Windows 2008 R2 terminal server - desktop you are trying to open is unavailable

Cerulean

Greetings,

We have a 2008 R2 terminal server that we use for connecting our Intermec CK3 handhelds. Since the beginning of time all the user accounts used for these handheld computers (username in the format of hh###, i.e. hh081) have been a member of the local Administrators group. Why? Because without it, when you try to RDP into the server from one of these Intermec CK3 handheld computers (Windows Mobile 6.1 OS), you get a popup error message at the 'Welcome' or 'Logging in...' screen (remote image coming from the server) with a window title of "Connection Error" and a message of "The desktop you are trying to open is currently unavailable. Contact your administrator to confirm that the correct settings are in place for your client connection." I get the same message if I attempt to RDP from my work laptop instead of the Intermec CK3 handheld.

On the server, the local Remote Desktop Users group has a domain security group "COMPANY\Intermec_HH_Users" as a member. This security group on the domain has all the hh### accounts as members. But this still gives the "The desktop you are trying to open is currently unavailable" error message when trying to get in under one of the hh### accounts.
 
check the security properties of the RDP-Tcp connection?
Administrative Tools -> Remote Desktop Services -> Remote Desktop Session Host Configuration -> right-click on RDP-Tcp -> Properties -> Security tab
Make sure the Remote Desktop Users group has Allow for User Access and Guest Access
 
This and add those users to the remote desktop user group.
 
This probably isn't a security group issue. You get an entirely different error that is actually quite clear as to the problem, if it's a security group issue.

Instead, check the profiles. Sometimes when a profile becomes corrupt it will refuse to allow the user to login, not even with a temp profile. Delete the profile of one of the users, try logging in and see if that fixes it.

Remember with 2008+/Windows 7, you can't just nuke the user's folder from c:\users, you have to use the MMC to delete the profile.

(Be sure to check the event log too, as it will often have quite detailed information as to why things aren't working.)
 
He is adding them to the admin group. By default, unless you are admin, it won't let you in, which means that he needs to grant those users or the group remote log in rights. By the sounds of it, he has never had these users logged in unless in the admin group, so a corrupted profile doesn't seem likely.

Check group policy editor (gpedit.msc) under Computer Config > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Find the entry for "Allow log on through remote desktop services" and "deny log on through remote desktop services", and see if the groups in question are in these categories.

If an active directory environment, add "domain users" to the allowed group and boom, should work. I have a few groups I add users to such as shop floor, office, or vip and use these groups to apply permissions not only to allow remote log in but also to files/directories.
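
The user-rights check described in the post above can also be done from an elevated PowerShell prompt on the terminal server. This is an added example, not code from anyone in the thread; the temp file name is an assumption, and the overlap check only compares direct entries, not nested group membership.

```powershell
# Added example: list who holds the two RDS logon rights on this server.
# Assumption: run elevated on the RD Session Host; the file name is arbitrary.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs as "*S-1-5-..." and some accounts as plain names
    $entry = $entry.Trim()
    if ($entry -notmatch '^\*S-') { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # SID no longer maps to an account, e.g. left behind by removed software
        return "$entry (unresolvable, possibly an orphaned account)"
    }
}

function Get-RightHolders([string]$right) {
    $line = Get-Content $cfg | Where-Object { $_ -match "^$right\s*=" }
    if (-not $line) { return @() }   # right is not assigned to anyone
    ($line -split '=', 2)[1] -split ',' |
        Where-Object { $_.Trim() } |
        ForEach-Object { Resolve-Principal $_ }
}

$allow = @(Get-RightHolders 'SeRemoteInteractiveLogonRight')
$deny  = @(Get-RightHolders 'SeDenyRemoteInteractiveLogonRight')

"Allow log on through Remote Desktop Services:"
$allow | ForEach-Object { "  $_" }
"Deny log on through Remote Desktop Services:"
$deny | ForEach-Object { "  $_" }

# A deny entry overrides an allow entry for the same principal.
$allow | Where-Object { $deny -contains $_ } |
    ForEach-Object { "Listed in both allow and deny: $_" }

# Members of the local group that normally carries the allow right
net localgroup "Remote Desktop Users"

Remove-Item $cfg
```

If the handheld accounts only get in as local Administrators, compare this output with the membership of the domain group that is nested in Remote Desktop Users before changing anything.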
 
*shrug* I know, but that error message doesn't indicate it's a security issue.* It does indicate some underlying fault with the login process, and the number 1 culprit there is always profile corruption.

* - which is not to say I didn't notice the admin group thing. Bad mojo there. When you create a RD server, the Remote Desktop users group gets created and assigned login rights, so just throwing the users/groups in that group should resolve any "Can't login because of security" issues.
 
Werd on the latter. Never EVER put a user in any type of admin role unless you know what you (and they) are doing! Going full retard to make it work is short-sighted. Perhaps on 1 user to "test". Admin rights for users is asking for trouble.

For example, on 1 terminal server, once in a blue moon some PDFs will kill the print spooler. My highest print users have access to a batch file as well as system files so they can effectively stop the spooler, the batch file dumps the shd files, then starts the spooler.

I have 2 log ins I use to verify before applying to users, 1 is a "shop floor" user, and 1 is an "office staff" user. Saves your bacon.
 
Deny log on through Remote Desktop Services has Ctx_Streaming, but Citrix isn't installed anymore on the server.

Allow log on through RDS had Administrator and Remote Desktop Users.
 
Who is in your remote desktop group? Populate this group and everything should be happy.
 
Perhaps there are Citrix left-overs causing the issue.

When you do a Google search on the error message you posted in the OP, pretty much every result has to do with Citrix, whether it be Presentation Server, Metaframe, or XenApp.
 
Has RDP worked since removing Citrix? If you ripped out Citrix you may be better off rebuilding the server.
 
Are they also members of the deny group? Remove the deny group.
The error message you would get if this were a security issue would be something along the lines of "The connection was denied because the user account is not authorized for remote login".

OP: It's not a security issue. There is a fault with your login process. Check your event logs, look for the fail message and backtrack it from there.
 