question

TarasR-4995 avatar image
0 Votes"
TarasR-4995 asked TarasR-4995 answered

Remote Desktop Services Properties - Access is denied

Hello, Could you please share your thoughts what can be the nature of that issue?
Descriptions:
There is AD OU1 and the container on it: OU1/Test1.
There are about 30 users accounts in OU1/Test1 and they have the same GPO and permissions granted for AD "Group1" within that container:
- delegated: "Group1" full access to all accounts.
- delegated: "Read and write Account Restrictions".
- all accounts have the attribute "admincount=0".
- full access to the attributes :
- msTSProfilePath
- msTSHomeDirectory
- msTSHomeDrive
- msTSAllowLogon

Issue:
1. using an account belonging to "Group1" I have full access to half of 30 accounts INCLUDE the access to the accounts attribute "Remote Desktop Services Properties. - there is NO issue.
2. using an account belonging to "Group1" I have full access to half of 30 accounts EXCLUDE the access to the accounts attribute "Remote Desktop Services Properties - Access is denied".

What's wrong can be here?
Thank you

remote-desktop-services
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

HI
Is there any update about your issue?

0 Votes 0 ·
TarasR-4995 avatar image
0 Votes"
TarasR-4995 answered

Hello, JiaYou-MSFT
Sorry for my belated answer and the information you posted here.
I'm not able to take a screenshot for my case - but Group1 has full access to the OU1/Test1 - Properties-security - full access to the object and all descendant object.
With an account belong to Group1 I have access to the "Remote Desktop Services Properties" for some of the accounts in OU1/Test1 but with the same account belong to Group1 I don't have access to the "Remote Desktop Services Properties" for some accounts in OU1/Test1 (and in that case, I can modify other attributes of the accounts which I don't have access to "Remote Desktop Services Properties").
All accounts have the same winning GPO and permission for Group1.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JiaYou-MSFT avatar image
0 Votes"
JiaYou-MSFT answered JiaYou-MSFT edited

HI


"Group1" within that container:
- delegated: "Group1" full access to all accounts.
- delegated: "Read and write Account Restrictions".
1.Could you please share us the pictures about these steps?


  • full access to the attributes :

  • msTSProfilePath

  • msTSHomeDirectory

  • msTSHomeDrive

  • msTSAllowLogon

2.Do you mean I only set "read msTSAllowLogon","read msTSHomeDrive","read msTSHomeDirectory","msTSProfilePath" for 30 users like below picture?
117441-20.png


20.png (80.3 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.