When I try to RDP into a Server 2008 Terminal Server, I get a message that says "Access Denied" and an OK button. I setup the licensing mode correctly (per user) and also have setup to allow all remote connections. I get the following in the security event log:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 28/06/2012 12:01:16
Event ID: 4656
Task Category: File System
Level: Information
Keywords: Audit Failure
User: N/A
Computer: FQDN COMPUTER
Description:
A handle to an object was requested.
Subject:
Security ID: DOMAIN\ACCOUNT
Account Name: ACCOUNT
Account Domain: DOMAIN
Logon ID: 0xbbe3f
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\ServerManager.msc
Handle ID: 0x0
Process Information:
Process ID: 0x60c
Process Name: C:\Windows\System32\mmc.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes
Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA)
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA)
WriteData (or AddFile): Not granted
AppendData (or AddSubdirectory or CreatePipeInstance): Not granted
WriteEA: Not granted
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1301bf;;;BA)
WriteAttributes: Not granted
Access Mask: 0x120196
Privileges Used for Access Check: -
Restricted SID Count: 0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4656</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-06-28T15:01:16.975080700Z" />
<EventRecordID>1535565</EventRecordID>
<Correlation />
<Execution ProcessID="540" ThreadID="556" />
<Channel>Security</Channel>
<Computer>FQDN COMPUTER/Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-205301047-3902605089-2438454170-21511219</Data>
<Data Name="SubjectUserName">ACCOUNT</Data>
<Data Name="SubjectDomainName">DOMAIN</Data>
<Data Name="SubjectLogonId">0xbbe3f</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Windows\System32\ServerManager.msc</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%1538
%%1541
%%4417
%%4418
%%4420
%%4423
%%4424
</Data>
<Data Name="AccessReason">%%1538: %%1801 D:(A;;0x1200a9;;;BA)
%%1541: %%1801 D:(A;;0x1200a9;;;BA)
%%4417: %%1805
%%4418: %%1805
%%4420: %%1805
%%4423: %%1811 D:(A;;0x1301bf;;;BA)
%%4424: %%1805
</Data>
<Data Name="AccessMask">0x120196</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="RestrictedSidCount">0</Data>
<Data Name="ProcessId">0x60c</Data>
<Data Name="ProcessName">C:\Windows\System32\mmc.exe</Data>
</EventData>
</Event>
Any ideas?
Best Answer
Looks like it is trying to open server manager when you first login, but the user doesn't have permission to do so.
Is the user logging in a local administrator on the server?
In server manager, click "Do not show me this console at logon" on the first screen.