Terminal Server member server logon locally issues

cheesebugah asked
Medium Priority
Last Modified: 2010-04-13
I just created a new member server which I want to use to replace my old terminal server on my network. I have read all about the logon locally user rights that you need to avoid the "unable to logon interactively" error while attempting to log on to the terminal server. Well, I have given the appropriate users the allow logon locally rights on the new Terminal Server, but cannot get past the "unable to logon interactively" error. The old terminal server was a DC, on which I had to make the users members of the administrators group to get it to work. This is one of the reasons I made a new one. I want to keep it as a member server only and still allow certain users access to the network. Any ideas?

Hi cheesebugah,

There are separate security policies for domain controllers and other computers.  Did you set the Logon locally right in the correct policy for the member server?



I believe that would be the Local Security Policy\Local Policies\User Rights Assignment folder on the said member server.

Not if your machine is in a domain; the domain security policies will override the local security policy.


Why are we playing a guessing game?  If you know how to get this to work, why don't you just tell me?  



Even though my new Terminal Server is a member server, not a DC?


As for guessing: I've never experienced any TS problems with either my DCs or my member servers (and I have about a dozen of them), so my "guessing" is trying to guess what you still need to do.  

You need to set the rights on the policy that affects the server in question.  If it's not a DC, then it is the default domain policy, not the DC policy, unless you have added additional policies to your AD.

The Local Security policies on machines that are members of a domain are overwritten by the AD default domain policy (by default - although it depends upon the location of the computer in the AD tree).

I'm trying to help, but maybe you can dial back the 'tude just a little.


If it is just a member server, and it is a member of the domain, then its local policy will be overwritten by the domain level policy. You probably need to create a new OU and place your terminal server in it. Then give it a GPO that allows logon locally rights...


I got it, thanks!

I have the same problem, but a tad bit different.  

I have an SQL server (member server) in the domain controllers OU running w2k3. So it is getting the DefaultDomainController's policy. The problem is that I have consultants wanting to connect via TS administrative mode to administer the server (IIS, SQL, etc.), but in order for me to be able to set the Allow Log on locally security setting and Allow log on through Terminal Services on that box, I have to do it at the OU level (effectively giving them rights to log on to all servers in that OU). I think that is correct, because when I go to the local sec policy on the SQL server the option to add and remove users and groups is there, but the Add and Remove buttons are greyed out, whereas on the OU GPO they are not.

This is funny, because I can set these policies on a 2000 windows server I have. Also, they are local admins on this new 2k3 box with SQL on it.


Always a bugger that one. If a server is a member server it will get the Default Domain Controller policy regardless, because it is a *member* server. Standalone is different :). What you could try is creating an OU and placing the Terminal Server computer in it. Then create a GPO with the desired Logon Locally rights and specify the No Override option on the GPO object.

I think this might work. Try it and let me know if it does.

worked.. thanks!


Another solution is to add REMOTE INTERACTIVE LOGON to "Allow logon through terminal services" in the local security policy of the Terminal Server (Not the DC)
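
An added example, not part of the thread or any participant's post: one way to check which accounts actually hold the logon rights discussed above on the terminal server, and which GPOs the machine is receiving. It assumes an elevated PowerShell 2.0 or later session on the member server; the temporary file name is chosen for this example.

```powershell
# Added example. Run elevated on the terminal server itself (the member server).
# Logon-right constants as they appear in a secedit export, mapped to their policy names.
$rights = @{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Terminal Services'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}

# Export entries are account names or SIDs prefixed with '*'; translate SIDs to names.
function Resolve-Principal([string]$Entry) {
    $Entry = $Entry.Trim()
    if ($Entry -notmatch '^\*S-1-') { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Entry   # orphaned or unresolvable SID: report it as-is
    }
}

# Export the User Rights Assignment section of this machine's security settings.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # file name chosen for this example
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg

foreach ($name in ($rights.Keys | Sort-Object)) {
    # Anchored match so SeInteractiveLogonRight does not pick up the Remote/Deny variants.
    $line = $lines | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    if ($line) {
        $who = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Principal $_ })
    } else {
        $who = @('(not assigned)')
    }
    New-Object PSObject -Property @{
        Right = $rights[$name]; Constant = $name; Principals = ($who -join '; ')
    } | Select-Object Right, Constant, Principals
}

# List the GPOs applied to this computer, to see where the values above come from.
gpresult /scope computer /v
```

An account listed under both an Allow and a Deny right is denied, since the deny logon rights take precedence.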



"We are all of us in the gutter, but some are looking to the stars" - Oscar Wilde