Solved

Terminal Server member server logon locally issues

Posted on 2004-04-08
Last Modified: 2010-04-13
I just created a new member server which I want to use to replace my old terminal server on my network.  I have read all about the logon locally user rights that you need to avoid the "unable to logon interactively" error while attempting to logon to the terminal server.  Well, I have given the appropriate users the allow logon locally rights on the new Terminal Server, but cannot get past the "unable to logon interactively" error.  The old terminal server was a DC, which I had to make the users a member of the administrators group to get it to work.  This is one of the reasons I made a new one.  I want to keep it as a member server only and still allow certain users access to the network.  Any ideas?
Question by:cheesebugah
13 Comments
 
LVL 5

Expert Comment

by:millsoft
ID: 10787329
Hi cheesebugah,

There are separate security policies for domain controllers and other computers.  Did you set the Logon locally right in the correct policy for the member server?

Cheers!
Brad
0
 

Author Comment

by:cheesebugah
ID: 10787612
I believe that would be the Local Security Policy\Local Policies\User Rights Assignment folder on the said member server.
0
 
LVL 5

Expert Comment

by:millsoft
ID: 10787720
Not if your machine is in a domain; the domain security policies will override the local security policy.

0

 

Author Comment

by:cheesebugah
ID: 10787772
Why are we playing a guessing game?  If you know how to get this to work, why don't you just tell me?  
0
 
LVL 2

Accepted Solution

by:
spakko earned 2000 total points
ID: 10788494
From Administrative tools pick Domain Controller Security Policy. Under user rights (as you said above) add the user / group to the Logon Locally right. Ensure that your users in Active Directory Users & Computers have the right to use Terminal Services.

Now make sure your DCs are replicated. Open Active Directory Sites & Services and force replication as in http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prmd_stp_ccgm.asp

Now make sure that policy is updated, run: secedit /refreshpolicy user_policy

Try again. If this does not work, something weird is going on...
0
 

Author Comment

by:cheesebugah
ID: 10789154
spakko,

Even though my new Terminal Server is a member server, not a DC?
0
 
LVL 5

Expert Comment

by:millsoft
ID: 10789193
Cheese,

As for guessing: I've never experienced any TS problems with either my DCs or my member servers (and I have about a dozen of them), so my "guessing" is trying to guess what you still need to do.  

You need to set the rights on the policy that affects the server in question.  If it's not a DC, then it is the default domain policy, not the DC policy, unless you have added additional policies to your AD.

The Local Security policies on machines that are members of a domain are overwritten by the AD default domain policy (by default - although it depends upon the location of the computer in the AD tree).

I'm trying to help, but maybe you can dial back the 'tude just a little.

Regards,
Brad

0
 
LVL 2

Expert Comment

by:spakko
ID: 10789586
If it is just a member server, and it is a member of the domain, then its local policy will be overwritten by the domain level policy. You probably need to create a new OU and place your terminal server in it. Then give it a GPO that allows logon locally rights...
0
 

Author Comment

by:cheesebugah
ID: 10791394
I got it, thanks!
0
 

Expert Comment

by:captjwh
ID: 10845851
I have the same problem, but a tad bit different.  

I have an SQL server (member server) in the domain controllers OU running w2k3.  So it is getting the DefaultDomainController's policy.  The prob is that I have consultants wanting to connect via TS administrative mode to administer the server (IIS, SQL, etc.), but in order for me to be able to set the Allow Log on locally security setting and Allow log on through Terminal Services on that box, I have to do it at the OU level (effectively giving them rights to log on to all servers in that OU).  I think that is correct, 'cause when I go to the local sec policy on the SQL server the option to add and remove users and groups is there, but the Add and Remove buttons are greyed out, whereas on the OU GPO they are not.

This is funny, 'cause I can set these policies on a 2000 Windows server I have.  Also, they are local admins on this new 2k3 box with SQL on it.

Suggestions?
0
 
LVL 2

Expert Comment

by:spakko
ID: 10847759
Always a bugger that one. If a server is a member server it will get the Default Domain Controller policy regardless, because it is a *member* server. Standalone is different :). What you could try is creating an OU and placing the Terminal Server computer in it. Then create a GPO with the desired Logon Locally rights and specify the No Override option on the GPO object.

I think this might work. Try it and let me know if it does.
0
 

Expert Comment

by:captjwh
ID: 10863867
worked.. thanks!
0
 

Expert Comment

by:bcallear
ID: 11144576
Hi,

Another solution is to add REMOTE INTERACTIVE LOGON to "Allow logon through terminal services" in the local security policy of the Terminal Server (Not the DC)

Cheers

B

"We are all of us in the gutter, but some are looking to the stars" - Oscar Wilde
0
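
A way to check which accounts actually hold the logon rights discussed in this thread after Group Policy has applied, as an added example that is not from any poster: it parses the `[Privilege Rights]` section of a `secedit` export and resolves the SIDs. The function names and the sample INF text are constructed for illustration.

```powershell
# Constructed sample of the INF text that secedit exports (not taken from the thread).
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

function Resolve-Holder {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; anything else is already a name.
    if ($Entry -notmatch '^\*(S-1-[\d-]+)$') { return $Entry }
    $sid = $Matches[1]
    try {
        $nt = [System.Security.Principal.NTAccount]
        $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate($nt).Value
        return "$name ($sid)"
    } catch { return "$sid (unresolved)" }   # deleted account or unreachable domain
}

function Get-LogonRight {
    param([string[]]$InfLines)
    $rights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight',
              'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
    $found = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights'); continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') { $found[$Matches[1]] = $Matches[2] }
    }
    foreach ($right in $rights) {
        $holders = @('(not defined)')
        if ($found.ContainsKey($right)) {
            $holders = @($found[$right] -split ',' | Where-Object { $_.Trim() } |
                         ForEach-Object { Resolve-Holder $_.Trim() })
        }
        [pscustomobject]@{ Right = $right; Holders = $holders -join '; ' }
    }
}

Get-LogonRight -InfLines $sampleInf | Format-Table -AutoSize -Wrap
# On the server itself (elevated), export the merged domain + local settings instead:
#   secedit /export /mergedpolicy /areas USER_RIGHTS /cfg "$env:TEMP\rights.inf"
#   Get-LogonRight (Get-Content "$env:TEMP\rights.inf")
```

Running `gpresult /scope computer /v` on the same server lists the GPOs applied to the computer, which shows whether the OU-level GPO or a domain-level one supplied the values reported here.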
