Unable to take RDP through local admin account

  • Last Post 12 July 2019
yogeshcittu posted this 14 June 2019

Hi Folks,
We are not able to log in with the local admin account for our servers through RDP, whereas from the VM console we are able to log in.
Tried to move the server to a workgroup, and then it works through RDP.
This is due to a GPO setting that is being applied, but I am not sure which setting is causing this issue.
“Allow log on locally” and “Allow log on through Remote Desktop Services” are being enabled through GPO, and the Administrators group is part of it.
Any thoughts or directions would be helpful for me.

kurtbuff posted this 14 June 2019

On Thu, Jun 13, 2019 at 5:25 PM Yogesh cittu wrote:


aakash posted this 14 June 2019

Check the setting “Deny access to this computer from the network” at “Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignment”. If you have either “NT AUTHORITY\Local account and member of Administrators group”, or simply “NT AUTHORITY\Local account”, then you have a GP that is applying some mitigation measures to prevent lateral movement by local accounts. Although you are allowing admins to connect as you mentioned below, this Deny rule supersedes the Allow rule.

Note that “Deny access to this computer from the network” applies since with modern versions of Windows with Network Level Authentication (NLA), it also needs this right to be able to RDP to an endpoint.

-Aakash Shah
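
One way to run the check described in the post above on the affected server, added here as an example and not posted by anyone in the thread: it parses a `secedit` user-rights export and flags the two deny rights that matter for an NLA-protected RDP logon. The function name `Test-LocalAccountNetworkDeny` and the sample export are constructed for illustration; S-1-5-113 and S-1-5-114 are the well-known SIDs behind the two "NT AUTHORITY\Local account..." names.

```powershell
# Added example (not from the thread). Parses the [Privilege Rights] lines of a
# "secedit /export /areas USER_RIGHTS" file and lists every member of the two
# deny rights, marking the well-known local-account SIDs.
function Test-LocalAccountNetworkDeny {
    param([Parameter(Mandatory)][string[]]$InfLines)

    # Well-known SIDs for the two principals named in the post above.
    $localAccountSids = @{
        'S-1-5-113' = 'NT AUTHORITY\Local account'
        'S-1-5-114' = 'NT AUTHORITY\Local account and member of Administrators group'
    }
    # Deny rights evaluated for a network logon (NLA) and for the RDP session itself.
    $denyRights = 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight'

    foreach ($line in $InfLines) {
        # Expected line shape: SeDenyNetworkLogonRight = *S-1-5-32-546,Guest
        if ($line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $right   = $Matches[1]
        $members = $Matches[2]
        if ($denyRights -notcontains $right) { continue }

        foreach ($entry in ($members -split ',')) {
            $member = $entry.Trim().TrimStart('*')   # SIDs are exported with a leading '*'
            if (-not $member) { continue }
            [pscustomobject]@{
                Right           = $right
                Member          = $member
                LocalAccountSid = $localAccountSids.ContainsKey($member)
                Meaning         = $localAccountSids[$member]
            }
        }
    }
}

# Constructed sample of an export, for illustration only.
$sample = @(
    '[Privilege Rights]'
    'SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11'
    'SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-114'
    'SeDenyRemoteInteractiveLogonRight = Guest'
    'SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555'
)
Test-LocalAccountNetworkDeny -InfLines $sample | Format-Table -AutoSize

# On the server itself, from an elevated prompt, use the effective policy instead:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   Test-LocalAccountNetworkDeny -InfLines (Get-Content "$env:TEMP\rights.inf")
```

Any row with `LocalAccountSid` set to True under `SeDenyNetworkLogonRight` means a local administrator is refused over the network even though the Allow rights include Administrators.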

 


MattStork posted this 14 June 2019

Firewall? Group Policy can set firewall rules.

Test-NetConnection -CommonTCPPort RDP -ComputerName ServerNameHere
-Matt


yogeshcittu posted this 14 June 2019

Hi All,
/admin switch for mstsc? Doesn't work.
“Deny access to this computer from the network” at “Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignment”:
Only the Guest account is added in the list.
Test-NetConnection -CommonTCPPort RDP -ComputerName ServerNameHere
The test gives me success results.
Any other thoughts or GPO settings to be checked?



kurtbuff posted this 14 June 2019

"Deny access to this computer from the network” at “Computer
Configuration | Policies | Windows Settings | Security Settings |
Local Policies | User Rights Assignment "

Which of your GPOs contains that setting?

Kurt


PARRIS posted this 14 June 2019

Are you utilising .\Administrator to logon?

Regards,

Mark Parris
BSc (Hons) | MBCS
Mobile: +44 7801 690596
E-mail: mark@xxxxxxxxxxxxxxxx


yogeshcittu posted this 14 June 2019

It’s a custom GPO applied to Windows 2016 server.
Deny policy is enabled but only the Guest account is added.
On Sat, 15 Jun 2019 at 2:33 AM, Kurt Buff - GSEC, GCIH <kurt.buff@xxxxxxxxxxxxxxxx> wrote:
"Deny access to this computer from the network” at “Computer
Configuration | Policies | Windows Settings | Security Settings |
Local Policies | User Rights Assignment "

Which of your GPOs contains that setting?

yogeshcittu posted this 14 June 2019

Nope...use servername\administrator through RDP
On Sat, 15 Jun 2019 at 3:09 AM, Mark Parris <mark@xxxxxxxxxxxxxxxx> wrote:
Are you utilising .\Administrator to logon?

ken posted this 16 June 2019

What is in the Security Event Log, when the RDP logon is denied?

 


yogeshcittu posted this 18 June 2019

Unknown user name or bad password, with below error codes:
Status: 0xC000006D
Sub Status:


jeremyts posted this 19 June 2019

So it works with the local administrator “.\Administrator”, just not a domain account?

 

And is this across all servers?

 

Cheers,

Jeremy

 


yogeshcittu posted this 19 June 2019

Nope... it works with the local account, .\administrator, from the VM console, but doesn’t work through RDP when logging in as servername\administrator, for all servers placed within an OU.
On Wed, 19 Jun 2019 at 7:41 AM, Jeremy Saunders <jeremy@xxxxxxxxxxxxxxxx> wrote:
So it works with the local administrator “.\Administrator”, just not a domain account?
And is this across all servers?

PARRIS posted this 19 June 2019

So this reads like either an Allow or Deny log on via RDP is kicking in.

The VMWare console is working as it is being treated as a Console logon and not being evaluated as RDP.

Mark

Regards,

Mark

Mark Parris
BSc (Hons). MBCS. MCMI.
Identity & Technology Management.
Tel: +44 (0)7801 690596
Email: mark@xxxxxxxxxxxxxxxx




yogeshcittu posted this 19 June 2019

Yeah..only RDP doesn’t work.
On Wed, 19 Jun 2019 at 1:40 PM, Mark Parris <mark@xxxxxxxxxxxxxxxx> wrote:
So this reads like either an Allow or Deny log on via RDP is kicking in.
The VMWare console is working as it is being treated as a Console logon and not being evaluated as RDP.

PARRIS posted this 19 June 2019

So if you run a gpresult /h from the client what does it tell you?


ken posted this 23 June 2019

0xC000006D = “The attempted logon is invalid. This is either due to a bad username or authentication information.”

0xC0000064 = “The specified account does not exist.”

 

What is odd is that you can logon at the console. If a GPO were denying RDP logon, you’d typically get a different error message.

 

Are you sure the local Administrator account hasn’t been renamed? (though that does not explain how you’re able to logon at the VMWare console…)

 

Regards

Ken

 

 


yogeshcittu posted this 23 June 2019

Local administrator has been renamed through GPO, and it’s reflecting on the client. I’m trying to log in with the renamed local admin account. That works in console but not through RDP.
On Sun, 23 Jun 2019 at 10:49 AM, Ken Schaefer <ken@xxxxxxxxxxxxxxxx> wrote:
0xC000006D = “The attempted logon is invalid. This is either due to a bad username or authentication information.”
0xC0000064 = “The specified account does not exist.”
What is odd is that you can logon at the console. If a GPO were denying RDP logon, you’d typically get a different error message.
Are you sure the local Administrator account hasn’t been renamed? (though that does not explain how you’re able to logon at the VMWare console…)

kurtbuff posted this 23 June 2019

That is odd indeed.

We've renamed the local administrator account through a GPO on our
workstations, and have no problems using RDP with those accounts using
the LAPS password.

Kurt


Mahdi posted this 24 June 2019

Check something.

  • in 'RD Session Host Configuration'
  • go to properties of 'RDP-Tcp' connection
  • 'General' tab
  • What is the status of 'Encryption'?

If that is 'FIPS' and your encryption level is using a method which is not FIPS compliant, that will fail.

jeremyts posted this 12 July 2019

Was researching something today and came across a reg value called “IgnoreRegUserConfigErrors”. Have a Google and see if it’s possibly related to your issue. I thought it was interesting and worth mentioning.

 

Cheers,

Jeremy

 
