Remote Desktop Services Properties - Access is denied

TarasR 1 Reputation point
2021-07-22T22:18:39.773+00:00

Hello, Could you please share your thoughts what can be the nature of that issue?
Descriptions:
There is AD OU1 and the container on it: OU1/Test1.
There are about 30 users accounts in OU1/Test1 and they have the same GPO and permissions granted for AD "Group1" within that container:

  • delegated: "Group1" full access to all accounts.
  • delegated: "Read and write Account Restrictions".
  • all accounts have the attribute "admincount=0".
  • full access to the attributes :
  • msTSProfilePath
  • msTSHomeDirectory
  • msTSHomeDrive
  • msTSAllowLogon

Issue:

  1. using an account belonging to "Group1" I have full access to half of 30 accounts INCLUDE the access to the accounts attribute "Remote Desktop Services Properties. - there is NO issue.
  2. using an account belonging to "Group1" I have full access to half of 30 accounts EXCLUDE the access to the accounts attribute "Remote Desktop Services Properties - Access is denied".

What's wrong can be here?
Thank you

Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,549 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Andy YOU 3,076 Reputation points
    2021-07-23T09:35:48.077+00:00

    HI


    "Group1" within that container:

    • delegated: "Group1" full access to all accounts.
    • delegated: "Read and write Account Restrictions".
      1.Could you please share us the pictures about these steps?

    • full access to the attributes :
    • msTSProfilePath
    • msTSHomeDirectory
    • msTSHomeDrive
    • msTSAllowLogon

    2.Do you mean I only set "read msTSAllowLogon","read msTSHomeDrive","read msTSHomeDirectory","msTSProfilePath" for 30 users like below picture?
    117441-20.png

    0 comments No comments

  2. TarasR 1 Reputation point
    2021-07-27T15:39:24.087+00:00

    Hello, JiaYou-MSFT
    Sorry for my belated answer and the information you posted here.
    I'm not able to take a screenshot for my case - but Group1 has full access to the OU1/Test1 - Properties-security - full access to the object and all descendant object.
    With an account belong to Group1 I have access to the "Remote Desktop Services Properties" for some of the accounts in OU1/Test1 but with the same account belong to Group1 I don't have access to the "Remote Desktop Services Properties" for some accounts in OU1/Test1 (and in that case, I can modify other attributes of the accounts which I don't have access to "Remote Desktop Services Properties").
    All accounts have the same winning GPO and permission for Group1.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.