
Problem with policy issue on Server 2016 Essentials

Jeff Perkins 0 Reputation points
2026-02-17T20:32:28.99+00:00

Ok, I have two separate domains that were set up the same way; they previously had Server SBS installed, and at some point migrated to Server 2016 Essentials. Fast forward a couple of years and I took over the networks, and when trying to enable remote desktop on various clients on either network I ran into an issue. The option in settings is greyed out and cannot be changed.

After working for months with various MS engineers through an old Action Pack subscription and not finding a better solution, I discovered that if I took a client system completely off of the domain, and then turned on or off the remote desktop connection and then rejoined the domain, the client system would work as expected. This wasn't a great solution, but under Windows 10 it was at least a workaround. Eventually the MS engineers got too busy to respond to my requests and just ignored the case.

Fast forward to the days of Windows 11, and now the old solution doesn't work. I'm certain this is some policy that is a leftover from the SBS days, but I cannot find it to solve the problem. I desperately need to be able to enable RDP on my client systems.

I'm open to any and all suggestions.
Windows for business | Windows Server | Networking | Other

3 answers

  1. VPHAN 24,285 Reputation points Independent Advisor
    2026-02-22T07:04:36.98+00:00

    Hello Jeff Perkins,

    In reevaluating your case, the reason your previous workaround of disjoining and rejoining the domain failed on Windows 11 is almost certainly related to how modern Windows builds evaluate legacy WMI filters. Old SBS domains heavily utilized WMI filtering to target specific OS versions like Windows 7 or Windows 8. Windows 11 evaluates these legacy OS version queries differently than Windows 10 did, frequently causing these hidden, restrictive legacy policies to apply unexpectedly and lock the local UI.

    You should open the Group Policy Management Console and create a new GPO specifically for your modern endpoints. Navigate to Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, and then Connections. Explicitly set the policy "Allow users to connect remotely by using Remote Desktop Services" to Enabled. To guarantee this overrides the old SBS settings, link this new policy directly to the Organizational Unit containing your Windows 11 machines and set the link state to Enforced. This forces the policy to win any conflict resolutions against the legacy SBS templates.

    To handle any lingering registry tattooing from the old environment, you must also ensure the local system is clearing out orphaned policies. If the UI remains greyed out after the enforced GPO applies, access the registry on an affected client and navigate to HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. If you see legacy entries there, delete the Terminal Services key entirely. Furthermore, verify that HKLM\System\CurrentControlSet\Control\Terminal Server has the fDenyTSConnections DWORD set to 0. Running a standard gpupdate /force after clearing those keys will pull down your newly enforced policy, cleanly enabling RDP without requiring you to remove machines from the domain.

    Hope this answer brought you some useful information. If it has, please consider accepting the answer so that other people sharing the same issue would benefit too. Thank you :)

    VP


  2. VPHAN 24,285 Reputation points Independent Advisor
    2026-02-17T21:07:40.5266667+00:00

    Hello Jeff Perkins,

    The root cause is a legacy Group Policy Object (GPO) leftover from the Small Business Server (SBS) environment. The "greyed out" behavior in Windows settings is the definitive indicator that a "Winning GPO" is overriding local administrator control. This is a configuration drift issue common in SBS-to-Standard migrations, specifically regarding the "Windows SBS Client" policy templates that persist aggressively.

    To resolve this permanently, you must isolate the specific policy rather than applying broad strokes. Execute gpresult /h C:\Support\RDP_Report.html from an elevated command prompt on an affected Windows 11 client to generate a precise policy resultant set. Open the report and locate the winning GPO under Computer Details > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections. The specific setting locking your UI is "Allow users to connect remotely by using Remote Desktop Services." You must edit the identified GPO in the Group Policy Management Console (GPMC) and change this setting to "Not Configured" to restore local control, or "Enabled" to force RDP on while keeping the UI greyed out.

    Furthermore, Windows 11 strictly enforces Network Level Authentication (NLA) and Firewall profiles. In the same GPO path, verify that "Require user authentication for remote connections by using Network Level Authentication" is not conflicting with your client capabilities. You must also validate the "Windows Defender Firewall: Allow Inbound Remote Desktop exceptions" setting under Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall > Domain Profile. If this is not explicitly enabled with the correct scope (e.g., localsubnet), the RDP listener will be active but unreachable. Finally, if gpupdate /force does not resolve the issue, inspect HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services for a "tattooed" registry value named fDenyTSConnections; if it exists with a value of 1 without an active GPO enforcing it, delete the key manually.

    Hope you found something useful in the answer. If it helped you get more insight into the issue, please consider accepting it. Thank you and have a nice day!

    VP
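
The checks described in the two answers above, collected into one diagnostic script. This is an added example, not code from the answers or from Microsoft. It only reads the registry and firewall state and writes the gpresult report to the path the answer uses. It assumes an elevated PowerShell prompt and an English-language Windows install (the firewall display group name is localized).

```powershell
# Added diagnostic example: shows which layer currently decides RDP on this client.
# Registry paths and the value name are the ones quoted in the answers above.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$systemKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$valueName  = 'fDenyTSConnections'
$reportPath = 'C:\Support\RDP_Report.html'   # report path used in the answer

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$policyDeny = Get-RegValue -Path $policyKey -Name $valueName
$localDeny  = Get-RegValue -Path $systemKey -Name $valueName

# A value under the Policies key takes precedence and locks the Settings toggle.
if ($null -ne $policyDeny) {
    $source  = 'Policy key (Settings toggle locked)'
    $allowed = ($policyDeny -eq 0)
} else {
    $source  = 'Local setting (no policy value present)'
    $allowed = ($localDeny -eq 0)
}

[pscustomobject]@{
    PolicyValue = $policyDeny
    LocalValue  = $localDeny
    DecidedBy   = $source
    RdpAllowed  = $allowed
} | Format-List | Out-Host

# List every value name under the policy key so leftovers are visible before any cleanup.
if (Test-Path -Path $policyKey) {
    Get-Item -Path $policyKey | Select-Object -ExpandProperty Property | Out-Host
}

# Inbound RDP firewall rules; 'Remote Desktop' is the English display group name (assumption).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Profile, Direction | Format-Table -AutoSize | Out-Host

# Resultant-set report from the answer; /f overwrites an existing file.
New-Item -ItemType Directory -Path (Split-Path $reportPath) -Force | Out-Null
gpresult /h $reportPath /f
```

If `PolicyValue` is populated but the gpresult report shows no GPO setting "Allow users to connect remotely by using Remote Desktop Services", the value is the tattooed leftover both answers describe.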


  3. Q&A Assist
    2026-02-17T20:32:44.4766667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    It sounds like you're dealing with a policy issue that may be affecting the ability to enable Remote Desktop on your client systems. Here are some steps you can take to troubleshoot and potentially resolve the issue:

    1. Check Group Policy Settings: Since you mentioned that this may be a leftover policy from the SBS days, it's important to check the Group Policy settings that might be applied to the client systems. You can do this by:
      • Opening the Group Policy Management Console (GPMC) on the domain controller.
      • Navigating to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
      • Ensure that the group you want to allow Remote Desktop access is included in the Allow logon through Remote Desktop Services policy.
    2. Local Security Policy: On the client machines, you can also check the Local Security Policy by running secpol.msc and navigating to the same path as above. Ensure that the user or group is included in the relevant policies.
    3. Remote Desktop Users Group: Make sure that the user accounts you are trying to grant access to are members of the Remote Desktop Users group. You can check this by opening lusrmgr.msc on the client machine.
    4. Registry Check: If the above steps do not resolve the issue, you may want to check the registry settings related to Remote Desktop. Look for the following registry key:
      • HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server and ensure that the fDenyTSConnections value is set to 0.
    5. Network Level Authentication (NLA): Ensure that NLA is configured correctly. If necessary, you can temporarily disable NLA to see if that resolves the issue. This can be done through the registry or Group Policy.
    6. Reapply Group Policies: After making changes, ensure you run gpupdate /force on the client machines to apply the new policies.

    If these steps do not resolve the issue, you may want to consider reviewing any additional security restrictions that may have been implemented during the migration from SBS to Server 2016 Essentials.

