Why can’t I RDP to a new Domain Controller with an account in Domain Admins group

rdp, windows-server-2008-r2

I just set up a Windows Server 2008 R2 domain controller. Since the reboot of the domain controller I have been unable to RDP to the domain controller with my Admin account. I get this message:

To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, you must be granted this right manually.

  • The account is a member of Domain Admins, which is a member of Remote Desktop Users.
  • I made the account directly a member of Remote Desktop Users on the Domain Controller itself, and still couldn't login getting the same message.
  • I am able to login locally to the Domain Controller using the same account.
  • RSOP run on the Domain Controller shows that Allow log on through Remote Desktop Services right is assigned to Remote Desktop Services
  • RSOP shows that the Deny log on through Remote Desktop Services right is Not Defined.

What am I missing here? The same account can log in to other Windows Server 2008 R2 Domain Controllers fine.

Update: found this technet article which discusses various error messages to do with login and why they appear. Looking at the settings for RDP-Listener I see that there is a local group called Remote Desktop Users on the server, but the domain group is not listed. A local Administrators group still exists too. On other Domain Controllers the Domain version of the group is listed.

Best Answer

If you have access to local user accounts and groups then the machine is not a domain controller. Try removing the Active Directory role and add it back.

However, nothing worries me more than a DC that had problems during setup. I highly recommend running dcpromo to remove this server from AD, then wiping the VM and starting over from scratch. And definitely DO NOT sysprep a copy of another DC to start a new DC from.
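The following PowerShell script is an added diagnostic example, not code from the question or the answer; it checks in one pass the three things discussed above: whether the box really holds the domain controller role (the answer's "is it actually a DC" test), who effectively holds the Allow and Deny "log on through Remote Desktop Services" rights after policy has applied, and which accounts are granted on the RDP listener (the setting the question's update inspects). It assumes an elevated PowerShell session on the affected server and the default listener name `RDP-Tcp`; both are assumptions.

```powershell
# Added diagnostic example (not from the original question or answer).
# Assumptions: run elevated on the server being examined; the RDP listener is
# the default 'RDP-Tcp'.

# --- 1. Role check. Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
#        Anything lower means the machine is a member server and still has a local SAM,
#        which is the situation the answer describes.
$cs = Get-WmiObject -Class Win32_ComputerSystem
$isDC = $cs.DomainRole -ge 4
Write-Output ("Host {0}: DomainRole={1}, DomainController={2}" -f $cs.Name, $cs.DomainRole, $isDC)

# --- 2. Effective user-rights assignment as applied to the local security database.
$inf = Join-Path $env:TEMP 'userrights-export.inf'
& secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Resolve-Sid($token) {
    # secedit writes holders as *S-1-5-...; translate to DOMAIN\Name, or keep the
    # raw SID if it cannot be resolved (orphaned or foreign SID).
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($token.TrimStart('*'))
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $token }
}

foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $match = Select-String -Path $inf -Pattern "^$right\s*=" | Select-Object -First 1
    if ($match) {
        $holders = ($match.Line -split '=')[1].Trim() -split ',' | ForEach-Object { Resolve-Sid $_.Trim() }
        Write-Output ("{0}: {1}" -f $right, ($holders -join ', '))
    } else {
        # An absent Allow entry means nobody holds the right, which alone produces
        # the "you must be granted the Allow log on through Terminal Services right" error.
        Write-Output ("{0}: not defined" -f $right)
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# --- 3. Accounts granted or denied on the RDP listener itself. Compare the names
#        here with the domain vs. local 'Remote Desktop Users' group the update noticed.
Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSAccount `
    -Filter "TerminalName='RDP-Tcp'" |
    Select-Object AccountName, PermissionsAllowed, PermissionsDenied |
    Format-Table -AutoSize

# --- 4. Groups actually present in the current token. Run this part as the affected
#        user to confirm the nested Domain Admins -> Remote Desktop Users membership
#        really reaches the token.
whoami /groups /fo list | Select-String 'Remote Desktop Users|Domain Admins|Administrators'
```

Read the output together: a DomainRole below 4 combined with a resolvable local `BUILTIN\Remote Desktop Users` entry matches the answer's diagnosis that the promotion never completed, whereas a DomainRole of 4 or 5 with the Allow right listing only a SID that does not resolve points at a group-policy or SID-mapping problem on an otherwise healthy DC.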