Solved

Why all of a sudden are my users unable to remotely connect to servers?  Getting all sorts of error messages.

Posted on 2004-04-07
Last Modified: 2010-03-18
I've got Terminal Server (not licensed yet) running on 1 server out of 2 in my AD domain.  This server is used primarily for VPN services and has been up and running for a good 20 or so days no problems.  

I got an email from a user saying he can't login now and is getting 'The local policy of this system does not permit you to logon interactively'.  Funny, I can connect via VPN fine and remote to my other server machine fine, but whenever I try to connect to the VPN server either directly or from my other machines via Remote Desktop, I get similar messages.  'Do not have privileges to access...' 'no permissions...'  yadda, yadda, yadda.  I'm the Domain Admin, so how don't I have permissions to access this machine?  Furthermore, I have not done anything to it at all to possibly cause these messages.  I've yet to physically go to the office to logon, but I should be able to access this machine somehow remotely, am I wrong?  This VPN server is also my BDC so I've checked my accounts via my PDC to make sure all the users have access and they do.

What needs to be done for my users to get back into the Remote Desktop game?
Question by:yoyz
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10774015
1/. Get those licenses. :)

2/. Have you modified any group or local policies on the machine? You will most likely have to go to it locally as you have lost your remote ability but go to Start==>Run==>gpedit.msc

Check the following in gpedit.msc

+ Computer Configuration
  + Windows Settings
     + Security Settings
        + Local Policies
          + User Rights Assignment

Things to look for here are "Access this computer from the network.", "Deny Access to this computer from the network", "Deny logon through Terminal Services" & "Log on Locally".
0
 

Author Comment

by:yoyz
ID: 10774037
Ok, so could it be a problem if I don't have licenses?  I mean I thought you have like 90 days or something?  

On your other note, everything was working fine so I don't understand why things would just stop working like that, I haven't tooled around with any policy settings... but I'll check nonetheless.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10774061
Yea you wouldn't think so. But I have been in a situation with a group policy changing more than once which no one had changed. :) Just kind of got messed up I guess. :)

How long have you been running Terminal Services? Can you just add the licenses in Terminal License Manager now and buy later?
0
 

Author Comment

by:yoyz
ID: 10776768
So is there anything I can do right now to get these guys up and running without licensing.  We are working on that.
0
 

Author Comment

by:yoyz
ID: 10776794
Also, I've looked at a bunch of Security Bulletins and tried some things that didn't work on my PDC, do I physically need to make domain policy edits on my BDC where Terminal Server is running or will it replicate over from my PDC to BDC eventually?
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10777522
They will replicate to the BDC as they are domain-wide policies. Take a look at it first. It might be okay anyway and not need any change. I just wanted you to check to make sure it hadn't got screwed up.
0
 

Author Comment

by:yoyz
ID: 10777692
Ok, here's the deal.  I remoted in to my PDC and changed the Allow to log onto Terminal Services policy and log on locally policies to reflect individual users rather than Groups.  It now works fine?!?  Should I alter this in any way by just adding another Remote Operators Group or something or is there a special group I can put them in first, then remote and add that group rather than having individual listings?
0
 

Author Comment

by:yoyz
ID: 10784748
On another note... all my users can log in via Terminal Services but me!!!  What the heck did I do.  I'm a domain admin and I can't log in, says I can't log in interactively. Any ideas?
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10784775
Ick....did you check to see if you removed the Administrator or Administrators group?
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10784794
By default Administrators should be in the "Allow logon through Terminal Services" box. And the only thing in "Deny Logon To Terminal Services" is "ASPNET".
0
 

Author Comment

by:yoyz
ID: 10785851
In my administrators group I have: (under builtin)

Domain Admins
Enterprise Admins
My Administrator account

In my Domain Admins Group I have: (under users)
My own account that I use to log in and do everything with and  that account only.  That account sits in the 'users' section of AD.

For 'Deny Logon to Terminal Services' I have nothing.
For 'Allow logon locally' all I have is Administrators
For 'Allow logon through Terminal Services' I have all my individual users that I created.  Those users WERE in the Domain Users group, but I removed them for troubleshooting purposes.
0
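
Added example, not part of the thread: a PowerShell check of the user rights named in this thread, run against a constructed `secedit /export /areas USER_RIGHTS` sample modelled on the assignments listed in the post above. The user SIDs, the sample file and the function name `Get-LogonRightFinding` are assumptions; the check matches literal entries only and does not expand group membership.

```powershell
# Constructed sample in the format written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# The two S-1-5-21-... user SIDs are made up; S-1-5-32-544 is BUILTIN\Administrators.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-21-1111111111-2222222222-3333333333-1106
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Export constant -> policy name as quoted in this thread.
$logonRights = [ordered]@{
    SeNetworkLogonRight               = 'Access this computer from the network'
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeInteractiveLogonRight           = 'Log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow logon through Terminal Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny logon through Terminal Services'
}

function Get-LogonRightFinding {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$InfText)
    $assigned = @{}
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $name, $value = $Matches[1], $Matches[2]
            # Entries are comma-separated; SIDs carry a leading '*'.
            $assigned[$name] = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    foreach ($right in $logonRights.Keys) {
        # A right with no entries is simply absent from the export.
        $members = @(if ($assigned.ContainsKey($right)) { $assigned[$right] })
        $finding = if ($right -like 'SeDeny*' -and $members.Count -gt 0) {
            'Deny entry present: it overrides any allow for these principals'
        } elseif ($right -eq 'SeRemoteInteractiveLogonRight' -and $members -notcontains 'S-1-5-32-544') {
            'BUILTIN\Administrators not listed (the thread says it is there by default)'
        } else { 'ok' }
        [pscustomobject]@{ Policy = $logonRights[$right]; Members = ($members -join ', '); Finding = $finding }
    }
}

Get-LogonRightFinding -InfText $sampleInf | Format-Table -AutoSize -Wrap
```

Against a real server, run the `secedit` export from an elevated prompt and pass `Get-Content rights.inf -Raw` in place of `$sampleInf`.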
 

Author Comment

by:yoyz
ID: 10786284
I think I figured it out.  I had to add my account to the Administrators Group.  I then added Administrators to the Domain Admins Group.

So I figured that part out, my next question is when I log in as one of the users they have access to view a lot of admin tools, like AD Users and Computers, TS Manager, etc...  I don't want them viewing that stuff at all.  I want my users to be part of Domain Users group and to restrict stuff like that.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10788587
You could try adding the Domain Users back now......
0
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 250 total points
ID: 10788593
To further explain....sometimes it has just been a matter of removing it and re-adding it to get something back to working.
0
