staypuft-3072 asked JiaYou-MSFT edited

GPO for locking RDP computer

I am having trouble with a remote computer locking the screen all the time, or even logging the user account out (from an RDP session). A couple of questions:

  • I can see the event logs, but I can't see what caused the account to lock out. Are there event logs (debug logs) that may give me more info on why the session locked the desktop?

  • I checked my GPOs, but does anyone have a complete list of all the GPOs that can lock a desktop session?? What I THINK I have found and checked is RDP time out, loopback processing, and screen saver.

  • How would you go about troubleshooting something like this?

BONUS [fake] Points - After an RDP session locks, I can't paste the password in the login box. DRIVING ME CRAZY. This is true even after a rebuild of my workstation, so I am guessing this is a bug??

windows-group-policy

JiaYou-MSFT answered JiaYou-MSFT edited

Hi,

1. Could you please run winver in CMD on both the local Win10 and the remote Win10, then check the OS version?

2. Do you have an "account was locked out" issue or a "logon screen cannot be locked out" issue?
A user account was locked out
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740

3. When the issue happened, had you installed any update patch recently?
We can enter get-hotfix in PowerShell on the remote PC, then check it.

4. When the issue happens, please write down the detailed issue time. Are there any logs on the remote client at the issue time?

event viewer\windows logs\
security
application
system


Event Viewer – Applications and Services Logs -Microsoft-Windows-RemoteApp and Desktop Connections_Admin
Event Viewer – Applications and Services Logs -Microsoft-Windows-RemoteApp and Desktop Connections_operational
Event Viewer – Applications and Services Logs -Microsoft-Windows-remoteassistance
Event Viewer – Applications and Services Logs -Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Admin
Event Viewer – Applications and Services Logs -Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational
Event Viewer – Applications and Services Logs -Microsoft-Windows-RemoteDesktopServices-remotefx-synth3dvsc
Event Viewer – Applications and Services Logs -Microsoft-Windows-RemoteDesktopServices-remotefx-vm-kernel-mode-transport
Event Viewer – Applications and Services Logs -Microsoft-Windows-RemoteDesktopServices-remotefx-vm-user-mode-transport
Event Viewer – Applications and Services Logs -Microsoft-Windows-RemoteDesktopServices-SessionServices_Operational


Event Viewer – Applications and Services Logs -Microsoft-Windows-TerminalServices-clientactivexcore
-rdpclient/analytic
-rdpclient/operational
Event Viewer – Applications and Services Logs -Microsoft-Windows-TerminalServices-local sessionmanager
Event Viewer – Applications and Services Logs -Microsoft-Windows-TerminalServices-remoteconnectionmanagement

Event Viewer – Applications and Services Logs -Microsoft-Windows-TerminalServices-remoteconnectionmanagement
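
The log collection requested in steps 3 and 4, as an added example that is not part of the original answer: it merges the listed logs into one timeline around the issue time. The script parameters `$IssueTime` and `$WindowMinutes` are hypothetical, and the channel names are the standard Windows ones (the channel the answer calls "remoteconnectionmanagement" is `RemoteConnectionManager`).

```powershell
# Added example (not from the original answer). Run in an elevated PowerShell
# session on the remote (RDP target) machine.
param(
    [datetime]$IssueTime = (Get-Date),  # placeholder: set to when the lock was observed
    [int]$WindowMinutes  = 5            # hypothetical window on each side of the issue time
)

$start = $IssueTime.AddMinutes(-$WindowMinutes)
$end   = $IssueTime.AddMinutes($WindowMinutes)

# Windows logs plus the RDP-related channels from the answer's list
$logs = @(
    'Security', 'Application', 'System',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
    'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational',
    'Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational'
)

$events = foreach ($log in $logs) {
    try {
        Get-WinEvent -FilterHashtable @{
            LogName = $log; StartTime = $start; EndTime = $end
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when a channel is absent or has no events in the window
        Write-Verbose "$log : $($_.Exception.Message)"
    }
}

# One chronological view across all channels, first line of each message only.
# Security 4800/4801 (workstation locked/unlocked) show up here only if the
# "Audit Other Logon/Logoff Events" subcategory is enabled on the machine.
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Step 3: most recently installed updates on this machine
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```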


staypuft-3072 answered JiaYou-MSFT edited

I am happy to provide the information you are requesting, but I am not sure of the need. I am just wondering about all the GPOs that can cause this behavior. Anyway, here is your requested info:

Locked into server remotely at 10:52. System locked at 11:02 (July 20)

1) Winver of server 2019 ver 1809 build 17763.199
Winver of workstation Windows 10 21H1 (OS Build 19043.985)

2) No, the user account is not locked out

3) No recent hotfix or patches (system is fully patched)

4) Event Logs 11:02 July 20, 2021
---security - 6 events happened between 11:01 and 11:02 (in order 4672, 4624, 4627, 4634, 4673 (fail), 4673 (fail)). 4634 is a logoff event [recall, the system LOCKS, it is not logged off]. A review does not show anything I can see that would indicate a LOCK, or why/cause.
---application - no events within 2 minutes
---system - no events within 2 minutes


Event Viewer – Applications and Services Logs -Microsoft-Windows-RemoteApp and Desktop Connections_Admin: ZERO
Event Viewer – Applications and Services Logs -Microsoft-Windows-RemoteApp and Desktop Connections_operational: ZERO
Event Viewer – Applications and Services Logs -Microsoft-Windows-remoteassistance: ZERO
Event Viewer – Applications and Services Logs -Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Admin: ZERO
Event Viewer – Applications and Services Logs -Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational: (LOTS HERE)
Event Viewer – Applications and Services Logs -Microsoft-Windows-RemoteDesktopServices-remotefx-synth3dvsc: ZERO
Event Viewer – Applications and Services Logs -Microsoft-Windows-RemoteDesktopServices-remotefx-vm-kernel-mode-transport: ZERO
Event Viewer – Applications and Services Logs -Microsoft-Windows-RemoteDesktopServices-remotefx-vm-user-mode-transport: ZERO
Event Viewer – Applications and Services Logs -Microsoft-Windows-RemoteDesktopServices-SessionServices_Operational: 7 here, all the same, ERROR = The RDP display control module failed to change the session monitor layout. The operation failed with error code 0xFFFFFFFF.

Event Viewer – Applications and Services Logs -Microsoft-Windows-TerminalServices-clientactivexcore: ZERO
-rdpclient/analytic: ZERO? Unable to find
-rdpclient/operational: ZERO, unable to find
Event Viewer – Applications and Services Logs -Microsoft-Windows-TerminalServices-local sessionmanager: 2 EVENTS (40 and 24) Session 2 has been disconnected, reason code 0
Event Viewer – Applications and Services Logs -Microsoft-Windows-TerminalServices-remoteconnectionmanagement: ZERO
Event Viewer – Applications and Services Logs -Microsoft-Windows-TerminalServices-remoteconnectionmanagement: ZERO




Hi,

1. Where is the terminal server 2019 VM with the issue, in Hyper-V or Azure?
2. "This is true even after a rebuild of my workstation"
Do you mean you did a clean install of the Win10 OS on your workstation?

I guess event ID 4627 may be the reason. We can try to find one normal domain account, then compare the differences in user groups between the normal domain account and the domain account with the issue.

4627(S): Group membership information.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4627

3. Does the current issue happen in any user's RDP session (including the local admin account and the domain admin account)? Does the same issue happen in any user's local console session?

4. We can try to move one test terminal server 2019 VM with the issue to a separate OU. If we remotely access it using the domain admin account and the local admin account respectively, will the same issue happen? This will check whether the domain computer policy or user policy affects our issue.
