I'm having an issue that I can't seem to find any reference to anywhere.
Our client has two servers. One is Server 2003 and is running AD, the other is 2008R2 and is running terminal services.
When I create a new user in AD, if I set the option in AD to allow remote control, do not require permission and interact and I set these options before the first time the user logs into the terminal then I can remote control that user's session without a problem.
However, if I leave the defaults in AD to allow remote control but require the user's permission and the user logs into the terminal the first time with permissions set like that then forever more I can never remote into that user's sessions. Changing the options in AD later to not require user's permission no longer helps. When I try to remote into that user's session the user does not get a pop-up requesting permission, rather I just get an Access Denied message. If I try to shadow via an elevated command prompt I get error 317. I haven't been able to find any differences in GP or the registry between users that I can shadow and those I can't. Some setting specific to each user is getting set on first login that can't seem to be undone by changing the settings in AD. Where might I find this?
Thanks!