Remote Desktop to 80% of my servers do no longer work (“User account restriction”) from just one of my PCs
I came into work last week, checked my first ticket (easy to fix one), RDP'd into the server needed for this and the login did not work. After clicking 'connect' I got the "Unable to Log You on Because of an Account Restriction" message. Checked another server (all machines are 2008R2/2012R2), the same message. No, I do not have an empty password, not using network auth, my client is Windows 10 (1607).
Here is what I did:
- Used another client (Win10.1607), same OU, same setup. Can perfectly login from anywhere to anywhere (so I am assuming it's not my user account or a GPO)
- Checked servers: I can RDP into all my DCs and a few other machines (2008R2/2012R2), looks random to me (all servers in the same OU, no special software installed)
- Deleted the mstsc cache (%appdata%\..\local\Microsoft\Terminal Server Client\*)
- Cleaned up HKCU\SOFTWARE\Microsoft\Terminal Server Client
- Watched the event logs: nothing. Absolutely nothing. So I assume it's my client, not the servers. But I can RDP into all my servers at home and in another (customer's) network ...
- Checked date/time on client/server (0.0002ms apart)
- Checked account restrictions on my account (neither time nor machine restrictions are present)
- Checked if logon at the console works (vm/ilo): works perfectly fine with my credentials
- Checked if share access would work (\\server\share): Does not work, I am seeing the same error message. Works from clientB, but not from clientA.
- When doing the same thing from one of the 'working' machines (server or client), everything is fine.
Any ideas where to look for this? It is haunting me into my sleep :-(
Updates: Surely I checked the local policies on the server(s). Any changes would have surprised me - there are a lot of servers. Also checked the client's GPO, nothing.
windows active-directory remote-desktop rdp
asked Sep 27 '16 at 11:39, edited Sep 27 '16 at 13:53 – bjoster
Try logging on with a different account.
– Greg Askew, Sep 27 '16 at 11:45
First, a good sleep is required for solving stuff... Anyway, maybe there's a local GPO that blocks it (allow\deny remote\network access under security settings). Can you post results of 'gpresult /h gpresoprt.html'?
– EliadTech, Sep 27 '16 at 11:47
@GregAskew: does not work either (e.g. 'administrator', the default and first domain admin). Not from this client. Works from other clients/servers.
– bjoster, Sep 27 '16 at 12:27
@EliadTech: my client is not a member of the domain, so my report is rather short. The gpresult of the server(s) are somewhat larger, but due to the intimate details I am not allowed to post it completely. I checked the resultset before (using rsop.msc) and found nothing (no User/Group restrictions). Do you have any special places I should have a look at?
– bjoster, Sep 27 '16 at 12:31
You can RDP to and from servers and desktops that belong to the domain. You cannot RDP from this PC1 that is in workgroup mode. Is there a different PC2 that is also in workgroup that you can try to RDP from?
– Clayton, Sep 27 '16 at 13:16
1 Answer
The solution in my case was the option "Restrict delegation of Credentials to remote Servers".
Basically, there is a new Group Policy setting that can prevent a system from passing credentials to a remote server. This was exactly the issue. You can find this setting in your local or domain group policy under:
Computer Configuration > Administrative Templates > System > Credential Delegation
answered Oct 11 '16 at 12:30 – bjoster
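A client-side check for the setting named in the answer, as an added example that is not part of the original post. It assumes the policy is stored under `HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation` with the value names `RestrictedRemoteAdministration` and `RestrictedRemoteAdministrationType`; the function name is hypothetical.

```powershell
# Added example: list the Credential Delegation policy values on the RDP client.
# Assumption: local and domain policy both write to this key, and the
# "Restrict delegation of credentials to remote servers" setting uses the
# value names RestrictedRemoteAdministration / RestrictedRemoteAdministrationType.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-CredentialDelegationPolicy {
    param([string]$Path = $PolicyKey)

    $values = @{}
    if (Test-Path -LiteralPath $Path) {
        # Read the raw registry values; this avoids the PSPath/PSProvider
        # bookkeeping properties that Get-ItemProperty adds.
        $key = Get-Item -LiteralPath $Path
        foreach ($name in $key.GetValueNames()) {
            $values[$name] = $key.GetValue($name)
        }
    }

    [pscustomobject]@{
        Path       = $Path
        Configured = ($values.Count -gt 0)
        Values     = $values
    }
}

$policy = Get-CredentialDelegationPolicy

if (-not $policy.Configured) {
    # Key missing or empty: no Credential Delegation policy applies to this client.
    "No Credential Delegation policy values found under $($policy.Path)."
}
else {
    # Show everything that is set, so it can be compared with a working client.
    $policy.Values.GetEnumerator() |
        Sort-Object Name |
        Format-Table Name, Value -AutoSize

    if ($policy.Values['RestrictedRemoteAdministration'] -eq 1) {
        Write-Warning ('Credential delegation to remote servers is restricted on this client. ' +
                       'Review the setting under Computer Configuration > ' +
                       'Administrative Templates > System > Credential Delegation.')
    }
}
```

Running the same script on a client that connects normally and comparing the two outputs shows whether the policy differs between the machines.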