During deployment of a new application, we have been running into strange issues trying to run processes with certain domain accounts. Looking through the machine settings the only difference we could see between the affected accounts and accounts that work is that the affected accounts are added directly to the local administrators group and the accounts that work are added through AD security groups.
Seeing this, I decided to mess around with the account membership of the local administrators group. I found that if I place the account into an AD group that is a member of the local administrators group, the account can no longer connect to the server through RDP (after a reboot of the server); however, I can connect to the server locally and do indeed have full administrator privileges on the server. If I move the user back to being defined as a direct member of the local administrators group, I can RDP again. All accounts are domain accounts; some accounts work and some accounts do not. All remote desktop settings are default, including Local Security Policies.
Works:
- Local\Administrators
  - Domain\AffectedAccount
  - Domain\UnaffectedAccount
  - Domain\Group
    - Domain\UnaffectedAccount

Does Not Work:
- Local\Administrators
  - Domain\Group
    - Domain\AffectedAccount
  - Domain\Group
I believe this issue affects more than just RDP, however this is a pretty obvious condition produced by the underlying issue.
My initial thoughts point to how the machines were provisioned. We clone out machines through VMware 5.1 and do not perform sysprep on the machines after cloning. After researching this further, it appears that sysprep is indeed not required but still recommended.
Searching around for a couple days has not yielded any useful results. There is also nothing useful in the event logs of the server.
Has anyone encountered this issue before?
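An added diagnostic script, not part of the original post and not from the poster's environment, that gathers the three things worth comparing between a working and a failing account on a server like the one described: the direct members of the local Administrators group, the domain accounts that are members only through nested AD groups, and what the logon token of the current session actually contains. It assumes it is run on the affected server, in a session of the account under test, that the RSAT ActiveDirectory module is installed, and that the placeholder names (`DOMAIN`, `Administrators`) match the real environment.

```powershell
# Added example; not from the original post. Assumptions: run on the affected server in a
# session of the account being tested, RSAT ActiveDirectory module available, and the
# group/domain names below are placeholders to be replaced with real ones.
param(
    [string]$LocalGroup = 'Administrators'
)

# 1. Direct members of the local group via the WinNT ADSI provider. This works on older
#    Windows versions that lack Get-LocalGroupMember.
$group   = [ADSI]"WinNT://./$LocalGroup,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    [PSCustomObject]@{
        Name  = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
        Class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
        Path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}
Write-Host "Direct members of local $LocalGroup on $env:COMPUTERNAME:"
$members | Format-Table Name, Class, Path -AutoSize

# 2. Expand the domain groups among those members recursively, so nested accounts
#    (the "Does Not Work" case above) are listed with the group they come through.
Import-Module ActiveDirectory -ErrorAction Stop
$domainGroups = $members | Where-Object {
    $_.Class -eq 'Group' -and $_.Path -notmatch "WinNT://$env:COMPUTERNAME/"
}
$expanded = foreach ($g in $domainGroups) {
    Get-ADGroupMember -Identity $g.Name -Recursive |
        Select-Object @{ n = 'ViaGroup'; e = { $g.Name } }, SamAccountName, objectClass, SID
}
Write-Host "Domain accounts that are members only through nested groups:"
$expanded | Format-Table ViaGroup, SamAccountName, objectClass, SID -AutoSize

# 3. Group SIDs carried by the *current logon token*. Membership in a nested group only
#    counts for a logon whose token includes that group's SID; a missing SID here, for a
#    group that step 2 says the account belongs to, is the thing to compare between a
#    working and a failing account. Note: in a non-elevated session under UAC the
#    Administrators role reports False even for a real administrator.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Token for $($id.Name) contains Administrators: $isAdmin"
$tokenGroups = $id.Groups | ForEach-Object {
    try   { $_.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $_.Value }   # unresolvable SID: print it raw
} | Sort-Object
$tokenGroups

# 4. The user rights that govern RDP logon, exported from the local security policy
#    (needs an elevated session). The allow and deny entries are listed by SID.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg | Out-Null
Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight|^SeDenyRemoteInteractiveLogonRight'
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Run it once in a session of an account that can RDP and once (via console logon) in a session of an account that cannot, and diff the two outputs; `whoami /groups` gives the same token view as step 3 without PowerShell. If the nested group's SID is present in step 2 but absent from the failing account's token in step 3, the problem is in how that logon's token is built rather than in the Administrators group itself.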