I recently ran into a problem where users can no longer log on to the RDS server. They get an "Access denied" message.
If I add them to Domain Admins, they can carry on without any problem. I have already checked Local Security Policy > Local Policies > User Rights Assignments > Allow log on through Remote Desktop Services. It has the appropriate groups assigned. I even added Domain Users so that everyone is included, but unless the user belongs to the Domain Admins group they are still denied access.
I checked the event logs, and the only 2 events related to the Security log are 2 4634 events, both of which indicate that an account was logged off. One is logon type 3 and the other is logon type 10.
Any ideas on what is causing this?
Answer 1
Domain Admins always have the right to log on through Remote Desktop, but other users must be granted this right explicitly. It sounds like your domain users may have been removed from the local rights group.
Places to check:
- Make sure Domain Users have been added to the "Remote Desktop Users" local security group on the RDS server.
- Open Remote Desktop Session Host Configuration and check the properties of the RDP-Tcp connection. Make sure nobody has modified the security here. The Security tab should still include "Remote Desktop Users" with "User Access" and "Guest Access" allowed.
- Still in the RDP-Tcp properties dialog, make sure the Security Layer is set to "Negotiate" and the Encryption Level to "Client Compatible", unless you need it set higher.
- Check GPResult for the following:
  - Allow log on through Remote Desktop Services should be set to Administrators, Remote Desktop Users.
  - Deny log on through Remote Desktop Services should be set to Guests, ideally Local account, Guests.
  - Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Session Host > Connections > *Allow users to connect remotely by using Remote Desktop Services* should be set to Not configured or Enabled.
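The checks listed in this answer can be collected in one pass from the RDS host. The script below is an added example, not part of the answer above; it assumes an elevated PowerShell 5.1+ session (for Get-LocalGroupMember) and uses secedit, the root\cimv2\TerminalServices WMI classes and the fDenyTSConnections registry values to report the group membership, user rights, listener settings and policy state the answer tells you to verify.

```powershell
# Added audit helper (not from the answer above). Run elevated on the RDS host.
# Assumes PowerShell 5.1+ for Get-LocalGroupMember; the other calls are standard Windows tooling.
$ErrorActionPreference = 'Stop'

function Resolve-Sid([string]$s) {
    # secedit exports principals as *S-1-5-... ; bare names pass through unchanged.
    if ($s -notmatch '^\*?S-1-') { return $s }
    try { ([System.Security.Principal.SecurityIdentifier]($s.TrimStart('*'))).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $s }
}

function Get-UserRight([string]$Right) {
    # Export the effective user-rights assignments and return the principals holding $Right.
    $cfg = Join-Path $env:TEMP 'rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like "$Right =*" }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { Resolve-Sid $_.Trim() }
}

# 1. Local group membership: Domain Users (or the intended group) should be listed here.
'--- Remote Desktop Users members ---'
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, ObjectClass

# 2. User rights: allow should contain Administrators and Remote Desktop Users; deny must not
#    contain any group the affected users belong to.
'--- Allow log on through RDS ---'; Get-UserRight 'SeRemoteInteractiveLogonRight'
'--- Deny log on through RDS ---';  Get-UserRight 'SeDenyRemoteInteractiveLogonRight'

# 3. RDP-Tcp listener: SecurityLayer 1 = Negotiate, MinEncryptionLevel 2 = Client Compatible.
'--- RDP-Tcp listener ---'
Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'" | Select-Object SecurityLayer, MinEncryptionLevel

# 4. RDP-Tcp listener DACL: Remote Desktop Users must still appear with a non-zero allow mask.
'--- RDP-Tcp permissions ---'
Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSAccount `
    -Filter "TerminalName='RDP-Tcp'" | Select-Object AccountName, PermissionsAllowed, PermissionsDenied

# 5. "Allow users to connect remotely" policy: fDenyTSConnections = 1 under Policies means Disabled.
'--- fDenyTSConnections (policy / local) ---'
foreach ($p in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
               'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server') {
    $v = Get-ItemProperty -Path $p -Name fDenyTSConnections -ErrorAction SilentlyContinue
    '{0}: {1}' -f $p, $(if ($v) { $v.fDenyTSConnections } else { 'not set' })
}
```

Compare the output against the expected values in the answer: a missing group in section 1, 2 or 4, a deny entry in section 2 that matches the affected users, or a policy value of 1 in section 5 each explains an "Access denied" that only Domain Admins escape.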
Answer 3
I have spent two days looking for a solution to this problem, and it was not a GPO problem or a certificate problem but a network policy problem. I disabled it in the NPAS console and users can now access my RemoteApp. I hope this helps everyone, thank you all.
Answer 4
I suggest restarting the Remote Desktop Licensing service on the RDS (if it is already running normally, don't touch anything else, which means your setup is fine) and trying to reconnect. If everything is OK, I suggest using the following ps1 script to check and reset the counter on your RDL.
## This Script is intended to be used for Querying remaining time and resetting Terminal Server (RDS) Grace Licensing Period to Default 120 Days.
## Developed by Prakash Kumar ([email protected]) May 28th 2016
## www.adminthing.blogspot.com
## Disclaimer: Please test this script in your test environment before executing on any production server.
## Author will not be responsible for any misuse/damage caused by using it.
Clear-Host
$ErrorActionPreference = "SilentlyContinue"
## Display current Status of remaining days from Grace period.
$GracePeriod = (Invoke-WmiMethod -PATH (gwmi -namespace root\cimv2\terminalservices -class win32_terminalservicesetting).__PATH -name GetGracePeriodDays).daysleft
Write-Host -fore Green ======================================================
Write-Host -fore Green 'Terminal Server (RDS) grace period Days remaining are' : $GracePeriod
Write-Host -fore Green ======================================================
Write-Host
$Response = Read-Host "Do you want to reset Terminal Server (RDS) Grace period to Default 120 Days ? (Y/N)"
if ($Response -eq "Y") {
    ## Reset Terminal Services Grace period to 120 Days
    ## P/Invoke wrapper for RtlAdjustPrivilege (here-string terminator must stay in column 1).
$definition = @"
using System;
using System.Runtime.InteropServices;
namespace Win32Api
{
    public class NtDll
    {
        [DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
        public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
    }
}
"@
    Add-Type -TypeDefinition $definition -PassThru
    $bEnabled = $false
    ## Enable SeTakeOwnershipPrivilege (privilege value 9)
    $res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$bEnabled)
    ## Take Ownership on the Key
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    $acl = $key.GetAccessControl()
    $acl.SetOwner([System.Security.Principal.NTAccount]"Administrators")
    $key.SetAccessControl($acl)
    ## Assign Full Control permissions to Administrators on the key.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Administrators", "FullControl", "Allow")
    $acl.SetAccessRule($rule)
    $key.SetAccessControl($acl)
    ## Finally Delete the key which resets the Grace Period counter to 120 Days.
    Remove-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod'
    Write-Host
    Write-Host -ForegroundColor Red 'Resetting, Please Wait....'
    Start-Sleep -Seconds 10
}
else {
    Write-Host
    Write-Host -ForegroundColor Yellow '**You Chose not to reset Grace period of Terminal Server (RDS) Licensing'
}
## Display Remaining Days again as final status
tlsbln.exe
$GracePost = (Invoke-WmiMethod -PATH (gwmi -namespace root\cimv2\terminalservices -class win32_terminalservicesetting).__PATH -name GetGracePeriodDays).daysleft
Write-Host
Write-Host -fore Yellow =====================================================
Write-Host -fore Yellow 'Terminal Server (RDS) grace period Days remaining are' : $GracePost
Write-Host -fore Yellow =====================================================
## Cleanup of Variables
Remove-Variable * -ErrorAction SilentlyContinue