Solved

Terminal Server member server logon locally issues

Posted on 2004-04-08
Last Modified: 2010-04-13
I just created a new member server which I want to use to replace my old terminal server on my network.  I have read all about the logon locally user rights that you need to avoid the "unable to logon interactively" error while attempting to log on to the terminal server.  Well, I have given the appropriate users the allow logon locally rights on the new Terminal Server, but cannot get past the "unable to logon interactively" error.  The old terminal server was a DC, on which I had to make the users members of the administrators group to get it to work.  This is one of the reasons I made a new one.  I want to keep it as a member server only and still allow certain users access to the network.  Any ideas?
Question by:cheesebugah
13 Comments
 
LVL 5

Expert Comment

by:millsoft
ID: 10787329
Hi cheesebugah,

There are separate security policies for domain controllers and other computers.  Did you set the Logon locally right in the correct policy for the member server?

Cheers!
Brad
0
 

Author Comment

by:cheesebugah
ID: 10787612
I believe that would be the Local Security Policy\Local Policies\User Rights Assignment folder on the said member server.
0
 
LVL 5

Expert Comment

by:millsoft
ID: 10787720
Not if your machine is in a domain; the domain security policies will override the local security policy.

0

 

Author Comment

by:cheesebugah
ID: 10787772
Why are we playing a guessing game?  If you know how to get this to work, why don't you just tell me?  
0
 
LVL 2

Accepted Solution

by:
spakko earned 500 total points
ID: 10788494
From Administrative tools pick Domain Controller Security Policy. Under user rights (as you said above) add the user / group to the Logon Locally right. Ensure that your users in Active Directory Users & Computers have the right to use Terminal Services.

Now make sure your DCs are replicated. Open Active Directory Sites & Services and force replication as in http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prmd_stp_ccgm.asp

Now make sure that policy is updated, run: secedit /refreshpolicy user_policy

Try again. If this does not work, something weird is going on...
0
 

Author Comment

by:cheesebugah
ID: 10789154
spakko,

Even though my new Terminal Server is a member server, not a DC?
0
 
LVL 5

Expert Comment

by:millsoft
ID: 10789193
Cheese,

As for guessing: I've never experienced any TS problems with either my DCs or my member servers (and I have about a dozen of them), so my "guessing" is trying to guess what you still need to do.  

You need to set the rights on the policy that affects the server in question.  If it's not a DC, then it is the default domain policy, not the DC policy, unless you have added additional policies to your AD.

The Local Security policies on machines that are members of a domain are overwritten by the AD default domain policy (by default - although it depends upon the location of the computer in the AD tree).

I'm trying to help, but maybe you can dial back the 'tude just a little.

Regards,
Brad

0
 
LVL 2

Expert Comment

by:spakko
ID: 10789586
If it is just a member server, and it is a member of the domain, then its local policy will be overwritten by the domain level policy. You probably need to create a new OU and place your terminal server in it. Then give it a GPO that allows logon locally rights...
0
 

Author Comment

by:cheesebugah
ID: 10791394
I got it, thanks!
0
 

Expert Comment

by:captjwh
ID: 10845851
I have the same problem, but a tad bit different.  

I have an SQL server (member server) in the domain controllers OU running w2k3.  So it is getting the DefaultDomainController's policy.  The prob is that I have consultants wanting to connect via TS administrative mode to administer the server (IIS, SQL, etc.), but in order for me to be able to set the Allow Log on locally security setting and Allow log on through Terminal Services on that box, I have to do it at the OU level (effectively giving them rights to log on to all servers in that OU).  I think that is correct because when I go to the local sec policy on the SQL server the option to add and remove users and groups is there, but the Add and Remove buttons are greyed out, whereas on the OU GPO they are not.

This is funny, because I can set these policies on a 2000 Windows server I have.  Also, they are local admins on this new 2k3 box with SQL on it.

Suggestions?
0
 
LVL 2

Expert Comment

by:spakko
ID: 10847759
Always a bugger that one. If a server is a member server it will get the Default Domain Controller policy regardless, because it is a *member* server. Standalone is different :). What you could try is creating an OU and placing the Terminal Server computer in it. Then create a GPO with the desired Logon Locally rights and specify the No Override option on the GPO object.

I think this might work. Try it and let me know if it does.
0
 

Expert Comment

by:captjwh
ID: 10863867
worked.. thanks!
0
 

Expert Comment

by:bcallear
ID: 11144576
Hi,

Another solution is to add REMOTE INTERACTIVE LOGON to "Allow logon through terminal services" in the local security policy of the Terminal Server (not the DC).

Cheers

B

"We are all of us in the gutter, but some are looking to the stars" - Oscar Wilde
0
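
To confirm which accounts actually hold the two logon rights discussed in this thread once domain policy has been applied to the terminal server, the effective user rights can be exported on that server and inspected. The PowerShell below is an added example, not code from any poster; the export it parses is constructed sample data, and `Get-LogonRights` is a hypothetical helper name.

```powershell
# Added example, not from the thread. On the terminal server itself, produce the
# real input with:  secedit /export /cfg C:\temp\rights.inf /areas USER_RIGHTS
# and list the GPOs that applied with:  gpresult /scope computer /v
# The export below is CONSTRUCTED sample data so the script runs as-is.
$sampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-11
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
'@

# The two allow rights from the thread, plus the deny rights that override them.
$rights = [ordered]@{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Terminal Services'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}
# Well-known SIDs that make an allow right far wider than "certain users".
$broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users' }

function Get-LogonRights {
    param([string]$InfText)
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        # Track which INF section we are in; only [Privilege Rights] matters.
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        if (-not $rights.Contains($name)) { continue }
        # Each right holds a comma-separated list; SIDs are prefixed with '*'.
        foreach ($entry in ($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            $sid = $entry.TrimStart('*')
            [pscustomobject]@{
                Right     = $rights[$name]
                Principal = $sid
                TooBroad  = ($name -notlike 'SeDeny*') -and $broad.ContainsKey($sid)
            }
        }
    }
}

Get-LogonRights -InfText $sampleExport | Format-Table -AutoSize
```

In the sample data the `S-1-5-11` (Authenticated Users) entry on the Terminal Services right is the row flagged `TooBroad`, the kind of over-grant that results when the right is set on an OU holding more servers than intended.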


Question has a verified solution.
