Windows Server 2008 R2 user dial-in tab error - windows-server-2008-r2

I have no problem creating a new user in AD on my Windows Server 2008 R2, but when I go to edit the dial-in properties I receive the following error: "Could not load dial-in profile for this user because: Access Denied".
Remote Registry Service is running and both HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg and HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths have read permissions for Local Service account.
Any help would be appreciated.
Thanks,
Sandro

Related

Azure VM: the user account used to connect to remote PC did not work

I have an Azure Virtual Machine connected with Azure Active Directory. A user from this AD is added to this machine as an admin. Other people can successfully RDP to the machine with this user's credential, but I get error saying "The user account used to connect to remote PC did not work. Try again". Well, I am trying the whole day. Does anyone know what can cause this?
The fun fact is, I can RDP to the machine using the local admin, but again it fails with AD user.
I tried connecting with Microsoft Remote Desktop for Mac, mstsc for Windows and with Remote Desktop Connection Manager. The same result everywhere.
I tried different usernames format:
alex.sikilinda#mydomain.com - other people can successfully login using this format
AzureAD\alex.sikilinda#mydomain.com - for windows client getting the same error, for Microsoft Remote Desktop for Mac getting "Your session ended because of an error. If this keeps happening, contact your network administrator for assistance. Error code: 0x807"
AzureAD\AlexSikilinda mstsc error - "Remote machine is AAD joined. If you are signing in to your work account, try using work email instead", Mac - "Your session ended because of an error. If this keeps happening, contact your network administrator for assistance. Error code: 0x807"
Microsoft Remote Desktop for Mac version 10.2.3 (1343)
Windows 10 version 16299 (also tried with 1803 on another machine, the same result).
I also came across the same error for the win10 that is AAD join, and I tried the following way to solve this:
Change VM Remote desktop settings same as the picture
Create a new RDP config file
Open mstsc.exe, click on Show Options and then click Save As(give it a new name such as AzureAD_RDP, save it somewhere easy to find).
Open the saved file using Notepad. Verify that the following two lines are present, if not, add them, and save.
enablecredsspsupport:i:0
authentication level:i:2
RDP to the target VM
Open the RDP config file that you just edited, enter the IP address of the VM, do not enter any username, and then connect.
Here you could use AzureAD\UPN or username to log in.
I haven't tried disabling the NLA (and wouldn't recommend), however in my case was the legacy MFA getting in the way of getting into the VM, even if only enabled for the account, and not forced.
In my case, we're using the Conditional Access with MFA, but we have to exclude the VM from the cloud apps (Azure Windows VM Sign-In), because we're not using Windows Hello (thanks Microsoft for a half baked solution!).
See Login to Windows virtual machine in Azure using Azure Active Directory authentication for more details.

Application Pool Identity Windows Server 2008R2 Acces is Denied to network shared folder on Windows Server 2003

I have application that is hosted on Windows Server 2008 R2. Application is running under IIS Application Pool Identity. When i try to import some xml file through application to network shared folder (which is on windows server 2003) i have a message "Acces is denied to....".
I know i can fix this by having same user on both machines, and running application pool with that user instead of Application Pool Identity, but that's not ok for me :(
I also gave all sorts of permisions to all sorts of users (IIS_USRS IIS AppPool*Application Pool Name*, etc..) but nothing helped.
MY QUESTION :
Is it possible to write in network shared folder (on windows server 2003 without IIS - file server) through application which is running unser IIS Application Pool Identity ?
THANKS IN ADVANCE !!!!
When using the built-in application pool identity, any calls across the network are made using the computer account. You should be able to assign the computer account rights to the network share and NTFS to accomplish this.

IIS Permission Denied 70 error when CGI attempts to Instantiate InternetExplorer.Application

Context: Windows Server 2012 R2 (Azure VM)
IIS: 8.5
The CGI application is a 32bit EXE. It calls the MSScript object to evaluate a JScript script. The JScript attempts to instantiate InternetExplorer.Application. The attempt fails consistently with an permissions error 70.
What is the reason for this and what must I do to get it working? If it really is a permissions error, which permissions need to be adjusted?
MORE DETAIL
This is from the Event Viewer (Local), System tab in Windows Logs:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0002DF01-0000-0000-C000-000000000046}
and APPID
{E4803A36-7232-4AC0-A6AF-29D59EBCC303}
to the user NT AUTHORITY\IUSR SID (S-1-5-17) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
YET MORE
A posting on Answers suggests changing the owner of IE from Trusted Installer to Administrator. Is this the answer for me?
In the past when I have seen this the issue was the Application Pool I was using was not correctly set to enable the 32-bit Application. Once this was modified, going to the advanced settings of the App Pool, it resolved my issue. I am not sure if the application you are running is dependent upon the App Pool but that is where I would start looking.

Administrative rights are required to profile IIS -dot trace

I'm trying to profile a remote Azure web site using dotTrace Perfomance standalone program, but I get "Administrative rights are required to profile IIS" error message under "Application options" when connect to Remote Computer URL, I running dottrace in a Windows 7 computer and using "run as administrator " option.
Any idea what the problem could be?
If you work with Azure Virtual Machine where you launch IIS and your application, you can either install dotTrace and then profile everything locally on the virtual machine, or copy remote agent there and then profile from the local machine remotely.
If you have Azure Website, then it will be impossible to profile it via dotTrace.

Move teamlab from a server to another and got a security error

I have teamlab running very well on a godaddy virtual dedicated server and I am now moving to Azure VM server, I copied all teamlab files to this new server and ran the teamlab service, but when I open the website I get this error:
Security Exception
Description: The application attempted to perform an operation not
allowed by the security policy. To grant this application the
required permission please contact your system administrator or change
the application's trust level in the configuration file.
Exception Details: System.Security.SecurityException: Invalid username
or password.
I compared all IIS config on both servers and they are both the same now, what should I check else to run this?
Note old server IIS7.5 new server IIS8

Resources