Strange behavior with ADDS on Hyper-V

2

I'm currently doing some tests with Active Directory Domain Services using a DC (Windows Server 2016) and two clients (both W10) all running on Hyper-V (internal network).

To what I have understood so far, when selecting "Connect" on a VM in Hyper-V, it uses RDP protocol to connect the user to the VM.

Starting on that, I had to create an OU containing both W10 clients, and creating a GPO allowing everyone to connect to these computers through RDP.

I have allowed "Everyone" under the policy : 

Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User rights assignment/Allow log on through Remote Desktop Services

This is the behavior encountered after applying the policies

  1. An authorized user attempts to log in
  2. An error message appears "The requested session access is denied"
  3. The computer automatically reboots after clicking OK
  4. The exact same user re-tries to log in
  5. He successfully access to his session

This occurs every time the VM is restarted.

My question is : is there something I can do to bypass this error screen before a user logs in ?

Arthur Attout

Posted 2017-12-15T13:05:15.787

Reputation: 73

I'm not real clear on what you are experiencing. When using Hyper-V you connect to a VM and you are presented with a standard windows login screen. Please describe exactly, step by step what you are doing and seeing. 1) when are you trying to login? Do you see the standard windows login screen first? 2) after typing in the username/password on this standard login screen? 3) what computer reboots? The Host? The Guest? If this happens every time the VM is restarted, then how do you ever login, because according to you the computer reboots at step 3 which would put you back at step 1. – Appleoddity – 2017-12-19T04:42:13.073

The exact steps are described in my post. 1) The normal login screen is prompted,the credentials are entered. 2) An error message appears (the requested session is denied). 3) The computer reboots after clicking OK. 4) The user logs in 5) The access is granted – Arthur Attout – 2017-12-19T15:09:31.717

Just to confirm, which version of Windows 10 are these running? Home? Pro? Enterprise? Were they upgraded at any point? – Appleoddity – 2017-12-19T17:19:37.923

Make sure the user you are trying to login with is a member of the "Remote Desktop Users" group on each Win 10 machine. Confirm that there are no errors in the event log during startup that would be impacting communication with the domain controller. – Appleoddity – 2017-12-19T17:22:26.033

Both local policies on client computers allow "Everyone" to open a session using Remote Desktop, so I think this is enough for the first part. For the log error, I ran several trials that unfortunately did not show any error during login startup .. – Arthur Attout – 2017-12-19T20:56:24.200

No. It’s not enough. It is a requirement they be in the Remote Desktop users group. https://support.microsoft.com/en-us/help/954369/error-message-when-you-use-remote-desktop-connection-to-connect-to-a-w

– Appleoddity – 2017-12-19T21:00:13.490

1After adding the desired group in Remote Desktop users group, running GPupdate and rebooting clients, the issue still remains – Arthur Attout – 2017-12-19T21:19:57.977

1) How have you confirmed that the VM is rebooting after the first/failed logon attempt? Is event 6006 logged in the System log, confirming the computer actually shut down? 2) To which VMs are you trying to logon from the Hyper-V host? The DC VM? The Windows 10 client VMs? Do the user(s) you're using to logon the DC have Administrative rights (because by default only Admins can logon a DC) 3) Does removing the changes you made to the Local Security Policy resolve the problem? – I say Reinstate Monica – 2017-12-21T16:59:22.820

14) What version of Windows is the Hyper-V Host running? 5) What happens if you disable enhanced session mode on the host and VM? (Please be sure to [edit] your question with the responses to commenter's questions, then ping them to let them know you've updated it.) – I say Reinstate Monica – 2017-12-21T17:03:57.107

The issue disappeared after I unchecked the enhanced session mode. If you post it as an answer, I will accept it – Arthur Attout – 2017-12-21T18:58:00.360

Answers

1

Disable Enhanced Session Mode on the Hyper-V Host

Enhanced Session Mode uses Remote Desktop Services to establish a connection between the Hyper-V host and guest VM. As a result, users connecting in this manner need the Allow log on through Remote Desktop Services user right on the guest VM. If enabled, this mode allows resources in the VM to be redirected to the Host such as remote audio, printers, etc. However this is an optional feature that can be disabled.

You can disable Enhanced Session Mode on the Hyper-V host as follows:

  1. In Hyper-V Manager, select the host's computer name.
  2. In Actions, select Hyper-V settings.

  3. Under Server, select Enhanced session mode policy. enter image description here

  4. Clear the Allow enhanced session mode check box.

  5. Under User, select Enhanced session mode.
    enter image description here
  6. Clear the Allow enhanced session mode check box.

Disabling Enhanced Session Mode causes the Hyper-V host to revert to its default connection behavior which does not require any special configuration on the guest machine.

Additional Information

Microsoft added Enhanced Session Mode to Hyper-V starting with Windows Server 2012 R2. If enabled, connections from the Hyper-V host to supported Windows-based VMs is done via Remote Desktop Services. As a result, users connecting from the host must be granted the Allow log on through Remote Desktop Services user right. Administrators are granted this right by default. Non-admins are commonly granted this right by being made a member of the VM's Remote Desktop Users group.

I say Reinstate Monica

Posted 2017-12-15T13:05:15.787

Reputation: 21 477

0

Windows has some strange requirements that non-admin users be a member of the local Remote Desktop Users group, despite some of the other policies that you may have adjusted.

Try adding your users to that group and try again.

Appleoddity

Posted 2017-12-15T13:05:15.787

Reputation: 9 360

Permission to logon remotely is granted via the Allow log on through Remote Desktop Services User Right. By default, both the local Administrators and Remote Desktop Users groups are granted this right. So technically even an Administrator could not be able to logon remotely if the right were modified, or its opposite Deny log on through Remote Desktop Services were configured to block Administrators.

– I say Reinstate Monica – 2017-12-21T16:49:50.103

Asked: 2017-12-15T13:05:15.787

Viewed: 1 241 times

Active: 2017-12-22T18:37:13.677