Windows Server 2012 标准 RDS 访问被域用户拒绝

Question 1

域管理员始终拥有远程桌面登录权限，但其他用户需要明确授予此权限。听起来您的域用户可能已从本地权限组中删除。

检查地点：

确保域用户已添加到 RDS 服务器的“远程桌面用户”本地安全组。
打开远程桌面会话主机配置并检查 RDP-Tcp 连接的属性。确保没有人修改此位置的安全性。安全选项卡仍应包括“远程桌面用户”，其中允许“用户访问”和“访客访问”。
仍在 RDP-Tcp 属性对话框中，确保安全层设置为“协商”并且加密级别为“客户端兼容”，除非您需要将其设置得更高。
检查 GPResult 是否存在以下内容：
- Allow log on through Remote Desktop Services应设置为Administrators, Remote Desktop Users。
- Deny log on through Remote Desktop Services应设置为Guests，理想情况下为Local account, Guests。
- Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Session Host > Connections > *Allow users to connect remotely by using Remote Desktop Services*应设置为Not configured或Enabled。

Answer

域管理员始终拥有远程桌面登录权限，但其他用户需要明确授予此权限。听起来您的域用户可能已从本地权限组中删除。

检查地点：

确保域用户已添加到 RDS 服务器的“远程桌面用户”本地安全组。
打开远程桌面会话主机配置并检查 RDP-Tcp 连接的属性。确保没有人修改此位置的安全性。安全选项卡仍应包括“远程桌面用户”，其中允许“用户访问”和“访客访问”。
仍在 RDP-Tcp 属性对话框中，确保安全层设置为“协商”并且加密级别为“客户端兼容”，除非您需要将其设置得更高。
检查 GPResult 是否存在以下内容：
- Allow log on through Remote Desktop Services应设置为Administrators, Remote Desktop Users。
- Deny log on through Remote Desktop Services应设置为Guests，理想情况下为Local account, Guests。
- Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Session Host > Connections > *Allow users to connect remotely by using Remote Desktop Services*应设置为Not configured或Enabled。

Question 2

尝试一下发布在访问被拒绝 - 远程桌面

将远程桌面服务服务登录设置为网络服务

Answer

尝试一下发布在访问被拒绝 - 远程桌面

将远程桌面服务服务登录设置为网络服务

Question 3

我已经花了两天时间寻找这个问题的解决方案，但它不是 gpo 问题或证书问题，而是网络策略问题，我在 NPAS 控制台中禁用了它，用户可以访问我的远程应用程序，我希望这可以帮助大家，谢谢大家

Answer

我已经花了两天时间寻找这个问题的解决方案，但它不是 gpo 问题或证书问题，而是网络策略问题，我在 NPAS 控制台中禁用了它，用户可以访问我的远程应用程序，我希望这可以帮助大家，谢谢大家

Question 4

我建议重启 RDS 上的远程桌面授权服务（如果已经正常运行，则不要触碰任何其他东西，这意味着您的设置没问题）并尝试重新连接。如果一切正常，我建议使用以下 ps1 脚本检查并将计数器重置到您的 RDL

远程桌面许可 - 点击查看图片

## This Script is intended to be used for Querying remaining time and resetting Terminal Server (RDS) Grace Licensing Period to Default 120 Days.
## Developed by Prakash Kumar ([email protected]) May 28th 2016
## www.adminthing.blogspot.com
## Disclaimer: Please test this script in your test environment before executing on any production server.
## Author will not be responsible for any misuse/damage caused by using it.

Clear-Host
$ErrorActionPreference = "SilentlyContinue"

## Display current Status of remaining days from Grace period.
$GracePeriod = (Invoke-WmiMethod -PATH (gwmi -namespace root\cimv2\terminalservices -class win32_terminalservicesetting).__PATH -name GetGracePeriodDays).daysleft
Write-Host -fore Green ======================================================
Write-Host -fore Green 'Terminal Server (RDS) grace period Days remaining are' : $GracePeriod
Write-Host -fore Green ======================================================  
Write-Host
$Response = Read-Host "Do you want to reset Terminal Server (RDS) Grace period to Default 120 Days ? (Y/N)"

if ($Response -eq "Y") {
## Reset Terminal Services Grace period to 120 Days

$definition = @"
using System;
using System.Runtime.InteropServices; 
namespace Win32Api
{
    public class NtDll
    {
        [DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
        public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
    }
}
"@ 

