Channel: Remote Desktop Services (Terminal Services) forum

HP OO flow failing, due to some access issue


 Hi,


We have this OO flow for C: clean-up. However, for ESX servers, the OO flow always fails. I just checked the log and found this. I could see a few accesses not granted:

______


WriteData (or AddFile): Not granted
AppendData (or AddSubdirectory or CreatePipeInstance): Not granted
WriteEA: Not granted
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1301bf;;;BA)
WriteAttributes: Not granted

______



Kindly suggest what to do?



Well, this is the event from the log:



Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/26/2015 10:49:01 PM
Event ID: 4656
Task Category: File System
Level: Information
Keywords: Audit Failure
User: N/A
Computer: inkerperum01
Description:
A handle to an object was requested.

Subject:
Security ID: ****\a16992167-3
Account Name: a16992167-3
Account Domain: ****
Logon ID: 0x36c0a555

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\ServerManager.msc
Handle ID: 0x0

Process Information:
Process ID: 0x2c50
Process Name: C:\Windows\System32\mmc.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes

Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA)
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA)
WriteData (or AddFile): Not granted
AppendData (or AddSubdirectory or CreatePipeInstance): Not granted
WriteEA: Not granted
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1301bf;;;BA)
WriteAttributes: Not granted

Access Mask: 0x120196
Privileges Used for Access Check: -
Restricted SID Count: 0
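
Added example (not part of the original post): decoding the Access Mask and the SDDL ACE masks quoted in the 4656 event above shows which requested rights each ACE for BA (Built-in Administrators) covers. The function names and the embedded event excerpt are constructed for this illustration; the bit values are the standard file access rights.

```python
import re

# File-object access rights (winnt.h bit values), named as Event 4656 prints them.
FILE_RIGHTS = {
    0x000001: "ReadData (or ListDirectory)",
    0x000002: "WriteData (or AddFile)",
    0x000004: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x000008: "ReadEA",
    0x000010: "WriteEA",
    0x000020: "Execute/Traverse",
    0x000040: "DeleteChild",
    0x000080: "ReadAttributes",
    0x000100: "WriteAttributes",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}

# Excerpt of the event text from the post, embedded so the example runs offline.
EVENT_TEXT = """\
Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA)
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA)
WriteData (or AddFile): Not granted
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1301bf;;;BA)
Access Mask: 0x120196
"""

# SDDL allow ACE with a hex rights field: (A;flags;rights;guid;guid;sid)
ACE_RE = re.compile(
    r"(on parent folder )?D:\(A;[^;]*;(0x[0-9a-fA-F]+);[^;]*;[^;]*;(\w+)\)"
)


def decode_mask(mask):
    """Return the names of the rights set in a file access mask, low bit first."""
    return [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]


def parse_event(text):
    """Extract the requested mask and the ACE masks quoted under Access Reasons."""
    requested = int(re.search(r"Access Mask:\s*(0x[0-9a-fA-F]+)", text).group(1), 16)
    aces = {}
    for m in ACE_RE.finditer(text):
        scope = "parent" if m.group(1) else "object"
        aces[scope] = (int(m.group(2), 16), m.group(3))  # (rights mask, trustee)
    return requested, aces


def ungranted(requested, ace_mask):
    """Rights in the request that the given ACE mask does not cover."""
    return decode_mask(requested & ~ace_mask)


if __name__ == "__main__":
    requested, aces = parse_event(EVENT_TEXT)
    print("requested:", decode_mask(requested))
    for scope, (mask, trustee) in aces.items():
        print(scope, trustee, hex(mask), "missing:", ungranted(requested, mask))
```

For the event in the post, the ACE on the file itself (0x1200a9) leaves exactly the four write rights the event lists as "Not granted", while the parent folder ACE (0x1301bf) would cover the whole request.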


RDS 2012 R2 - Server Busy and Blank User Connections Across All Servers in the Farm


Hi All,

I'm having issues with a RDS 2012 R2 Server Farm we have.

I have 4 servers in the farm and about 100 users accessing the farm.

The issue is that when users connect (random users) it tells them that the server is busy and to retry.

Looking at the servers connections within the connection broker I can not see any connection for them.

If I look at the users connected on each of the servers I see lots of blank users all with 4 processes still active,  a right click sign off will not remove these.

The 4 processes are always the same 

1. Desktop Window Manager

2. Windows Logon Application

3. Client Server Runtime Process

4. Windows Logon User Interface Host

If I connect to these sessions they are hung with "Please wait for Group Policy Client"

I have installed all available patches via Windows Update, checked the GPOs applied, and disabled the use of "Remote Desktop Services Profiles".

The only way I can clear these is to reboot the servers.

I have seen a lot of posts with issues like this in earlier versions, but can't seem to see a fix or patch for 2012 R2.

Any ideas?

Thanks in advance

Dale

RD Connection broker 2012 R2: disable multiple session per user



My configuration

All servers - Windows 2012 R2.

One Connection Broker. Two collections with several RD Session Host servers. One Web Access server.

There is policy for RD Session hosts:

Restrict Remote Desktop Services users to a single Remote Desktop Services session: Enable

But from different RD clients I can launch two sessions on different RD session host servers from the same RD collection.

How to disable multiple remote desktop sessions per user per RD collection?

Pooled Read Only Collection Restart


After deploying a new desktop collection (Win7) if I log into any one of the virtual desktops at the Hyper-V Console (2012 R2) I am seeing a "You must restart your computer to Apply these changes" prompt.  When I click restart and log back in I see this prompt.  When I log out of the console the virtual desktop reverts back to the snapshot and the process starts all over.   Any ideas?

 

Printers not autocreating on Remote Desktop 2012 R2


We have a Remote Desktop server running 2012 R2 and we don't want to use Easy Print. I've disabled the Easy Print option in Group Policy in Computer and Users and added the drivers to the server. When I log in, nothing gets created and I see lots of Event 603 in the PrintService logs:

The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-21-834351874-1802768738-1501187911-33228\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.

Orange County District Attorney


Remote desktop across domains w/ smartcard (no trust relationship)


(setting the stage)
Workstation:  Windows 7 Enterprise SP1, member of Domain A, up to date on security patches
Server:  Windows Server 2008 R2 Standard, Domain Controller of Domain B, up to date on security patches
Middleware:  ActivIdentity ActivClient (v7.0.2.408) - installed on workstation and server

Hi Everyone,

I've got an interesting question/problem, I'm hoping someone else out there has run up against.  We've been tasked with trying to enable PIV authentication via RDP so our domain admins can use their PIV card to log into remote boxes, and not a username/password.  There is currently no trust relationship between domain A and domain B in my set up.  The server is not running Remote Desktop Gateway.  It is configured to use TLS 1.0 security layer and FIPS compliant encryption level.  It is also configured to require NLA and is using a domain controller certificate issued by a 3rd party CA.

I have taken my PIV authentication certificate and have mapped it to my account in domain B (so the altSecurityIdentities attribute is now populated).  After a lot of Googling, I found that I had to set the registry key "UseSubjectAltName" (located under HKLM\SYSTEM\CurrentControlSet\services\kdc) to 0.  I also needed to set two Group Policy settings "Allow certificates with no extended key usage certificate attribute" and "Allow user name hint".  After I set these settings, and imported the necessary certificates to the NTAuth Store and Trusted Root Certification Authorities, I still couldn't RDP from my workstation to the server using my PIV card with the name hint of userid@domain.name.gov.  I would get an error message saying "The specified user name does not exist.  Verify the user name and try logging in again.  If the problem continues, contact your system administrator or technical support.".  After a lot of troubleshooting, I discovered that if I turn off NLA on the server, I can type in my PIN and userid@domain.name.gov into the RDP window on my workstation, it would then launch an RDP session where it would make me type in my PIN and name hint once again.  After I type everything in a second time, the server will load my desktop and I can proceed as normal.

My question is, is there a way to accomplish the end result of using a smart card to RDP to a server in a different domain (no trust relationship), and have NLA enabled.  Disabling NLA "works", but I don't think my I.T. Security folks are going to go for that as an option.

Thanks in advance for any suggestions!

-Matt

certificate mismatch and double password prompts for 2012 RDS


We have a 2012 server with RDWeb, RDGateway, and RDCB roles installed:  gw.domain.LOCAL

We then have another 2012 server that is a RDSH: rd1.domain.LOCAL

The gateway server has a wildcard cert installed for *.domain.COM and I have installed RDCB HA and set the HA name to rd.domain.COM which is the same hostname being externally used by clients to connect to RDweb/RDGateway.

So now if I log in from a Windows 8 machine, or from my Surface RT, it is seamless and opens without issue...

But if I log in from a Windows 7 machine, after clicking Connect I get prompted to authenticate again (despite having already authenticated via RDWeb) and then I get a warning popup letting me know that there is a certificate mismatch and the computer name is rd1.domain.LOCAL...  Why is the name of the actual RDSH server getting shown to the client at all, shouldn't that be hidden?

Going to test from an XP machine and a Mac now, but any ideas on why the Win7 box can't seamlessly connect would be great...

Thanks!

Wes


Install SSL Cert on RDP-TCP for Server 2012 which is not joined to the domain like Server 2008 R2


Hello, 

We just built out Server 2012 STD and will reside it in DMZ along with not joining it to our domain. After we ran Qualys PCI scan, we found an issue with SSL Certificate - Signature Verification Failed Vulnerability port 3389/tcp over SSL. On 2008 R2, we put a cert on RDP-TCP properties to resolve this issue. However, on 2012 I cannot find the same way to do that since no terminal services are installed as built in. 

I found the article below, but the standard deployment option/quick start are not available on non domain joined server like we have.

http://social.technet.microsoft.com/Forums/en-US/winserver8gen/thread/8efe05de-b596-4180-bc41-3f98008b555f/

Is there a way I can make the similar process we did on 2008 R2 for this new server 2012 std ?


Users files not going recycle bin its permanently deleted.


Hello,


My name is Pankaj. We are facing a critical issue on one of my Terminal Servers.


I have multiple Terminal Servers and all are members of our domain, but one Terminal Server has a problem. When users delete files and folders, they do not go to the Recycle Bin; they are deleted permanently.


But when we create new users or log in with the administrator account, everything works fine.


 This is server 2008r2 Standard 64 bit version.


Please, someone help me.


Pankaj Kumar

3389 not listening 2008r2

I have RDP enabled on this 2008 R2 server but users cannot log in via RDP. Also, 3389 is not listening. Any ideas?

Terminalserver license issue

Dear all,

My Terminalserver has a problem discovering the existing Terminalserver License servers even though the Licensing Diagnosis tool discovers everything well.
Environment:
  • MS license server with Windows 2008 R2, installed and activated Terminalserver license server, installed 25 TS User CALS for 2008 (and 702 CALS for 2003)
    The License server security group Group Policy setting hasn't been enabled.
  • MS license server with Windows 2003, installed and activated Terminalserver license server (Domain license server), installed 702 CALS for 2003
  • Terminal server Windows 2008 (plus Citrix XenApp 5 FP2)
  • Windows XP SP2 client
Configuration:
  • The Terminalserver is configured to use User CALS, the user CALS for 2008 have been applied to the license server.
  • The Windows 2008 License server has been specified by configuring License Server discovery mode for the terminal server in the Terminal Services Configuration tool. The Licensing Diagnosis tool reports the server as fine, also showing the available Windows 2008 per user CALS. The 2003 server is also reported with the hint of the old version.
  • We also added the server as preferred license server in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers.
Issue:
  • Logon is only possible with mstsc /admin, otherwise the error "A device attached to the system is not functioning" is shown. After logon a small window on the systray informs the server could not locate a valid license server. But the Licensing Diagnosis tool reports the licensing server correctly.
  • After every reboot the terminalserver shows the message: Citrix license error "A problem with Terminal Services functionality has been corrected on the server running XenApp. The correction involves changes to the registry. Please reboot the server."
  • If we restart the Terminalservices manually after the reboot everything works fine.

My Questions:
Why can't the terminalserver find the license server even though the Licensing Diagnosis tool is able to? Why is the manual restart of the Terminalservices helpful, but not a server restart?

Additional hint:
During installation the Fujitsu ServerView Agents are installed on the Terminalserver, following the below links we uninstalled the agents, after that the discovery works fine in the Licensing Diagnosis tool.
Knowledgebase number KB977686 has been allocated but isn't visible yet.
Links:
http://social.technet.microsoft.com/Forums/en/winserverTS/thread/4fa27bdd-0b9e-440f-a7c7-146a7484a028
http://forum.de.ts.fujitsu.com/forum/viewtopic.php?f=102&p=132689


Any help is highly appreciated.

Thanks in advance and best regards
Ralf Hoffmann

How to create a certificate from your own CA for RDS VDI host?


I have trouble creating and using a certificate in my VDI deployment. First, I was having trouble creating the certificate as .pfx, as RDS requires it, not .cer, but then I figured out to enable "export Private key", and I got .pfx. Now when I try to assign the cert to the VDI deployment, it basically does nothing. It rolls out the certificate, but the status doesn't change.

These are the steps how I try to accomplish this:

1. In CA, I create template with Client + Server Authorization
2. I issue the template to CA.
3. In RDS VDI host, I enroll the certificate.
4. In RDS VDI host, I export this cert as .pfx.
5. In RDS Deployment properties, I try to apply the cert, but the status does not change. (stays as not configured)

Am I doing something wrong here? I have some experience of managing CA, but not sure always what I'm doing :)

(previously I played around with the same host, using RDS self signed certs, but now I wish to apply AD CA).

RDP connection error


I am having the below problem with RDP connection in my Windows 10. Please help.

The error is:

VBScript: Remote Desktop Connection

this wizard cannot configure Remote Desktop Connections Settings. Make sure that the client version of Remote Desktop Protocol (RDP) 6.0 or later is installed on this computer.

I have already updated the compatibility settings, but there are no changes.

Printers of other users visible and show up multiple times under the control panel


Hello,

I currently have a very interesting problem:

Some (not all) printers show up multiple times on every user session on the specific terminal server. This behavior shows up on both of the 2 servers. Also the printer only shows up multiple times under the control panel, but not in the printer dialog.

The users are not part of either printer operators, Administrator or Power Users.

The servers are Windows Server 2012.

I cannot find a reason for this after some hours with my friend Google.

Does someone have any idea how to fix this?

Thanks in advance

Paul

RDS and AD Question

We have been having big problems with our RDS 2012 R2 deployment. So much so that I have removed the RDS servers, removed the collections, uninstalled RDS roles, disjoined from the domain and then deleted the Hyper-V VMs. Then reinstalled 2012 R2 and then deployed RDS. Only to have the EXACT same problem!! Does RDS 2012 R2 put anything in AD besides the computer objects?

Remote desktop connection. An internal error has occurred,then dialog closed


I run remote desktop (using IP address of the remote computer) and get error:

"Remote desktop connection.  An internal error has occurred."

It used to work flawlessly and all of a sudden quit working.

Please advise.

Remote server: 08 R2

Client: Windows 8.1

Unable to login remotely unless someone is already logged in


Hello. I have deployed a number of server 2012 r2 machines and I have been experiencing a problem with remote desktop. All servers are DC and one of which is the RD licensing server (I'll call it machine A, the rest as B and C). In order for remote desktop service to function, I need to physically go to machine A and logon as admin. If no one is logged in on machine A as admin, I cannot remote into any of the servers, but in different fashion.

For machine A, a message pops up saying "Remote Desktop can't connect to the remote computer for one of these reasons: ..." before I get to type in my username and password.

For the other servers, I get to type in my user name and password, but it says "Access is denied" after loading a while, possibly because the servers cannot communicate with machine A which houses the RD licensing server.

I also tried to log on to machine A, then remote into machine B and C, then log out of machine A. The connection to B and C didn't drop, but they cannot see machine A online and complain RD will stop working in 98 days because the RD licensing server is missing.

So, it appears to me that machine A goes offline once I log out as admin. The issue suddenly appeared one morning. I am wondering if anyone has seen it or has a fix for this. Thank you.

Dominic

Can't connect to any resources via RD Gateway from External address, while I can from my internal network FQDN


I've seen a lot of discussions about this in this forum, but I'm not able to get this to work. 

I've got a single server with all of the RD roles installed on it with valid licenses. It's behind a router with a single static IP address assigned to the WAN interface with ports 3391-UDP and 443-TCP forwarded to my internal local static IP on my Windows Server 2012 R2 machine. It is part of local domain, let's call it, "server1.domain.local."

Connections from within my local network to https://server1.domain.local/RDWeb allow a published application to run properly. 

When I look at the Deployment Properties of RD Web Access Server it points to a non-editable entry called https://server1.domain.local/RDWeb, not my external FQDN.

I used the, "Change published FQDN for Server 2012 or 2012 R2 RDS Deployment" https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80 to see if that helps, but it doesn't seem to work. The local value still shows up in the Deployment Properties of RD Web Access Server.

I am likely to be unable to set up a public network interface with the external FQDN on it, namely remote1.domain.com as an example. I need to keep the server behind the firewall and continue using port forwarding with NAT.

When I connect to https://remote1.domain.com/RDWeb I can see the published apps. I've had various failures from this point on. Right now I'm getting "RemoteApp Disconnected": User account not authorized, or computer not authorized, or incompatible method.

I have a public Cert that works fine. The same cert was used for all 4 required roles. I created a .pfx exported from IIS for this purpose with a third party certificate authority. 

I also tried setting up an mstsc connection with the public external FQDN used as a gateway. This fails, too. 

I used the Add Roles and Features, RDS installation, Quick, Session-based to set this all up. 

I thought maybe my Gateway just wasn't working properly. I uninstalled it, rebooted, and re-installed it. No joy. 

Domain Users can access RDS via mstsc locally. 

I can't figure out where to look next. 

I thought this would be instructive:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/67dfab70-7e10-4e0b-a3c8-63ce776f2355/how-do-i-change-the-url-to-the-remote-web-access-server-in-windows-server-2012?forum=winserverTS

However I'm still getting nowhere. 

If you have any suggestions, please be specific and clear. I expect I'm missing something. For example someone posted this at the previously mentioned page, "1. Please configure the RD Gateway FQDN in deployment settings so that it is set to the external address for your server, for example, remote.yourdomain.com."

Obviously, if I could do that I might not have a problem, but how does one do that in my circumstance? 

Help.

Thanks,

Steven

Can We Create a Pooled Virtual Desktop Collection of server OS like Windows Server 2012 R2 using Windows Server 2012 R2 RDS VDI


Hi, 

Would like to know if we can create a Pooled Virtual Desktop Collection with a sysprepped template of a server OS like Windows Server 2012 R2 in a Windows Server 2012 R2 RDS VDI environment? We have seen it succeed with client OSes like Win 7, Win 8, etc., but it fails for a server OS.

 

Kindly confirm.


Enforcement of RDS 2012R2 Per User Licenses vs. RDS 2008R2 Per User Licenses


We currently have 2008R2 Per User licenses on a 2008R2 Licensing server.  We only have (200) 2008R2 Per User RDS CALs and we have more than 200 users who have connected because we have people who have come/gone from the company and we have not managed the licenses.  from the company and connected without any issues because 2008R2 Per User RDS did not seem to care about enforcement.  We now are going to upgrade our licensing to 2012R2, but there are a couple of questions.

1. First step sounds like to migrate the license over to a 2012R2 RDS Licensing server.  Will this step cause any kind of enforcement on our RDS?

2. Do 2012R2 RDS Per User licenses have strict enforcement?

Thanks,


Dave

