Windows – Unable to RDP as a Domain User

Tags: active-directory, remote desktop, remote-access, vpn, windows

I am facing a problem remoting into a machine using a Domain account.

Problem Facts:

  1. The host VMs are hosted by Company A (read Domain A). The VMs have a local administrator as well as Domain 'A' based user accounts who are in "Administrators" on the VMs.
  2. I belong to Company B (Domain B).
  3. I use a VPN provided by Company A to have access to their network.
  4. I was previously able to use mstsc from a computer on Domain B to remote into any of the VMs on Domain A.
  5. Recently Company A migrated their Domain A into Domain Z.
  6. Now I am not able to remote from a computer on Domain B into a VM on Domain Z using my Domain 'Z' user account; however, I am able to log in using the local user account. The error for the domain account is the generic "credentials not valid".
  7. My Domain 'Z' accounts work when I remote-access another VM (say VM1) using my domain account after logging into VM2 as local admin. (VM1 & VM2 are on Domain Z.)
  8. The problems in steps 6 & 7 only SEEM to occur in a domain-based environment (Domain B, where my local machine is located, and Domain C, where another company's user is facing the same issue as me).
  9. When trying from a local machine with Windows freshly installed (no domain, no AV, default OS options) over the Company A provided VPN, everything works fine, i.e. I can remote into the VMs using domain accounts.
  10. Windows 7 Enterprise as Guest. Windows 7, 2008 R2, 8.1 as guest VMs.
  11. On the guest machine, I tried deactivating the firewall, stopping the Forefront security app, and removing the machine from the domain and connecting to the internet directly, but it still was not connecting. (Maybe some group policy is causing the issue and removing the machine from the domain does not deactivate the policy. The surprising factor was that people from Company C were also facing the same issue.)

How can I troubleshoot this issue?

Best Answer

Remote Desktop requires several things to function. You mentioned some, but there are others.

  1. Communications: Port 3389 should be open and available between the client and the server (RDP host). This means traditional firewalls as well as Windows firewall rules.
  2. Policies: Local and GPO policies need to be set to allow remote access. The fact that you can connect with a local account means that access is generally allowed (policies don't care what account you use to connect).
  3. "Allowed" Users: By default, local administrators (and domain users granted local admin rights) are allowed to connect via RDP. However, you can add other non-admin users as well.

Based on your description, I would guess that #3 is the culprit. Your new Domain Z account lacks the "Logon Remotely" right. This can be assigned via GPO or local policy. See here for more information.
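As an added example (not part of the question or the answer above), a PowerShell script that checks the three requirements the answer lists from the RDP host's side: TCP 3389 reachability, whether Remote Desktop is enabled at all, and who holds or is denied the "Allow log on through Remote Desktop Services" right. The host name and account are placeholders you replace with your own; it avoids cmdlets newer than Windows 7 / 2008 R2 so it runs on the guests described.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell
# on the RDP host (or on the client for the port check).
param(
    [string]$RdpHost = "vm1.domainz.example"   # hypothetical host name, replace
)

# 1. Communications: can TCP 3389 be reached? Uses a raw TcpClient so it also
#    works on Windows 7, which lacks Test-NetConnection.
function Test-RdpPort {
    param([string]$ComputerName, [int]$Port = 3389, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
    } catch { $ok = $false }
    finally { $client.Close() }
    return $ok
}

# 2. Policies: fDenyTSConnections = 0 means Remote Desktop is allowed.
function Get-RdpEnabledState {
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
    $deny = (Get-ItemProperty -Path $key -Name fDenyTSConnections).fDenyTSConnections
    return ($deny -eq 0)
}

# 3. Allowed users: export the effective user-rights assignment and read the
#    allow/deny lists for remote interactive logon. Values are SIDs prefixed
#    with '*' (e.g. *S-1-5-32-555 is BUILTIN\Remote Desktop Users).
function Get-RemoteLogonRights {
    $tmp = Join-Path $env:TEMP "secpol-export.inf"
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $tmp
    Remove-Item $tmp -ErrorAction SilentlyContinue
    $allow = ($lines | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' })     -replace '.*=\s*', ''
    $deny  = ($lines | Where-Object { $_ -match '^SeDenyRemoteInteractiveLogonRight' }) -replace '.*=\s*', ''
    return @{ Allow = $allow; Deny = $deny }
}

"Port 3389 reachable on ${RdpHost}: $(Test-RdpPort -ComputerName $RdpHost)"
"Remote Desktop enabled locally:   $(Get-RdpEnabledState)"
$rights = Get-RemoteLogonRights
"Allow log on through RDS: $($rights.Allow)"
"Deny  log on through RDS: $($rights.Deny)"
"Members of the local 'Remote Desktop Users' group:"
net localgroup "Remote Desktop Users"
```

If the new Domain Z account (or a group it belongs to) appears neither in the Allow list nor in the local Administrators or Remote Desktop Users groups, or appears in the Deny list, that matches the #3 diagnosis in the answer.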