Solved

Why all of a sudden are my users unable to remotely connect to servers?  Getting all sorts of error messages.

Posted on 2004-04-07
Last Modified: 2010-03-18
I've got Terminal Server (not licensed yet) running on 1 server out of 2 in my AD domain.  This server is used primarily for VPN services and has been up and running for a good 20 or so days no problems.  

I got an email from a user saying he can't login now and is getting 'The local policy of this system does not permit you to logon interactively'.  Funny, I can connect via VPN fine and remote to my other server machine fine, but whenever I try to connect to the VPN server either directly or from my other machines via Remote Desktop, I get similar messages.  'Do not have privileges to access...' 'no permissions...'  yadda, yadda, yadda.  I'm the Domain Admin, so how don't I have permissions to access this machine?  Furthermore, I have not done anything to it at all to possibly cause these messages.  I've yet to physically go to the office to logon, but I should be able to access this machine somehow remotely, am I wrong?  This VPN server is also my BDC so I've checked my accounts via my PDC to make sure all the users have access and they do.

What needs to be done for my users to get back into the Remote Desktop game?
Question by:yoyz
17 Comments
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10774015
1/. Get those licenses. :)

2/. Have you modified any group or local policies on the machine? You will most likely have to go to it locally as you have lost your remote ability but go to Start==>Run==>gpedit.msc

Check the following in gpedit.msc

+ Computer Configuration
  + Windows Settings
     + Security Settings
        + Local Policies
          + User Rights Assignment

Things to look for here are "Access this computer from the network", "Deny Access to this computer from the network", "Deny logon through Terminal Services" & "Log on Locally".
 

Author Comment

by:yoyz
ID: 10774037
Ok, so could it be a problem if I don't have licenses?  I mean I thought you have like 90 days or something?  

On your other note, everything was working fine so I don't understand why things would just stop working like that, I haven't tooled around with any policy settings... but I'll check nonetheless.
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10774061
Yea you wouldn't think so. But I have been in a situation with a group policy changing more than once which no one had changed. :) Just kind of got messed up I guess. :)

How long have you been running Terminal Services? Can you just add the licenses in Terminal License Manager now and buy later?
 

Author Comment

by:yoyz
ID: 10776768
So is there anything I can do right now to get these guys up and running without licensing.  We are working on that.
 

Author Comment

by:yoyz
ID: 10776794
Also, I've looked at a bunch of Security Bulletins and tried some things that didn't work on my PDC, do I physically need to make domain policy edits on my BDC where Terminal Server is running or will it replicate over from my PDC to BDC eventually?
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10777522
They will replicate to the BDC as they are domain-wide policies. Take a look at it first. It might be okay anyway and not need any change. I just wanted you to check to make sure it hadn't got screwed up.
 

Author Comment

by:yoyz
ID: 10777692
Ok, here's the deal.  I remoted in to my PDC and changed the Allow to log onto Terminal Services policy and log on locally policies to reflect individual users rather than Groups.  It now works fine?!?  Should I alter this in any way by just adding another Remote Operators Group or something or is there a special group I can put them in first, then remote and add that group rather than having individual listings?
 

Author Comment

by:yoyz
ID: 10784748
On another note... all my users can log in via Terminal Services but me!!!  What the heck did I do.  I'm a domain admin and I can't log in, says I can't log in interactively. Any ideas?
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10784775
Ick....did you check to see if you removed the Administrator or Administrators group?
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10784794
By default Administrators should be in the "Allow logon through Terminal Services" box. And the only thing in "Deny Logon To Terminal Services" is "ASPNET".
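The user rights named in the comments above (network, local and Terminal Services logon, each with its deny counterpart) can be checked offline from a `secedit /export /cfg rights.inf /areas USER_RIGHTS` dump. The following is an added example, not code from any poster in this thread; the domain SID, account RIDs and sample export are constructed, and it evaluates user rights assignment only.

```python
import configparser

# Privilege constants behind the gpedit.msc entries named in this thread:
# logon type -> (allow right, deny right).
RIGHTS = {
    "network": ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
    "local": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "terminal_services": ("SeRemoteInteractiveLogonRight",
                          "SeDenyRemoteInteractiveLogonRight"),
}
ADMINISTRATORS = "S-1-5-32-544"     # well-known SID of the builtin Administrators group
DOMAIN = "S-1-5-21-1111-2222-3333"  # constructed domain SID (assumption)

# Constructed export: Terminal Services logon granted to two individual
# accounts only, as in the thread. Real exports are usually UTF-16 files.
SAMPLE_INF = f"""\
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*{ADMINISTRATORS}
SeInteractiveLogonRight = *{ADMINISTRATORS}
SeRemoteInteractiveLogonRight = *{DOMAIN}-1105,*{DOMAIN}-1106
SeDenyRemoteInteractiveLogonRight =
"""

def parse_rights(inf_text):
    """Return {right name: set of holders} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of the Se* names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {name: {h.strip().lstrip("*").upper()
                   for h in value.split(",") if h.strip()}
            for name, value in cp.items("Privilege Rights")}

def logon_allowed(rights, token_sids, logon_type):
    """A deny right on any SID in the token overrides every allow right."""
    allow, deny = RIGHTS[logon_type]
    token = {s.upper() for s in token_sids}
    if rights.get(deny, set()) & token:
        return False
    return bool(rights.get(allow, set()) & token)

if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    # Constructed tokens: own SID, primary domain group (512/513), other groups.
    admin = {f"{DOMAIN}-1104", f"{DOMAIN}-512", ADMINISTRATORS, "S-1-1-0"}
    user = {f"{DOMAIN}-1105", f"{DOMAIN}-513", "S-1-1-0"}
    for who, token in (("admin", admin), ("user", user)):
        for kind in RIGHTS:
            print(who, kind, logon_allowed(rights, token, kind))
```

With the sample export, the administrator token is refused Terminal Services logon while the listed user is allowed, because the allow right names individual accounts and no group the administrator belongs to.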
 

Author Comment

by:yoyz
ID: 10785851
In my administrators group I have: (under builtin)

Domain Admins
Enterprise Admins
My Administrator account

In my Domain Admins Group I have: (under users)
My own account that I use to log in and do everything with and  that account only.  That account sits in the 'users' section of AD.

For 'Deny Logon to Terminal Services' I have nothing.
For 'Allow logon locally' all I have is Administrators
For 'Allow logon through Terminal Services' I have all my individual users that I created.  Those users WERE in the Domain Users group, but I removed them for troubleshooting purposes.
 

Author Comment

by:yoyz
ID: 10786284
I think I figured it out.  I had to add my account to the Administrators Group.  I then added Administrators to the Domain Admins Group.

So I figured that part out, my next question is when I log in as one of the users they have access to view a lot of admin tools, like AD Users and Computers, TS Manager, etc...  I don't want them viewing that stuff at all.  I want my users to be part of Domain Users group and to restrict stuff like that.
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10788587
You could try adding the Domain Users back now......
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 250 total points
ID: 10788593
To further explain....sometimes it has just been a matter of removing it and re-adding it to get something back to working.