Tburne
asked on
When some users access a terminal server using remote desktop the desktop does not load.
I made the changes to the following registry keys of my terminal server:
HKEY_LOCAL_MACHINE\SOFTWARE\ACCPAC International, Inc.
HKEY_CLASSES_ROOT
Once I had given a user admin rights to the HKEY_CLASSES_ROOT it removed all the administrators... luckily I was able to manually change the permissions back to how they were before I made changes. However the user in question cannot access the terminal server via remote desktop, the user logs in but the desktop doesn't load - he just gets a blue screen. When I log into the same server using remote desktop it works fine. I have successfully accessed other terminal servers with the user's account, the problem is isolated to the server I made changes to.
Will re-installing terminal services be the best way to resolve this?
This user is the only non-admin user who has this problem?
How to give NON administrators Terminal Service (Remote Administration)
This must be done on a server-to-server level. If you require a lot of users, create a GROUP called TSRemoteUsers in Active Directory and add your users into the group, then carry out the steps below. I'll assume we are only dealing with a couple of users.
I'll also assume you have Terminal Services (Administration Mode) installed and running on the server; if not, open Control Panel > Add/Remove Programs > Windows Components > Terminal Services. When prompted, ENSURE "Remote Administration" is selected.
1. Using an admin account open a remote admin session to the server in question.
2. Click Start > Programs > Administrative Tools > Terminal Services Configuration
3. Click Connections
4. In the right hand pane RIGHT CLICK the RDP-TCP connector and select properties
5. On the permissions tab click "ADD"
6. Add your user/group in here and select the appropriate level of access.
If it ain't working, ensure you're not in application mode (unless you have to be!!)
Change Between Remote Administration and Application Server Mode
http://support.microsoft.com/default.aspx?scid=kb;EN-US;238162
ASKER
That's correct. I created another user to test and the new user who's a "non-admin" has the same problem.
I'm guessing that your "fix" to HKEY_CLASSES_ROOT propagated down and removed access to some keys for non-admin users. Did you do a reg backup before the initial change? How similar are the other servers to the one with the problem?
ASKER
Hi PeterLong,
I've followed your steps, tried logging in as the user afterwards and still just get the blue screen.
I'm running terminal services in Application Server Mode.
I've also tried logging in with another user, same issue!
ASKER
Hi Quetzal,
I agree with you.. that was my initial thinking, problem is I don't have a backup.. stupid mistake I know!! I have another server which is similar but by no means identical.. What if I try to re-install TS on the server?
ASKER
Are there any other suggestions??
If you add the user, temporarily of course, to the local administrators, does it work or do you still have the problem?
WRT reinstalling TS....with so many things dependent upon the ROOT hive, I'm thinking that not getting on TS is just the tip of the iceberg of things you will find wrong. If no backup, I think that your ultimate shortest path will end up being a rebuild (sorry).
ASKER
I tried by adding the user to the domain admin but that didn't work! So re-installing TS will not work?
I really need to avoid rebuilding this machine, I have not found any other problems with the server or its applications.
Are you 100% sure this is user related, and not client machine related?
Does anything load on the screen such as the menu bar at the bottom, or is the whole screen blank?
Do you have any remote control software installed on the machine?
Do you have any IE Policies setup for the users that are logging on?
ASKER
I'm 99% sure this is user related, the user is able to log onto our other TS servers.
Nothing loads on the screen, it's blank!
Do you mean Remote control software on the users machine?
No policies that I'm aware of...
so, the administrator acct works, but no user acct works even with part of domain admins...right? Take your test user acct and make it a member of all the groups that the admin acct is in. Does that user acct work then?
I hear ya about that rebuild. Let's see what we can do.
ASKER
I added the user to the only group that I think is missing... 'domain admin' but still no luck!
Let's knock out that last 1%. On the client computer with a user account that does not work, test the administrator account.
Black screen, got it.
I meant on the server, but I guess either one. For instance, do you have PC Anywhere, or Unicenter's Remote Control Option, or any other product like those installed on either?
The reason I mentioned an IE policy is because we had a similar problem with users logging on to their local computers that is similar. Desktop would never load. It was due to an IE policy that we were enforcing in conjunction with it being their first logon and a specific service pack level.
When you repaired the permissions, did it involve setting permissions directly to "administrator" (or whatever the name of the admin acct) versus an admin group?
Does the user acct belong to only the same groups as the administrator? (I'm trying to eliminate the possibility that the user acct belongs to a group that the admin acct does not.)
Are you sure you only changed Registry permissions and not any file level permissions? Just checking.
ASKER
When I repaired the permissions, I set them back to the administrator/admin account.
The user doesn't belong to the same group as the admin, I have tried adding the user to the local admin group with no success!
I only changed the registry permission back, not the file permissions.
robrandon - I do have remote admin installed.
I don't think it's related to IE policies, the users could access the server using remote desktop before I made changes to the registry, unless the changes I made affected the IE policies..
What are the existing permissions on the HKEY_CLASSES_ROOT?
Does System have any type of access?
Setup permissions as follows and test:
Administrators: Full Control/Read
Everyone:Read
System: Full Control/Read
Test and let me know if that works out. Make sure permissions propagate to lower levels.
ASKER
The permissions for HKEY_CLASSES_ROOT are already set correctly, I changed them back manually before except I didn't reset the permissions to child objects. I have tried to reset the permissions to child objects but get the following message:
'Registry Editor could not set the security in the key currently selected, or some of the its subkeys'
Is this part of the problem?
Interesting. I think it may be. Select the HKEY_CLASSES_ROOT hive and go to the permissions again. Click ADVANCED. Select Administrators and choose VIEW/EDIT. Give "Allow" on all checkboxes and set the "Apply onto" to "This key and subkeys". Do the same for System. For the Everyone group, only check "Allow" for Query Value, Enumerate Subkeys, Notify, and Read Control. Also set it for "This key and subkeys". Click OK. Then click the checkbox, Reset Permissions...., and click Apply.
If you still get the error, you are going to have to make whatever account you are using the "owner" of each part of the hive that gives you a problem, and then set the permissions correctly.
I'm not sure, but you may be able to set whatever account you are using as an Owner, and replace that on the subkeys. This is on the Owner tab after you select the ADVANCED button on the Permissions tab. Then you can probably apply the required permissions throughout the hive as above, and won't get the error.
Let me know if you have problems setting the permissions or if this resolves your prob.
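A read-only way to check the baseline described in the two posts above (Administrators and SYSTEM with Full Control; Everyone with Query Value, Enumerate Subkeys, Notify and Read Control; applied to the key and its subkeys), added here as an example and not posted by any participant in the thread. It assumes an elevated Windows PowerShell 5 or later session; the function name `Test-KeyAcl` and the `-Root`/`-Depth` parameters are hypothetical, and it compares ACEs literally rather than computing effective access.

```powershell
# Added example, not from the thread: read-only audit of the suggested baseline.
# Assumes an elevated Windows PowerShell 5+ session; it never writes an ACL.
param(
    [string]$Root  = 'Registry::HKEY_CLASSES_ROOT',
    [int]   $Depth = 0    # 0 = the root plus its immediate subkeys
)

$rr = [System.Security.AccessControl.RegistryRights]
# Baseline from the posts above, keyed by well-known SID (language independent).
$baseline = @{
    'S-1-5-32-544' = $rr::FullControl   # Administrators
    'S-1-5-18'     = $rr::FullControl   # SYSTEM
    'S-1-1-0'      = $rr::ReadKey       # Everyone: query, enumerate, notify, read control
}

function Test-KeyAcl {
    param([string]$Path)
    try   { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { return [pscustomobject]@{ Key = $Path; Issue = "ACL unreadable: $($_.Exception.Message)" } }

    # Explicit and inherited ACEs, with identities translated to SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($sid in $baseline.Keys) {
        $granted = 0
        foreach ($r in $rules) {
            # Count only Allow ACEs that apply to this key itself (InheritOnly = 2 is skipped).
            $inheritOnly = [int]$r.PropagationFlags -band 2
            if ($r.IdentityReference.Value -eq $sid -and $r.AccessControlType -eq 'Allow' -and -not $inheritOnly) {
                $granted = $granted -bor [int]$r.RegistryRights
            }
        }
        $want = [int]$baseline[$sid]
        if (($granted -band $want) -ne $want) {
            [pscustomobject]@{ Key = $Path; Issue = "$sid lacks $($baseline[$sid])" }
        }
    }
    if ($acl.AreAccessRulesProtected) {
        [pscustomobject]@{ Key = $Path; Issue = 'inheritance from parent is disabled' }
    }
}

# -LiteralPath matters here: HKEY_CLASSES_ROOT contains a subkey literally named '*'.
$keys = @($Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.PSPath })
$keys | ForEach-Object { Test-KeyAcl -Path $_ } | Format-Table -AutoSize -Wrap
```

An empty result means every key visited carries the baseline ACEs; keys reported as unreadable are the ones where ownership would have to be taken before permissions can be reset.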
ASKER
robrandon,
I have checked the permissions for the accounts you suggested and they were already set. I reset the permission to all accounts except the 'Everyone' account. I also changed the ownership, and replaced them on the subkeys but still can't reset the permissions for 'Everyone'
This could be the problem..
Again, this is very strange. You can change the permissions for groups other than the Everyone group successfully? Maybe remove the everyone group and then re-add it. Each time, make sure the permissions filter down.
ASKER
I have removed 'Everyone' from the permissions but now when I try to add them again I get the following message: 'unable to display the user selection dialog (null)'
I have taken a backup of the registry key, so can recover.. but surely this shouldn't happen?
ASKER
As soon as I logged off and back in again 'Everyone' re-appeared in the permissions list.
ASKER
What permissions should 'creator owner' have?
ASKER
'Authenticated Users' has the same problem as 'Everyone' all others are ok..
My Creator Owner shows up in the list but does not have permissions applied to it.
Check the permissions on the HKEY_CLASSES_ROOT\VideoRender.... just a long shot.
ASKER
Have you checked the permissions in advanced for your Creator Owner? Mine say no permissions but in advanced it has full Control!!
I have the following keys for VideoRender: 'VideoRenderCtl.VideoRenderCtl' & 'VideoRenderCtl.VideoRenderCtl.1' do I change both?
ASKER
what do I change them to or what should they be set to?
ASKER
Thanks for all your help..
I managed to resolve the issue by deleting the user's roaming profile on the TS server. When the user tried to access the server via TS again his profile was re-created and allowed him to login.
Thanks again!!
experts-exchange rocks!!
I thought you had created a new user and had the same problem? That account should not have had a profile on the server to begin with. Maybe some of the changes that were made in between did the trick? Anyway, good to hear.
ASKER
I had created a new user, and you are right, logically it doesn't make sense... but it's working now..
Thanks again!