I'm facing a challenge with a few small sites where we demoted a machine that used to be both a Domain Controller and a File Server. Now, these servers are only functioning as file servers. The problem arises because only domain admins can log in to these servers remotely. Our second line support team should have access, but they keep getting an error indicating they lack the rights to sign in through remote desktop services. They are part of the local administrators group and the Remote Desktop Users group, yet the access issue persists. Since this problem occurs for all four demoted servers, I believe it's related to their prior status as domain controllers. I've tried explicitly making the support staff admins, but the error remains. I've done some research, and most fixes I found involved DNS misconfigurations post-demotion, but this isn't the case here. Domain admins can log in without any issues, and there are no general connectivity problems for users accessing files. Any suggestions on how to resolve this?
3 Answers
Have you checked the Local Security User Rights Assignment? It's likely that the configuration was set by the 'Default Domain Controllers' GPO. Even after moving the servers from that OU, you’d need to explicitly set 'Allow Log on Locally' or 'Allow Log on through Remote Desktop' for the local security policy. When you demote a DC, it gets moved to the 'Computers' OU, which defaults to allowing only Domain Admins as local admins with remote access. So, you might want to look into that.
Absolutely agree here! With file servers, I'd recommend starting fresh with a new setup and migrating VHDs over. It’ll save you time in the long run, and you can easily re-establish your shares.
Do the users in question happen to belong to the Schema Admin or Enterprise Admin groups? That could also be influencing their access rights.
I've encountered similar issues with demoted domain controllers where user rights from the previous DC status linger. Make sure to check the local security policies, specifically 'Allow log on through Remote Desktop Services' and 'Deny log on through Remote Desktop Services'. Former DCs often have outdated policies affecting local group memberships. The consistent issue across your four servers suggests a lingering policy rather than a permissions issue, so it’s worth investigating.

This put me on the right path! I noticed there was an explicit deny for the second line support group in the Local Security settings. It seems the policy might have applied on individual DCs rather than the OU level. I'll investigate further today. Thanks for the hint!
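The check the accepted line of reasoning above describes (inspect the local "Allow" and "Deny log on through Remote Desktop Services" user-rights assignments on the demoted server, looking for an explicit deny of the support group) can be scripted. The following PowerShell is an added example, not code from anyone in this thread; it exports the local policy with `secedit`, resolves the SIDs it stores, and flags an explicit deny. `CONTOSO\SecondLineSupport` is a placeholder group name to replace with your own.

```powershell
# Added example (not from the thread): audit the effective user-rights assignment on a
# demoted DC to find lingering "Deny log on through Remote Desktop Services" entries.
# Run in an elevated PowerShell session on the file server itself.
# Assumption: the group below is a placeholder for the real second-line support group.
$GroupToCheck = 'CONTOSO\SecondLineSupport'

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
# secedit writes the local security database; USER_RIGHTS limits the export to [Privilege Rights].
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$rightsOfInterest = @{
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
}

function Resolve-PrincipalName {
    param([string]$Entry)
    # secedit stores principals as *S-1-... SIDs; a SID left behind by the old DC role may no
    # longer resolve, in which case the raw SID is returned so it still shows up in the report.
    if ($Entry -like '*S-1-*') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($Entry.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $Entry }
    }
    return $Entry
}

# Parse "SeRight = principal,principal,..." lines for the rights we care about.
$assignments = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rightsOfInterest.ContainsKey($Matches[1])) {
        $assignments[$Matches[1]] = ($Matches[2] -split ',') |
            ForEach-Object { Resolve-PrincipalName $_.Trim() }
    }
}

foreach ($right in $rightsOfInterest.Keys) {
    "`n$($rightsOfInterest[$right]) ($right):"
    if ($assignments.ContainsKey($right)) {
        $assignments[$right] | ForEach-Object { "  $_" }
    } else {
        "  <not assigned>"
    }
}

# A Deny right always wins over an Allow right, so an explicit deny for the support group is
# the finding that matters: membership in Administrators or Remote Desktop Users cannot override it.
$denied = $assignments['SeDenyRemoteInteractiveLogonRight'] | Where-Object { $_ -eq $GroupToCheck }
if ($denied) {
    Write-Warning "$GroupToCheck is explicitly denied Remote Desktop logon on $env:COMPUTERNAME"
}

# To see whether a GPO is still delivering the setting (rather than a stale local value),
# compare against the resultant set of policy:  gpresult /scope computer /h "$env:TEMP\rsop.html"
Remove-Item $cfg -ErrorAction SilentlyContinue
```

If the deny entry is present and `gpresult` shows no GPO applying it, the value is stale local policy left over from the server's DC days and can be cleared in Local Security Policy (secpol.msc) under User Rights Assignment; if a GPO is still delivering it, fix the link or security filtering on the GPO instead, or the setting will return at the next refresh.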