file. Thanks!

Tyler * Tyler Regas | MSP Administrator | General Nerd * MSPBoards.com | http://www.mspboards.com * Servicing The Managed Service Provider Community
February 3rd, 2010 12:42am

Hi,

According to the gpresult, the following users/groups should be able to log on to the DC via RDP:

· Cwa***
· VIR***\Administrator
· VIR***\ang**
· VIR***\CWA****
· VIR***\jma****

Please confirm if Domain Admins is included in the list above. Meanwhile, please help check if you can log on to this DC remotely with VIR***\Administrator. Thanks. I look forward to your response.

This posting is provided "AS IS" with no warranties, and confers no rights.
February 3rd, 2010 5:48am

Joson, I'm glad you received the file. I had a feeling you might not have, based on some odd behavior from the tool. That aside, this is the information which I have on my end, as well. The list you so kindly obfuscated is incorrect, and I've been aware of this for a while, but have been unable to modify it. I'm pretty sure this is the source of our issues. For a long time the primary Administrator account was, indeed, able to log in, but recently cannot according to the guy who uses that account. I have never been able to log in using my domain admin account, as it has never appeared in this list. The JMA account is no longer in use, and it was demoted to basic user and domain user status. I reset its password and tried logging into the PDC, and it failed. I added that account to the Domain Admins group, and it logged in perfectly. Apparently the issue lies in why this object cannot be updated and why it doesn't contain the Domain Admins group. I hope that additional information helps :) Thanks for your help!!

Tyler * Tyler Regas | MSP Administrator | General Nerd * MSPBoards.com | http://www.mspboards.com * Servicing The Managed Service Provider Community
February 3rd, 2010 8:39pm

Hi,

To ensure that I understand the issue correctly, I would like to confirm the following information: How many domain controllers are there in the domain? Two? Are all domain controllers running Windows Server 2008 R2 now? Do all domain controllers in the domain encounter this issue?

>> The list you so kindly obfuscated is incorrect, and I've been aware of this for a while, but have been unable to modify.

Do you mean that you cannot configure the "Allow log on through Remote Desktop Services" policy in Default Domain Controllers Policy? According to your previous reply ("The policy was not defined, but I defined it anyway and forced a GP update") and the gpreport.html file, which shows that the policy is configured in Default Domain Controllers Policy, I think you are able to configure the policy in the GPO. If there is anything I have misunderstood, please correct me. If you are talking about the Local Security Policy, then it is normal that you cannot change the policy in the Local Security Policy console, because the Local Security Policy is overwritten by the domain policy.

>> For a long time the primary Administrator account was, indeed, able to login, but recently cannot according to the guy who uses that account.

Do you mean the account VIR***\Administrator listed in the "Allow log on through Remote Desktop Services" policy? If so, please open the Remote Desktop Session Host Configuration console (tsconfig.msc) on the DC, right-click RDP-Tcp in the middle pane, click Properties, select the Security tab, and then confirm whether the VIR***\Administrators group has User Access and Guest Access permission.

>> I have never been able to login using my domain admin account, as it has never appeared in this list.

Can you configure the "Allow log on through Remote Desktop Services" policy in Default Domain Controllers Policy and add the domain admin account to the list?

>> The JMA account is no longer in use, and it was demoted to basic user and domain user status. I reset its password and tried logging into PDC, and it failed. I added that account to the Domain Admins group, and it logged in perfectly. Apparently the issues lies in why this object cannot be updated and why it doesn't contain the Domain Admins group.

When you say "logged in" here, do you mean log on through Remote Desktop Services (RDP)? Or log on locally? What does "this object" stand for? Is it the "Allow log on through Remote Desktop Services" policy?

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
February 4th, 2010 5:34am

I'm not sure what happened, and that makes me nervous, but I've managed to repair the issue. As I was reading through your questions and checking on items, I went back to the Default Domain Controllers Policy to check what was in the Allow log on through Remote Desktop Services policy object, and this time it was editable. Again, I'm not sure what changed, but I removed the accounts which were not supposed to be there anymore and added the Domain Admins group. I then tried to log in via RDP and it worked. My account had never worked remotely accessing any DC. I always had to log in at the console. Now it works :) Thanks for working through this with me, Joson! I have little doubt at all that something in your instructions was the key to the solution. :)

Tyler * Tyler Regas | MSP Administrator | General Nerd * MSPBoards.com | http://www.mspboards.com * Servicing The Managed Service Provider Community
February 4th, 2010 7:24pm

Hi,

Glad to hear that you have resolved the issue. If you need further assistance in the future, please do not hesitate to post in our forums.

Have a nice day.

This posting is provided "AS IS" with no warranties, and confers no rights.
February 5th, 2010 9:11am

Much appreciated! The only thing I regret in all of this, and this seems to be common with MS systems and software, is that there is no clear fix here. There are processes, sure, and I followed them, but there wasn't one single thing which literally fixed it. Something happened and there was no indication that it did. It's too bad. If someone else has this problem, they won't have a clear-cut path to the solution. I hope that whatever it was doesn't happen to someone else :)

Tyler * Tyler Regas | MSP Administrator | General Nerd * MSPBoards.com | http://www.mspboards.com * Servicing The Managed Service Provider Community
February 5th, 2010 10:19pm

Well, I am fighting the same thing. I go to right-click to select Edit, and it is not available.
February 11th, 2010 7:22am

This topic is archived. No further replies will be accepted.
