Windows Server 2012 Standard: RDS access denied for domain users

I recently ran into a problem where users can no longer log on to the RDS server. They receive an "Access denied" message.

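If I add them to Domain Admins, they can carry on without any problem. I have already checked Local Security Policy > Local Policies > User Rights Assignments > Allow log on through Remote Desktop Services. It has the appropriate groups assigned. I even added Domain Users to include everyone, but unless a user is a member of the Domain Admins group, they are still denied access.

I checked the event logs, and the only 2 events related to this in the Security log are 2 4634 events, both saying that the account was logged off. One is logon type 3 and the other is logon type 10.

Do you have any ideas about what is causing this?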

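Answer 1

Domain Admins always have the right to log on through Remote Desktop, but other users need to be granted it explicitly. It sounds like your domain users may have been removed from the local permissions group.

Places to check:

  • Make sure the domain users have been added to the "Remote Desktop Users" local security group on the RDS server.
  • Open Remote Desktop Session Host Configuration and check the properties of the RDP-Tcp connection. Make sure nobody has modified the security in this location. The Security tab should still include "Remote Desktop Users" with "User Access" and "Guest Access" allowed.
  • Still in the RDP-Tcp properties dialog, make sure the Security Layer is set to "Negotiate" and the Encryption Level is "Client Compatible", unless you need it set higher.
  • Check GPResult for the following:
    • Allow log on through Remote Desktop Services should be set to Administrators, Remote Desktop Users
    • Deny log on through Remote Desktop Services should be set to Guests, ideally Local account, Guests
    • Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Session Host > Connections > *Allow users to connect remotely by using Remote Desktop Services* should be set to Not configured or Enabled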
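
The checks listed in Answer 1 can be gathered read-only in one pass. The PowerShell below is an added example, not part of the original answer; it assumes an elevated prompt on the RDS session host, and the temporary file name and helper function names are arbitrary choices.

```powershell
# Added example: read-only audit of the settings listed in Answer 1.
# Run in an elevated PowerShell session on the RDS session host.

# 1. Members of the local "Remote Desktop Users" group (ADSI works on Server 2012).
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
"Remote Desktop Users members:"
@($group.psbase.Invoke('Members')) | ForEach-Object {
    "  " + $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}

# 2. Accounts with permissions on the RDP-Tcp listener (the Security tab).
Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSAccount `
    -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy |
    Select-Object AccountName, PermissionsAllowed, PermissionsDenied | Format-Table -AutoSize

# 3. Effective user rights, exported from the local security database.
function Resolve-Entry([string]$entry) {
    # secedit writes SIDs as *S-1-...; plain account names are written as-is.
    if ($entry -match '^\*(S-1-.+)$') {
        $raw = $Matches[1]
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier $raw
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $raw }   # unresolvable SID: show it untranslated
    } else { $entry }
}
$cfg = Join-Path $env:TEMP 'rds-user-rights.inf'   # arbitrary file name
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $line = Get-Content $cfg | Where-Object { $_ -match "^$right\s*=" }
    $who = if ($line) {
        ($line -split '=', 2)[1].Split(',') | ForEach-Object { Resolve-Entry $_.Trim() }
    } else { '(not assigned)' }
    "{0}: {1}" -f $right, ($who -join ', ')
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 4. Policy value and RDP-Tcp listener settings from the registry.
function Get-RegValue([string]$path, [string]$name) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item) { $item.$name } else { '(not set)' }
}
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$tcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
"fDenyTSConnections (policy; 0 = allow, 1 = deny): " + (Get-RegValue $pol 'fDenyTSConnections')
"SecurityLayer (0 = RDP, 1 = Negotiate, 2 = SSL/TLS): " + (Get-RegValue $tcp 'SecurityLayer')
"MinEncryptionLevel (1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS): " + (Get-RegValue $tcp 'MinEncryptionLevel')
```

SeRemoteInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight are the internal names of the "Allow log on through Remote Desktop Services" and "Deny log on through Remote Desktop Services" rights; a deny entry that covers the affected users takes precedence over any allow entry.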

Answer 2

Try what is posted at Access Denied - Remote Desktop

Set the Remote Desktop Services service log on to Network Service

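Answer 3

I spent two days looking for a solution to this problem, but it was not a GPO problem or a certificate problem; it was a network policy problem. I disabled it in the NPAS console and users could access my remote apps. I hope this helps everyone, thanks all.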

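Answer 4

I suggest restarting the Remote Desktop Licensing service on the RDS (if it is already running normally, do not touch anything else; that means your settings are fine) and trying to reconnect. If everything works, I suggest using the following ps1 script to check and reset the counter to your RDL.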

## This Script is intended to be used for Querying remaining time and resetting Terminal Server (RDS) Grace Licensing Period to Default 120 Days.
## Developed by Prakash Kumar ([email protected]) May 28th 2016
## www.adminthing.blogspot.com
## Disclaimer: Please test this script in your test environment before executing on any production server.
## Author will not be responsible for any misuse/damage caused by using it.

Clear-Host
$ErrorActionPreference = "SilentlyContinue"

## Display current Status of remaining days from Grace period.
$GracePeriod = (Invoke-WmiMethod -PATH (gwmi -namespace root\cimv2\terminalservices -class win32_terminalservicesetting).__PATH -name GetGracePeriodDays).daysleft
Write-Host -fore Green ======================================================
Write-Host -fore Green 'Terminal Server (RDS) grace period Days remaining are' : $GracePeriod
Write-Host -fore Green ======================================================  
Write-Host
$Response = Read-Host "Do you want to reset Terminal Server (RDS) Grace period to Default 120 Days ? (Y/N)"

if ($Response -eq "Y") {
## Reset Terminal Services Grace period to 120 Days

$definition = @"
using System;
using System.Runtime.InteropServices; 
namespace Win32Api
{
    public class NtDll
    {
        [DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
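        // The native ULONG parameter is 32 bits wide, so it is declared as uint (ulong misaligns the arguments in a 32-bit host).
        public static extern int RtlAdjustPrivilege(uint Privilege, bool Enable, bool CurrentThread, ref bool Enabled);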
    }
}
"@ 

Add-Type -TypeDefinition $definition -PassThru

$bEnabled = $false

## Enable SeTakeOwnershipPrivilege
$res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$bEnabled)

## Take Ownership on the Key
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
$acl = $key.GetAccessControl()
$acl.SetOwner([System.Security.Principal.NTAccount]"Administrators")
$key.SetAccessControl($acl)

## Assign Full Control permissions to Administrators on the key.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Administrators","FullControl","Allow")
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)

## Finally Delete the key which resets the Grace Period counter to 120 Days.
Remove-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod'

write-host
Write-host -ForegroundColor Red 'Resetting, Please Wait....'
Start-Sleep -Seconds 10 

  }

Else 
    {
Write-Host
Write-Host -ForegroundColor Yellow '**You Chose not to reset Grace period of Terminal Server (RDS) Licensing'
  }

## Display Remaining Days again as final status
tlsbln.exe
$GracePost = (Invoke-WmiMethod -PATH (gwmi -namespace root\cimv2\terminalservices -class win32_terminalservicesetting).__PATH -name GetGracePeriodDays).daysleft
Write-Host
Write-Host -fore Yellow =====================================================
Write-Host -fore Yellow 'Terminal Server (RDS) grace period Days remaining are' : $GracePost
Write-Host -fore Yellow =====================================================

## Cleanup of Variables
Remove-Variable * -ErrorAction SilentlyContinue
