THIS PETRI IT ARTICLE IS ESSENTIAL FOR TRACKING A WINDOWS 2008 RDP ISSUE DOWN:
OTHER INFORMATION THAT MAY HELP
There are lots of factors that may lead to this issue. I list some common ones below for your reference. Please check them one by one and provide the corresponding results.
1)Windows Firewall Service stopped
Due to the security concern, Windows Server 2008 will block to establish remote desktop connection if the Windows Firewall service is stopped on the it. If you disable Windows Firewall Service, please enable it in the Service console of Windows Server 2008.
In addition, if you hope to close Windows Firewall, you can use the following command to disable it all:
Netsh advfirewall set allprofiles state off
2) Permission
A user needs to have the following rights to establish a remote desktop connection to a Windows Server 2003 terminal server:
1. Allow log on through Terminal Services
2. Rdp-Tcp connection “User Access” and “Guest Access” permissions
3. “Allow logon to Terminal Server” in the user property
Please perform the following steps to check them one by one to check permissions:
Step 1: Allow logon through Terminal Services
-------------------------------------------
To connect to terminal server properly, users need to be granted the "Allow logon through Terminal Services" right. If the server is a domain controller, users also need to have "Allow logon locally" right. I understand that you have checked the local access policy rights. Please also check the group policies that are applied to the domain or OU as they have higher priority and will override the configuration of local policy.
Logon as administrator, click Start -> Run, type "rsop.msc" in the text box, and click OK.
Locate the [Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment] item.
Check the "Allow log on locally" item to see whether this policy is defined. If so, the "Source GPO" column displays the policy that defines this policy. Please ensure "Administrators", "Remote Desktop Users", "Backup Operators", "Account Operators", "Print Operators", "Server Operators" are granted this right. If it is different, please configure the corresponding policy to grant the permission.
Check the "Allow log on through Terminal Services" item to see whether this policy is defined. If so, the "Source GPO" column displays the policy that defines this policy. Please ensure "Administrators", "Remote Desktop Users", and any other desired users are granted this right. If it is different, please configure the corresponding policy to grant the permission.
Check the "Deny log on locally" item to see whether this policy is defined. If so, the "Source GPO" column displays the policy that defines this policy. Please ensure that the user or any user groups that remote user belongs to is not included in this right. If so, please modify the corresponding policy to remove them.
Check the "Deny log on through Terminal Services" item to see whether this policy is defined. If so, the "Source GPO" column displays the policy that defines this policy. Please ensure that the user or any user groups that remote user belongs to is not included in this right. If so, please modify the corresponding policy to remove them.
Click Start -> Run, type "cmd" in the text box, and click OK.
Run the following command to refresh policy on both the domain controller and the terminal server:
Gpupdate /force
Wait for a while so that the group policy is replicated and then try to connect to the server again.
Step 2: Allow logon to Terminal Server
------------------------------------
To grant a user these permissions, start either the Active Directory Users and Computers snap-in or the Local Users And Groups snap-in, open the user’s properties, click the Terminal Services Profile tab, and then click to select the Allow logon to Terminal Server check box.
Step 3: Check TS permission
----------------------------
I understand that you may have checked this setting. Just for your reference, please double check this setting again:
Open the Terminal Services Configuration snap-in.
Right click the Rdp-Tcp item, and click Properties.
In the Permissions tab, click "Advanced".
Click the "Default" button to set the permission to the default state.
Close the RDP-Tcp Properties dialog.
Reopen it to ensure that Remote Desktop Users group has "User Access" and "Guest Access" permission, Administrators has Full Control permission, and there are NO deny entries.
Click OK.
If this issue still persists, please provide me the following information:
What is exact error message word by word when failing to remotely logon Window server 2008?
Please install Telnet Server feature on the server and use Windows XP client to run the following command and test whether 3389 port is normal:
telnet :3389