Add-Type -TypeDefinition $definition -PassThru

$bEnabled = $false

## Enable SeTakeOwnershipPrivilege
$res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$bEnabled)

## Take Ownership on the Key
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
$acl = $key.GetAccessControl()
$acl.SetOwner([System.Security.Principal.NTAccount]"Administrators")
$key.SetAccessControl($acl)

## Assign Full Controll permissions to Administrators on the key.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Administrators","FullControl","Allow")
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)

## Finally Delete the key which resets the Grace Period counter to 120 Days.
Remove-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod'

write-host
Write-host -ForegroundColor Red 'Resetting, Please Wait....'
Start-Sleep -Seconds 10 

  }

Else 
    {
Write-Host
Write-Host -ForegroundColor Yellow '**You Chose not to reset Grace period of Terminal Server (RDS) Licensing'
  }

## Display Remaining Days again as final status
tlsbln.exe
$GracePost = (Invoke-WmiMethod -PATH (gwmi -namespace root\cimv2\terminalservices -class win32_terminalservicesetting).__PATH -name GetGracePeriodDays).daysleft
Write-Host
Write-Host -fore Yellow =====================================================
Write-Host -fore Yellow 'Terminal Server (RDS) grace period Days remaining are' : $GracePost
Write-Host -fore Yellow =====================================================

## Cleanup of Variables
Remove-Variable * -ErrorAction SilentlyContinue

Answer

我建议重启 RDS 上的远程桌面授权服务（如果已经正常运行，则不要触碰任何其他东西，这意味着您的设置没问题）并尝试重新连接。如果一切正常，我建议使用以下 ps1 脚本检查并将计数器重置到您的 RDL

远程桌面许可 - 点击查看图片

## This Script is intended to be used for Querying remaining time and resetting Terminal Server (RDS) Grace Licensing Period to Default 120 Days.
## Developed by Prakash Kumar ([email protected]) May 28th 2016
## www.adminthing.blogspot.com
## Disclaimer: Please test this script in your test environment before executing on any production server.
## Author will not be responsible for any misuse/damage caused by using it.

Clear-Host
$ErrorActionPreference = "SilentlyContinue"

## Display current Status of remaining days from Grace period.
$GracePeriod = (Invoke-WmiMethod -PATH (gwmi -namespace root\cimv2\terminalservices -class win32_terminalservicesetting).__PATH -name GetGracePeriodDays).daysleft
Write-Host -fore Green ======================================================
Write-Host -fore Green 'Terminal Server (RDS) grace period Days remaining are' : $GracePeriod
Write-Host -fore Green ======================================================  
Write-Host
$Response = Read-Host "Do you want to reset Terminal Server (RDS) Grace period to Default 120 Days ? (Y/N)"

if ($Response -eq "Y") {
## Reset Terminal Services Grace period to 120 Days

$definition = @"
using System;
using System.Runtime.InteropServices; 
namespace Win32Api
{
    public class NtDll
    {
        [DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
        public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
    }
}
"@ 

Add-Type -TypeDefinition $definition -PassThru

$bEnabled = $false

## Enable SeTakeOwnershipPrivilege
$res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$bEnabled)

## Take Ownership on the Key
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
$acl = $key.GetAccessControl()
$acl.SetOwner([System.Security.Principal.NTAccount]"Administrators")
$key.SetAccessControl($acl)

## Assign Full Controll permissions to Administrators on the key.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Administrators","FullControl","Allow")
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)

## Finally Delete the key which resets the Grace Period counter to 120 Days.
Remove-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod'

write-host
Write-host -ForegroundColor Red 'Resetting, Please Wait....'
Start-Sleep -Seconds 10 

  }

Else 
    {
Write-Host
Write-Host -ForegroundColor Yellow '**You Chose not to reset Grace period of Terminal Server (RDS) Licensing'
  }

## Display Remaining Days again as final status
tlsbln.exe
$GracePost = (Invoke-WmiMethod -PATH (gwmi -namespace root\cimv2\terminalservices -class win32_terminalservicesetting).__PATH -name GetGracePeriodDays).daysleft
Write-Host
Write-Host -fore Yellow =====================================================
Write-Host -fore Yellow 'Terminal Server (RDS) grace period Days remaining are' : $GracePost
Write-Host -fore Yellow =====================================================

## Cleanup of Variables
Remove-Variable * -ErrorAction SilentlyContinue

Windows Server 2012 标准 RDS 访问被域用户拒绝

答案1

答案2

答案3

答案4

相关内容