• Status: Solved

Terminal Server member server logon locally issues

I just created a new member server which I want to use to replace my old terminal server on my network.  I have read all about the logon locally user rights that you need to avoid the "unable to logon interactively" error while attempting to logon to the terminal server.  Well, I have given the appropriate users the allow logon locally rights on the new Terminal Server, but cannot get past the "unable to logon interactively" error.  The old terminal server was a DC, which I had to make the users a member of the administrators group to get it to work.  This is one of the reasons I made a new one.  I want to keep it as a member server only and still allow certain users access to the network.  Any ideas?
Asked by: cheesebugah

millsoft Commented:
Hi cheesebugah,

There are separate security policies for domain controllers and other computers.  Did you set the Logon locally right in the correct policy for the member server?

Cheers!
Brad

cheesebugah (Author) Commented:
I believe that would be the Local Security Policy\Local Policies\User Rights Assignment folder on the said member server.

millsoft Commented:
Not if your machine is in a domain; the domain security policies will override the local security policy.

 
cheesebugah (Author) Commented:
Why are we playing a guessing game?  If you know how to get this to work, why don't you just tell me?  

spakko Commented:
From Administrative tools pick Domain Controller Security Policy. Under user rights (as you said above) add the user / group to the Logon Locally right. Ensure that your users in Active Directory Users & Computers have the right to use Terminal Services.

Now make sure your DCs are replicated. Open Active Directory Sites & Services and force replication as in http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prmd_stp_ccgm.asp

Now make sure that policy is updated, run: secedit /refreshpolicy user_policy

Try again. If this does not work, something weird is going on...

cheesebugah (Author) Commented:
spakko,

Even though my new Terminal Server is a member server, not a DC?

millsoft Commented:
Cheese,

As for guessing: I've never experienced any TS problems with either my DCs or my member servers (and I have about a dozen of them), so my "guessing" is trying to guess what you still need to do.  

You need to set the rights on the policy that affects the server in question.  If it's not a DC, then it is the default domain policy, not the DC policy, unless you have added additional policies to your AD.

The Local Security policies on machines that are members of a domain are overwritten by the AD default domain policy (by default - although it depends upon the location of the computer in the AD tree).

I'm trying to help, but maybe you can dial back the 'tude just a little.

Regards,
Brad

spakko Commented:
If it is just a member server, and it is a member of the domain, then its local policy will be overwritten by the domain level policy. You probably need to create a new OU and place your terminal server in it. Then give it a GPO that allows logon locally rights...

cheesebugah (Author) Commented:
I got it, thanks!

captjwh Commented:
I have the same problem, but a tad bit different.  

I have an SQL server (member server) in the domain controllers OU running w2k3.  So it is getting the DefaultDomainController's policy.  The prob is that I have consultants wanting to connect via TS administrative mode to administer the server (iis, sql, etc), but in order for me to be able to set the Allow Log on locally security setting and Allow log on through Terminal Services on that box, I have to do it at the OU level (effectively giving them rights to logon to all servers in that OU).  I think that is correct 'cause when I go to the local sec policy on the sql server the option to add and remove users and groups is there, but the Add and Remove buttons are greyed out, whereas on the OU GPO they are not.

This is funny, 'cause I can set these policies on a 2000 windows server I have.  Also, they are local admins on this new 2k3 box with sql on it.

Suggestions?

spakko Commented:
Always a bugger that one. If a server is a member server it will get the Default Domain Controller policy regardless, because it is a *member* server. Standalone is different :). What you could try is creating an OU and placing the Terminal Server computer in it. Then create a GPO with the desired Logon Locally rights and specify the No Override option on the GPO object.

I think this might work. Try it and let me know if it does.

captjwh Commented:
worked.. thanks!

bcallear Commented:
Hi,

Another solution is to add REMOTE INTERACTIVE LOGON to "Allow logon through terminal services" in the local security policy of the Terminal Server (not the DC).

Cheers

B

"We are all of us in the gutter, but some are looking to the stars" - Oscar Wilde
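
Added example, not part of any post in this thread: after a GPO change like the ones discussed above, the rights that actually landed on the server can be exported there with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and checked for who holds "Allow log on locally" and "Allow log on through Terminal Services", which is the over-granting concern captjwh raises. The Python below parses such an export; the sample export, the `CORP\...` account names and the `BROAD` list are constructed assumptions, and the caller is assumed to supply the groups in a user's token.

```python
# Added example: audit logon rights in a `secedit /export` INF file.
# Right names and well-known SIDs are Windows constants; SAMPLE_EXPORT, the
# CORP\... account names and the BROAD list are constructed assumptions.
ALLOW_LOCAL, ALLOW_TS = "SeInteractiveLogonRight", "SeRemoteInteractiveLogonRight"
DENY = {ALLOW_LOCAL: "SeDenyInteractiveLogonRight",
        ALLOW_TS: "SeDenyRemoteInteractiveLogonRight"}
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-14": "REMOTE INTERACTIVE LOGON",
              "S-1-5-32-544": "BUILTIN\\Administrators",
              "S-1-5-32-545": "BUILTIN\\Users",
              "S-1-5-32-555": "BUILTIN\\Remote Desktop Users"}
# Groups that hand a right to nearly every account (assumed list).
BROAD = {"Everyone", "Authenticated Users", "BUILTIN\\Users", "CORP\\Domain Users"}

SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,CORP\Domain Users
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,CORP\sql-consultants
SeDenyRemoteInteractiveLogonRight = CORP\contractors
SeBackupPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # secedit writes SIDs as *S-1-...; map the well-known ones to names
            members = (m.strip().lstrip("*") for m in value.split(","))
            rights[name.strip()] = {WELL_KNOWN.get(m, m) for m in members if m}
    return rights

def broad_grants(rights):
    """List (right, principal) pairs where an allow right goes to a broad group."""
    return sorted((r, p) for r in DENY for p in rights.get(r, set()) & BROAD)

def can_log_on(rights, token_groups, right=ALLOW_TS):
    """True if a token group holds the allow right and none holds its deny right."""
    token = set(token_groups)
    allowed = bool(rights.get(right, set()) & token)
    denied = bool(rights.get(DENY[right], set()) & token)
    return allowed and not denied  # a deny right overrides an allow right
```

A real export is UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_rights`.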
