We recently encountered an issue where Terminal Services was installed on a Domain Controller, and an administrator's attempts to use the ‘Connect To’ feature built into Terminal Services Manager resulted in an error. Whenever the administrator tried to ‘Connect To’ a Terminal Server user session, the administrator was prompted to enter the end user’s password, and after doing so, an error message popped up informing the administrator that a ‘wrong password was entered’, and event ID 1326 was logged in the application event log. The administrator in question had tried all sorts of group memberships and GPO configurations, but all resulted in failure.
Although not reported by Microsoft as a problem (there is pretty much no info on the net), through some testing we were able to ascertain that the problem was being caused by permissions and restrictions, more than likely because of the server being a domain controller. The test results concluded that if the end user was an ‘administrator’, the ‘Connect To’ feature worked perfectly in Terminal Services Manager, which gave us a flashback to the ‘Windows 2000, Log on Locally’ privilege. Of course, ever since Windows 2003, there’s been the ‘Remote Desktop Users’ group, which by default is not granted the ‘Log on Locally’ privilege (although it allows you to connect to the server with a TS client). As soon as we granted the ‘Remote Desktop Users’ group the ‘log on locally’ privilege in the Default Domain Controllers Group Policy object…BAM!…everything was working with ‘as expected’ functionality.
Thanks to Avi for the write-up.
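Because the change above widens who may log on locally to a domain controller, it is worth checking which accounts actually hold the right once Group Policy has applied. The script below is an added example, not part of the original post: it exports the user-rights section of the server's security database with `secedit`, lists every holder of `SeInteractiveLogonRight` (the internal name of ‘log on locally’), and reports whether the ‘Remote Desktop Users’ group is among them. The scratch file name is an assumption.

```powershell
# Added example: audit who holds "log on locally" (SeInteractiveLogonRight).
# Run from an elevated PowerShell prompt on the server being checked.
$rdUsersSid = 'S-1-5-32-555'                      # well-known SID of BUILTIN\Remote Desktop Users
$cfg = Join-Path $env:TEMP 'user-rights.inf'      # scratch file (name is arbitrary)

# Export only the user-rights area of the security database.
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
try {
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' } |
        Select-Object -First 1
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

if (-not $line) {
    Write-Warning 'SeInteractiveLogonRight is not defined in the exported policy.'
} else {
    # Entries are comma-separated; SIDs are prefixed with '*', names are bare.
    $holders = @(($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $sid = $entry.TrimStart('*')
            try {
                $name = ([Security.Principal.SecurityIdentifier]$sid).
                    Translate([Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved)' }
        } else {
            $name = $entry
            try {
                $sid = ([Security.Principal.NTAccount]$entry).
                    Translate([Security.Principal.SecurityIdentifier]).Value
            } catch { $sid = '(unresolved)' }
        }
        [pscustomobject]@{ Sid = $sid; Account = $name }
    })

    $holders | Format-Table -AutoSize

    if ($holders.Sid -contains $rdUsersSid) {
        'Remote Desktop Users holds SeInteractiveLogonRight on this server.'
    } else {
        'Remote Desktop Users does NOT hold SeInteractiveLogonRight on this server.'
    }
}
```

Any unexpected or unresolved entry in the table is an account that can log on interactively to the domain controller and should be reviewed along with the membership of ‘Remote Desktop Users’ itself.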