• Status: Solved
  • Priority: Medium
  • Security: Public

Why all of a sudden are my users unable to remotely connect to servers? Getting all sorts of error messages.

I've got Terminal Server (not licensed yet) running on 1 server out of 2 in my AD domain.  This server is used primarily for VPN services and has been up and running for a good 20 or so days no problems.  

I got an email from a user saying he can't login now and is getting 'The local policy of this system does not permit you to logon interactively'.  Funny, I can connect via VPN fine and remote to my other server machine fine, but whenever I try to connect to the VPN server either directly or from my other machines via Remote Desktop, I get similar messages.  'Do not have privileges to access...' 'no permissions...'  yadda, yadda, yadda.  I'm the Domain Admin, so how don't I have permissions to access this machine?  Furthermore, I have not done anything to it at all to possibly cause these messages.  I've yet to physically go to the office to logon, but I should be able to access this machine somehow remotely, am I wrong?  This VPN server is also my BDC so I've checked my accounts via my PDC to make sure all the users have access and they do.

What needs to be done for my users to get back into the Remote Desktop game?
0
Asked:
yoyz
 
Gareth Gudger Commented:
1/. Get those licenses. :)

2/. Have you modified any group or local policies on the machine? You will most likely have to go to it locally as you have lost your remote ability but go to Start==>Run==>gpedit.msc

Check the following in gpedit.msc

+ Computer Configuration
  + Windows Settings
     + Security Settings
        + Local Policies
          + User Rights Assignment

Things to look for here are "Access this computer from the network", "Deny Access to this computer from the network", "Deny logon through Terminal Services" & "Log on Locally".
0
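The check described in the comment above can also be done from a script. This is an added example, not part of the original thread: it exports the User Rights Assignment section with `secedit` and lists who holds each logon right named there. It assumes PowerShell 3.0 or later in an elevated session on the affected server; the policy labels are the ones used in this thread, and the temp file name is arbitrary.

```powershell
# Added example: audit the logon rights discussed in this thread.
# Privilege constants mapped to their gpedit.msc policy names.
$LogonRights = [ordered]@{
    SeNetworkLogonRight               = 'Access this computer from the network'
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Terminal Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}

function Resolve-Principal([string]$Entry) {
    # secedit writes SIDs as *S-1-...; anything else is already a name.
    if ($Entry -notmatch '^\*(S-1-.+)$') { return $Entry }
    $sid = $Matches[1]
    try {
        ([Security.Principal.SecurityIdentifier]$sid).Translate([Security.Principal.NTAccount]).Value
    } catch { "$sid (unresolved)" }
}

function Get-LogonRights([string[]]$InfLines) {
    foreach ($right in $LogonRights.Keys) {
        # A right with no holders may be absent from the export entirely.
        $line = $InfLines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $raw = @()
        if ($line) {
            $raw = @(($line -split '=', 2)[1].Split(',') |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
        [pscustomobject]@{
            Right   = $right
            Policy  = $LogonRights[$right]
            Raw     = $raw
            Members = @($raw | ForEach-Object { Resolve-Principal $_ })
        }
    }
}

$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = Get-LogonRights (Get-Content $cfg)
Remove-Item $cfg
$rights | Format-Table Policy, @{ n = 'Members'; e = { $_.Members -join '; ' } } -Wrap

# Flag two conditions: Administrators (S-1-5-32-544) missing from the remote
# allow list, and a principal listed in both allow and deny (deny wins).
# Only direct entries are compared; nested group membership is not expanded.
$allow = $rights | Where-Object { $_.Right -eq 'SeRemoteInteractiveLogonRight' }
$deny  = $rights | Where-Object { $_.Right -eq 'SeDenyRemoteInteractiveLogonRight' }
if ($allow.Raw -notcontains '*S-1-5-32-544') { Write-Warning 'Administrators is not in the remote logon allow list.' }
$allow.Raw | Where-Object { $deny.Raw -contains $_ } | ForEach-Object { Write-Warning "$(Resolve-Principal $_) is in both allow and deny." }
```

The export shows the effective setting on that machine, so comparing the output before and after a Group Policy refresh shows whether a domain policy is overwriting local changes.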
 
yoyz (Author) Commented:
Ok, so could it be a problem if I don't have licenses?  I mean I thought you have like 90 days or something?  

On your other note, everything was working fine so I don't understand why things would just stop working like that, I haven't tooled around with any policy settings... but I'll check nonetheless.
0
 
Gareth Gudger Commented:
Yea you wouldn't think so. But I have been in a situation with a group policy changing more than once which no one had changed. :) Just kind of got messed up I guess. :)

How long have you been running Terminal Services? Can you just add the licenses in Terminal License Manager now and buy later?
0
 
yoyz (Author) Commented:
So is there anything I can do right now to get these guys up and running without licensing.  We are working on that.
0
 
yoyz (Author) Commented:
Also, I've looked at a bunch of Security Bulletins and tried some things that didn't work on my PDC, do I physically need to make domain policy edits on my BDC where Terminal Server is running or will it replicate over from my PDC to BDC eventually?
0
 
Gareth Gudger Commented:
They will replicate to the BDC as they are domain-wide policies. Take a look at it first. It might be okay anyway and not need any change. I just wanted you to check to make sure it hadn't got screwed up.
0
 
yoyz (Author) Commented:
Ok, here's the deal.  I remoted in to my PDC and changed the Allow to log onto Terminal Services policy and log on locally policies to reflect individual users rather than Groups.  It now works fine?!?  Should I alter this in any way by just adding another Remote Operators Group or something or is there a special group I can put them in first, then remote and add that group rather than having individual listings?
0
 
yoyz (Author) Commented:
On another note... all my users can log in via Terminal Services but me!!!  What the heck did I do.  I'm a domain admin and I can't log in, says I can't log in interactively. Any ideas?
0
 
Gareth Gudger Commented:
Ick....did you check to see if you removed the Administrator or Administrators group?
0
 
Gareth Gudger Commented:
By default Administrators should be in the "Allow logon through Terminal Services" box. And the only thing in "Deny Logon To Terminal Services" is "ASPNET".
0
 
yoyz (Author) Commented:
In my administrators group I have: (under builtin)

Domain Admins
Enterprise Admins
My Administrator account

In my Domain Admins Group I have: (under users)
My own account that I use to log in and do everything with and  that account only.  That account sits in the 'users' section of AD.

For 'Deny Logon to Terminal Services' I have nothing.
For 'Allow logon locally' all I have is Administrators
For 'Allow logon through Terminal Services' I have all my individual users that I created.  Those users WERE in the Domain Users group, but I removed them for troubleshooting purposes.
0
 
yoyz (Author) Commented:
I think I figured it out.  I had to add my account to the Administrators Group.  I then added Administrators to the Domain Admins Group.

So I figured that part out, my next question is when I log in as one of the users they have access to view a lot of admin tools, like AD Users and Computers, TS Manager, etc...  I don't want them viewing that stuff at all.  I want my users to be part of Domain Users group and to restrict stuff like that.
0
 
Gareth Gudger Commented:
You could try adding the Domain Users back now......
0
 
Gareth Gudger Commented:
To further explain....sometimes it has just been a matter of removing it and readding it to get something back to working.
0
