Solved

Terminal Services (multi-session mode) on Windows server 2003 PDC - can't logon = "You do not have access ..."

Posted on 2004-09-21
16
2,606 Views
Last Modified: 2012-08-13
I can't logon to a Terminal Services (multi-session) on Windows server 2003 PDC - I get error message "You do not have access to logon to this Session" - not even Administrator!

I have done the following:

1.  Set permissions on the RDO connection to allow Domain Users, Domain Admins, Administrators, Remote Desktop ... etc., to have full access
2.  Set Domain Controller Security policy to allow all those groups to logon locally, allow all those groups to logon through terminal services session
3.  Set Domain Security policy to same as 2, above
4.  Added users to local Remote Desktop Users group (should not be necessary?)
5.  Set all user profiles in Active Directory for users allowed to logon to terminal services

At the PDC Desktop and any other network computer, when I run mstsc, connect to the PDC, and try to  login via Remote Desktop Connection, I get the "You do not have access ..." message when I try to logon.

I've read and followed the advice/instructions of the other postings in this section - I still cannot logon via RDC.

What am I missing?

Thanks - Grant E.
0
Question by:grant-ellsworth
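Steps 2 and 3 of the question concern the user rights that gate a Terminal Services logon. The sketch below is an added example, not part of the original post: it is Python that parses a user-rights export such as the one written by `secedit /export /cfg rights.inf /areas USER_RIGHTS` and reports whether a set of SIDs holds "Allow log on through Terminal Services" without also matching the deny right. The sample INF text is constructed; the SIDs are the well-known ones for Administrators (S-1-5-32-544), Guests (S-1-5-32-546) and Remote Desktop Users (S-1-5-32-555). It checks user rights only, not the permissions on the RDP connection itself.

```python
import re

# Constructed sample of a secedit user-rights export (the real file is UTF-16).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

ALLOW = "SeRemoteInteractiveLogonRight"      # Allow log on through Terminal Services
DENY = "SeDenyRemoteInteractiveLogonRight"   # Deny log on through Terminal Services

def parse_privilege_rights(inf_text):
    """Return {right name: set of SIDs/account names} from [Privilege Rights]."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; plain account names have none.
            members = {v.strip().lstrip("*").upper()
                       for v in value.split(",") if v.strip()}
            rights[name.strip()] = members
    return rights

def ts_logon_verdict(rights, token_sids):
    """token_sids: the user's own SID plus the SID of every group it belongs to."""
    token = {s.upper() for s in token_sids}
    if rights.get(DENY, set()) & token:
        return "denied"        # a deny right overrides any allow
    if rights.get(ALLOW, set()) & token:
        return "allowed"
    return "not granted"       # no group of the user holds the allow right

if __name__ == "__main__":
    exported = parse_privilege_rights(SAMPLE_INF)
    print(ts_logon_verdict(exported, ["S-1-5-32-555"]))
```

In the constructed sample, Remote Desktop Users holds "log on locally" but not the Terminal Services right, so membership of that group alone comes back as "not granted".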
16 Comments
 
LVL 15

Expert Comment

by:harleyjd
so can you connect to the Remote Desktop OK, but not to the console using "mstsc /v:servername /console" or can you connect to neither?



0
 
LVL 1

Author Comment

by:grant-ellsworth
I can't connect to the remote desktop from anywhere using either the Administrator or any other userid I assigned to group for allowing RDP access.  To restate: I CANNOT connect to the Remote Desktop OK, let alone the console . . .
0
 
LVL 1

Author Comment

by:grant-ellsworth
Clarification of last reply :  I CAN connect to the console and log in as administrator using /v:servername /console, but I CANNOT connect thru an ordinary terminal services session.
0
 
LVL 15

Expert Comment

by:harleyjd
:)

OK.

W2k3, right?

1.  Set permissions on the RDO connection

what bit? I might be telling you the same thing in a different way, but right click my computer, hit properties. Choose the remote tab and make sure the bottom checkbox is checked. Choose "select remote users" and add any required groups there....

It should be on by default, and I think you're saying you did it, but I'm not 100% clear on that...

0
 
LVL 1

Author Comment

by:grant-ellsworth
Been there, done all that! It's a W2K3 DOMAIN CONTROLLER!  The MYComputer does NOT have a "select remote users" button on the Remote tab.  However, I did add the Users to Remote Desktop Users group and did all the gyrations in the Domain Controller Security Policy, and set the RDP Connection permissions, etc. (see first msg again!).
0
 
LVL 15

Expert Comment

by:harleyjd
There's no need to get cranky - I am trying to help. I even said I thought you'd done it but I wasn't clear.

I am looking at a w2k domain controller, and it has the "select remote users" button enabled. There is nothing in there, as admins are enabled by default. I didn't need to set any permissions to enable Admin to do it, though I am not trying to allow joe blow to log in.

Have you had a look at the permissions tab in the Terminal Services Configuration mmc?

Admins get full control, and RDUsers get User and Guest access. Check also that it's bound to the correct adaptor.

0
 
LVL 1

Author Comment

by:grant-ellsworth
Hello!  Sorry to project cranky - not intended!  And I thank you for your attention, time, and help.  I had done everything you cited in setting this up before I posted the issue.  I kept thinking I missed something really subtle or so obvious it should be a snake on the plate.

You wrote --

I am looking at a w2k domain controller, and it has the "select remote users" button enabled. There is nothing in there, as admins are enabled by default. I didn't need to set any permissions to enable Admin to do it, though I am not trying to allow joe blow to log in.
----------
Well, there's a difference between W2k and W2K3 domain controllers in that respect.  MS documents in W2K3 that you can't use that path to assign users to the Remote Desktop Users group on a W2K3 Domain Controller.  This is where this mis-adventure began.  

Yes - I had a look at the Terminal Services config connection permissions - I had all groups I wanted allowed full access to the connection.  I got so frustrated with this I deleted the connection and  recreated it and then assigned the groups I wanted to have the access as having "full" access until I figured out how to make the simple thing work.  I've messed with the Domain Controller Security Policies, the Domain Policies, the GPEDIT.MSC, etc..  allowing the groups and the users by name to logon locally and to access via remote services; I didn't mess with the "Allow access from the network" because that already specified 'Everyone' == which I don't care about until I get the rest of the setup working.

I had a vagrant thought ... should I reboot this PDC??!!?? for all my changes to take effect?  Especially the RDP Connection params?

What do you think??
0
 
LVL 15

Expert Comment

by:harleyjd
Sorry, missed the 3!

I was looking at a w2k3 server.

play some thinking music...
0

 
LVL 1

Author Comment

by:grant-ellsworth
For thinking music, try Bach's Chaconne from the Partita in D Minor as transcribed for Guitar ...

Problem solved.

Well I did reboot.  The thing now works.  Funny thing is I had rebooted earlier to see if that would fix anything - it did not.

The only thing I did between the previous reboot and the one I referred to was to delete the RDP connection from the TS Config Manager and create a new one.  Then I added the permissions = 1 additional group where I had assigned the remote users.

I am mystified - I should not have had to delete and create a new RDP connection.  I'm not even sure that I should have had to reboot.

It's voodoo.

Thanks for confirming that I had otherwise done everything I needed to do.

Side note on the W2K3 PDC and the Remote tab on the System / My Computer applet ...

On the W2K3 workgroup server in a domain, the "Show Remote Users" button does show.  On a Domain Controller, it does not.  This is discussed in the Microsoft help page on Terminal Services.
0
 
LVL 15

Expert Comment

by:harleyjd
Where can I post a screen cap of my DC's "Show Remote Users" tab? :)



0
 
LVL 1

Author Comment

by:grant-ellsworth
This gets curiouser and curiouser ... I'm wondering if we're referring to the same thing.

First - I noticed that I miskeyed the button label - should have been "Select Remote Users" , not "Show ... ".

Ok - let's get this straightened out and make sure we're writing about the same space.  Here's what I do to get to where I'm writing about - on the win2003 domain controller:

1.  click on Start button
2.  Right click on "My Computer" in Right Column of 2 column menu
3.  Left click on Properties item - bottom of popup menu to see the System Properties dialog box
4.  Click on "Remote" tab in upper right of the dialog box
5.  Bottom half of the Remote Tab is labeled "Remote Desktop" and has check box for "Allow users to connect remotely to your computer."
6.  On my W2K3 Domain Controller, there is NO button in this box.  None.  zero. zip. zilch.
6b.  Same situation on my non-DC plain W2K3 server (I shot from "the lip" in previous post!)
7.  On my Windows XP systems there is a button saying "Select Remote Users"

So, if your DC has that button on the system properties remote tab, and mine does not, I'm wondering why.  

So, questions:  1.  Are we writing about the same area?  2.  If so, why would you have it on your PDC and I would not?

0
 
LVL 15

Expert Comment

by:harleyjd
1.  click on Start button
2.  Right click on "My Computer" in Right Column of 2 column menu
3.  Left click on Properties item - bottom of popup menu to see the System Properties dialog box
4.  Click on "Remote" tab in upper right of the dialog box
5.  Bottom half of the Remote Tab is labeled "Remote Desktop" and has check box for "Allow users to connect remotely to your computer."
6.  On my W2K3 Domain Controller, there is a button in this box. One Uno (I don't know any other words for one). I also get a "learn more about" link
6b.  Same situation on a Client's SBS 2k3 server (So it's a DC, too)
7.  On my Windows XP systems there is a button saying "Select Remote Users"

Go figure. :)

I used the MSDN W2K3 version, and the client's is an Open Value licence. I can't see that being a difference, though.

Duuh - you have installed Terminal Services, haven't you? It's running in application mode, not Remote Admin mode. You do not need to choose Terminal Services for remote admin when setting up a W2k3 server anymore. It's enabled like a WXP machine...
0
 
LVL 1

Author Comment

by:grant-ellsworth
You're right - this is "go figure!"

To clear up and muddy the waters:

1.  Yes, I set the w2k3 DC for Terminal Services / application mode (in w2k lingo) - not Remote Admin mode.  Yes, I see it like an XP machine.

2.  My w2k3 DC is not an MSDN distribution CD - it's a MAPS distribution CD - So is my W2K3 plain

3.  MS's docs said clearly that we could not set up a Terminal Services multi-session mode on SBS 2k3.

From KB Article #828056

The Terminal Server component is not available in the Windows Components Wizard in Windows Small Business Server 2003
SYMPTOMS
On a Microsoft Windows Small Business Server 2003-based computer, Terminal Services is configured by using the Remote Desktop for Administration mode. If you open the Terminal Services Configuration console and try to change the mode for Terminal Services, the Licensing Mode dialog box contains the following message:

To change this server out of Remote Desktop for Administration, use Add/Remove Programs.
However, if you open Add/Remove Programs and then click Add/Remove Windows Components, the Windows Components Wizard does not list the Terminal Server component as the wizard does on the Standard, Enterprise, and Datacenter editions of Microsoft Windows Server 2003.

Note In Microsoft Windows 2000 Server, the Terminal Server component is named Terminal Services in Application Server mode, and the Remote Desktop for Administration component is named Terminal Services in Remote Administration mode.
CAUSE
Terminal Server is available on the Standard, Enterprise, and Datacenter editions of Windows Server 2003. In Windows Small Business Server 2003, only the Remote Desktop for Administration mode is available. Only this mode is available because Windows Small Business Server 2003 always runs on a domain controller, and if you run Terminal Server on a domain controller, you may risk the safety of the server and the safety of your organization's sensitive data.
RESOLUTION
To deploy Terminal Server on your Windows Small Business Server 2003-based network, you must install an additional Windows Server 2003-based computer.

Did you install a SBS2k3 using an MSDN CD distribution?  I wonder if MS changed their minds about TS on SBS between a late Developer distribution and the final retail?

Yeah - maybe we both need to go figure!
0
 
LVL 15

Expert Comment

by:harleyjd
Nope. Both of these two are not, and intentionally not, running terminal service (yes, let's stick with W2k3 lingo!) and neither machine ever requires access by users, just by admin.

But you want more than 2 sessions running, so you need terminal services, is that correct? Is that why you said "multi session"? You can still have console and 2 sessions running for W2k3 remote desktop - it's only XP that is console or remote...
0
 
LVL 1

Author Comment

by:grant-ellsworth
Howdy

HarleyJD Wrote ...
But you want more than 2 sessions running, so you need terminal services, is that correct? Is that why you said "multi session"? You can still have console and 2 sessions running for W2k3 remote desktop - it's only XP that is console or remote...
----------------------------
 I needed more than 2 sessions for mere mortal users who would not have admin access to the server - that is why I wrote "Multi Session" - looking for some lingo to make it distinct from the Remote Admin mode.  Using the term "Terminal Services" by itself seemed to me to be ambiguous.  I wish Microsoft would stop muddying up its own waters by changing what terms mean and refer to in just one upgrade cycle.  In Win2000 (W2K), "Application Server" mode meant running Terminal Services for multiple sessions to support users sharing applications on the server.  Now "Application Server" is all tied up with running IIS and web-based applications.
-----------
You understood what I was trying to do, so we got the problem solved.  Thanks again.
 
 
0
 
LVL 15

Accepted Solution

by:
harleyjd earned 300 total points
hah, yeah. Hiho...
0
