Event ID - 1016

Event Id1016
SourceMicrosoft-Windows-TerminalServices-SessionBroker
DescriptionThe TS Session Broker service denied the remote procedure call (RPC) from an unauthorized computer %1.
Event InformationAccording to Microsoft :
Cause :
This event is logged when the TS Session Broker service denied the remote procedure call (RPC) from an unauthorized computer.
Resolution :
Add the terminal server to the Session Directory Computers group
To resolve this issue, add the computer account for the terminal server to the Session Directory Computers local group on the TS Session Broker server.
Important : If the computer that was denied access is not part of a terminal server farm that is serviced by the TS Session Broker server where the condition was logged, no further action is required.
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
To add the computer account for the terminal server to the Session Directory Computers local group:
  1. On the TS Session Broker server, open the Local Users and Groups snap-in. To open Local Users and Groups, click Start, click Run, type lusrmgr.msc, and then click OK.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the left pane, click Groups.
  4. In the right pane, right-click the Session Directory Computers group, and then click Properties.
  5. Click Add.
  6. In the Select Users, Computers, or Groups dialog box, click Object Types.
  7. Select the Computers check box, and then click OK.
  8. Locate and then add the computer account for the terminal server that will use the TS Session Broker server.
  9. Click OK to close the Select Users, Computers, or Groups dialog box, and then click OK to close the Session Directory Computers Properties dialog box.
Verify :
To verify that the Session Directory Computers local group on the TS Session Broker server is configured correctly, ensure both of the following:
  • The Session Directory Computers local group exists on the TS Session Broker server.
  • The computer accounts of the terminal servers that use the TS Session Broker server are members of the group.
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
To check the configuration of the Session Directory Computers local group:
  1. On the TS Session Broker server, open the Local Users and Groups snap-in. To open Local Users and Groups, click Start, click Run, type lusrmgr.msc, and then click OK.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the left pane, click Groups. Ensure that the Session Directory Computers group is listed.
  4. In the right pane, right-click the Session Directory Computers group, and then click Properties.
  5. Under Members, ensure that the computer accounts for all the terminal servers that use the TS Session Broker server are listed.
Reference LinksEvent ID 1016 from Source Microsoft-Windows-TerminalServices-SessionBroker

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.
 Refresh