Solved

Terminal Server member server logon locally issues

Posted on 2004-04-08
Last Modified: 2010-04-13
I just created a new member server which I want to use to replace my old terminal server on my network. I have read all about the logon locally user rights that you need to avoid the "unable to logon interactively" error while attempting to log on to the terminal server. Well, I have given the appropriate users the allow logon locally rights on the new Terminal Server, but cannot get past the "unable to logon interactively" error. The old terminal server was a DC, which I had to make the users a member of the administrators group to get it to work. This is one of the reasons I made a new one. I want to keep it as a member server only and still allow certain users access to the network. Any ideas?
Question by:cheesebugah
LVL 5

Expert Comment

by:millsoft
Hi cheesebugah,

There are separate security policies for domain controllers and other computers.  Did you set the Logon locally right in the correct policy for the member server?

Cheers!
Brad
0
 

Author Comment

by:cheesebugah
I believe that would be the Local Security Policy\Local Policies\User Rights Assignment folder on the said member server.
0
 
LVL 5

Expert Comment

by:millsoft
Not if your machine is in a domain; the domain security policies will override the local security policy.

0
 

Author Comment

by:cheesebugah
Why are we playing a guessing game?  If you know how to get this to work, why don't you just tell me?  
0
 
LVL 2

Accepted Solution

by:
spakko earned 500 total points
From Administrative tools pick Domain Controller Security Policy. Under user rights (as you said above) add the user / group to the Logon Locally right. Ensure that your users in Active Directory Users & Computers have the right to use Terminal Services.

Now make sure your DCs are replicated. Open Active Directory Sites & Services and force replication as in http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prmd_stp_ccgm.asp

Now make sure that policy is updated, run: secedit /refreshpolicy user_policy

Try again. If this does not work, something weird is going on...
0
 

Author Comment

by:cheesebugah
spakko,

Even though my new Terminal Server is a member server, not a DC?
0
 
LVL 5

Expert Comment

by:millsoft
Cheese,

As for guessing: I've never experienced any TS problems with either my DCs or my member servers (and I have about a dozen of them), so my "guessing" is trying to guess what you still need to do.  

You need to set the rights on the policy that affects the server in question.  If it's not a DC, then it is the default domain policy, not the DC policy, unless you have added additional policies to your AD.

The Local Security policies on machines that are members of a domain are overwritten by the AD default domain policy (by default - although it depends upon the location of the computer in the AD tree).

I'm trying to help, but maybe you can dial back the 'tude just a little.

Regards,
Brad

0
 
LVL 2

Expert Comment

by:spakko
If it is just a member server, and it is a member of the domain, then its local policy will be overwritten by the domain level policy. You probably need to create a new OU and place your terminal server in it. Then give it a GPO that allows logon locally rights...
0
 

Author Comment

by:cheesebugah
I got it, thanks!
0
 

Expert Comment

by:captjwh
I have the same problem, but a tad bit different.  

I have an SQL server (member server) in the domain controllers OU running w2k3. So it is getting the DefaultDomainController's policy. The prob is that I have consultants wanting to connect via TS administrative mode to administer the server (IIS, SQL, etc.), but in order for me to be able to set the Allow Log on locally security setting and Allow log on through Terminal Services on that box, I have to do it at the OU level (effectively giving them rights to logon to all servers in that OU). I think that is correct 'cause when I go to the local sec policy on the SQL server the option to add and remove users and groups is there, but the Add and Remove buttons are greyed out, whereas on the OU GPO they are not.

This is funny, 'cause I can set these policies on a 2000 windows server I have. Also, they are local admins on this new 2k3 box with SQL on it.

Suggestions?
0
 
LVL 2

Expert Comment

by:spakko
Always a bugger that one. If a server is a member server it will get the Default Domain Controller policy regardless, because it is a *member* server. Standalone is different :). What you could try is creating an OU and placing the Terminal Server computer in it. Then create a GPO with the desired Logon Locally rights and specify the No Override option on the GPO object.

I think this might work. Try it and let me know if it does.
0
 

Expert Comment

by:captjwh
Worked... thanks!
0
 

Expert Comment

by:bcallear
Hi,

Another solution is to add REMOTE INTERACTIVE LOGON to "Allow logon through terminal services" in the local security policy of the Terminal Server (not the DC).

Cheers

B

"We are all of us in the gutter, but some are looking to the stars" - Oscar Wilde
0
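
The thread turns on which policy actually sets the two logon rights on the terminal server. The following is an added example, not part of any post above: it reports which accounts hold those rights on the local machine after Group Policy has been applied, and lists the GPOs that reached the computer. It assumes Windows PowerShell in an elevated session on a current Windows Server; the function name `Get-EffectiveLogonRights` is hypothetical.

```powershell
# Added example: report who holds the two logon rights discussed in this
# thread on the local machine. Run elevated on the terminal server itself.
$rights = @{
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Terminal Services'
}

function Get-EffectiveLogonRights {          # hypothetical helper name
    param([string]$InfPath)                  # optional: parse an existing export

    if (-not $InfPath) {
        $InfPath = Join-Path $env:TEMP 'user_rights.inf'
        # Export the current system user rights assignment (after GPO processing).
        secedit /export /cfg $InfPath /areas USER_RIGHTS | Out-Null
    }
    foreach ($line in Get-Content $InfPath) {
        if ($line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        if (-not $rights.ContainsKey($name)) { continue }
        foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }    # right defined but granted to nobody
            $account = $entry
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs as *S-1-...; resolve to a name if possible.
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $account = $entry.Substring(1) + ' (unresolved)'
                }
            }
            [pscustomobject]@{ Right = $rights[$name]; Constant = $name; Account = $account }
        }
    }
}

Get-EffectiveLogonRights | Sort-Object Right, Account | Format-Table -AutoSize

# GPOs applied to this computer: the place to look when the local policy
# editor shows the right but its Add/Remove buttons are greyed out.
gpresult /r /scope computer
```

If an expected user or group is missing from the output, the right is being set by one of the GPOs listed by `gpresult`, and that GPO (or one linked to the server's own OU) is where the account needs to be added.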