
The problem

Opening RDP sessions to servers from accounts with logon-to restrictions no longer works. When they try, they get a message from the RDP client:

"The system administrator has limited the computers you can log on with. Try logging on at a different computer. If the problem continues, contact your system administrator or technical support."

Background

The servers are accessed by an external consultant who VPNs in and opens an RDP session to the servers. The consultant's account is a member of the administrators group on the boxes in question.

In the domain account used by the consultant I added a restriction under User account > Account tab > Log On To button. Here I added the server node names.

This has been working fine for a couple of years. The consultant only connects every few months so this could have been broken for some time.

What I've tried

  • Removing and re-adding the servers to the list.
  • Adding the accounts to Local Security Policy > Local Policy > Assigned User Rights > Permit login via RDP (I'm translating those texts as the server is not in English).

None of those changes had any effect.

Workaround

To allow them to log in via RDP I've had to remove the logon-to restriction on their account object. If I change the account to permit logging onto any machine, the problem disappears.

Other info

  • The servers are all running Windows 2019.
  • All are fully patched up until a few weeks ago.
  • The user account can log in via the console with the restriction in place.
  • I have to add the user account to the local admin group of any machines they are accessing, so they can't access any others, but I'd prefer to have the extra restriction active.

Is anyone aware of a breaking change in one of the recent CU packs which affects this functionality?

  • "The system administrator has limited the computers you can log on with": that is an attribute of the account. "Here I added the server nodenames." How many, and what is the total length of the attribute? The attribute has a relatively short length. None of the other things you are doing will affect this.
    – Greg Askew
    Nov 10 at 12:28
  • There were only two server names in the list, so pretty short. I tried removing both and adding just one back in, but the result was the same
    – Ian Murphy
    Nov 13 at 11:11
  • In that case you may want to report it as a defect. Not sure how much traction you would get as nearly everyone uses groups to control access.
    – Greg Askew
    Nov 13 at 12:26
  • You may want to try that without NLA. When this logon failure occurs, an event id 533 event should be logged on the target. NLA may affect what that target is. If one of the two hosts is logging an event id 533, it's a defect. If it is another host, that would explain the failure.
    – Greg Askew
    Nov 13 at 12:57

1 Answer


It’s a weird thing, but to connect via Remote Desktop you also need the Log On To field to contain the name of the client you are connecting from (as well as the server name).

Find out the consultant %COMPUTERNAME% and add it to the Log On To field.

https://woshub.com/restrict-workstation-logon-ad-users/
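One way to apply the answer (add the client's computer name next to the server names) and to follow up Greg Askew's event hint, as an added PowerShell example that is not part of the original answer or comments; the account name, server names and client name are assumed placeholders for this site:

```powershell
# Added example (not from the question or answer): maintains the account's
# Log On To list (the userWorkstations attribute, exposed as LogonWorkstations)
# so it holds the target servers AND the client the consultant connects from,
# then checks which host actually recorded the rejected logon.
# Assumed values: $Sam, $Servers and $ClientPc are placeholders for this site.
Import-Module ActiveDirectory

$Sam      = 'consultant.placeholder'     # assumed sAMAccountName
$Servers  = @('SRV01', 'SRV02')          # assumed server NetBIOS names
$ClientPc = 'CONSULTANT-LAPTOP'          # assumed %COMPUTERNAME% of the RDP client

function Get-LogonToList([string]$Identity) {
    $u = Get-ADUser -Identity $Identity -Properties LogonWorkstations
    if ([string]::IsNullOrWhiteSpace($u.LogonWorkstations)) { return @() }
    return $u.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() }
}

function Add-LogonToEntries([string]$Identity, [string[]]$Names) {
    # The attribute is a single comma-separated string with a limited length,
    # so keep it minimal: merge, de-duplicate (case-insensitive) and write back.
    $current = Get-LogonToList $Identity
    $merged  = @($current + $Names | Sort-Object -Unique)
    $value   = $merged -join ','
    Write-Host ("Setting LogonWorkstations to '{0}' ({1} chars)" -f $value, $value.Length)
    Set-ADUser -Identity $Identity -LogonWorkstations $value
}

function Find-WorkstationRestrictionFailures([string]$Computer, [string]$User, [int]$Hours = 24) {
    # 4625 with SubStatus 0xC0000070 is the "user not allowed to log on at this
    # computer" rejection on current Windows (the 533 event of older releases).
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            $row = @{}; foreach ($x in $d) { $row[$x.Name] = $x.'#text' }
            if ($row.SubStatus -eq '0xc0000070' -and $row.TargetUserName -eq $User) {
                [pscustomobject]@{ Host = $Computer; Time = $_.TimeCreated; Client = $row.WorkstationName; LogonType = $row.LogonType }
            }
        }
}

Add-LogonToEntries -Identity $Sam -Names ($Servers + $ClientPc)
Get-LogonToList $Sam

# Which host records the rejection depends on NLA (see the comments), which is
# why the client name is listed as well: check the servers and the client.
foreach ($h in $Servers + $ClientPc) { Find-WorkstationRestrictionFailures -Computer $h -User $Sam }
```

If no host in the list records a 0xC0000070 rejection for the account, the restriction is being evaluated somewhere else, which is the case Greg Askew's comment describes.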

  • This is weird. I configured this several years ago and tested it at the time as I didn't want them to be able to log into any other servers. It's been working ever since. The user involved hasn't connected very often, but they have connected. Last week they tried to connect for the first time in a few months and they couldn't. Nothing has changed either on the server or on the user's account in a long time... except patching Windows. I've never known their workstation name.
    – Ian Murphy
    Nov 13 at 11:15
  • If NLA is enabled, it certainly is worth checking if the workstation is where the event id 533 event (User Not Allowed To Logon At This Computer) is logged. Regardless, if it isn't being logged on the expected target, the logon to workstations attribute is effectively useless/doesn't do anything. Probably better to create a new domain local group and add that to the target hosts' Remote Desktop Users group of the two hosts.
    – Greg Askew
    Nov 13 at 14:13
  • Here's another link discussing the logon to interactions with NLA. serverfault.com/a/953040/20701
    – Greg Askew
    Nov 13 at 14:41
