Solved

Terminal Services (multi-session mode) on Windows server 2003 PDC - can't logon = "You do not have access ..."

Posted on 2004-09-21
16
2,625 Views
Last Modified: 2012-08-13
I can't logon to a Terminal Services (multi-session) on Windows server 2003 PDC - I get error message "You do not have access to logon to this Session" - not even Administrator!

I have done the following:

1.  Set permissions on the RDO connection to allow Domain Users, Domain Admins, Administratours, Remote Desktop ... etc., to have full access
2.  Set Domain Controller Security policy to allow all those groups to logon locally, allow all those groups to logon through terminal services session
3.  Set Domain Security policy to same as 2, above
4.  Added users to local Remote Desktop Users group (should not be necessary?)
5.  Set all user profiles in Active Directory for users allowed to logon to terminal services

At the PDC Desktop and any other network computer, when I run mstsc, connect to the PDC, and try to  login via Remote Desktop Connection, I get the "You do not have access ..." message when I try to logon.

I've read and followed the advice/instructions of the other postings in this section - I still cannot logon via RDC.

What am I missing?

Thanks - Grant E.
0
Comment
Question by:grant-ellsworth
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 8
16 Comments
 
LVL 15

Expert Comment

by:harleyjd
ID: 12120302
so can you connect to the Remote Desktop OK, but not to the console using "mstsc /v:servername /console" or can you connect to neither?



0
 
LVL 1

Author Comment

by:grant-ellsworth
ID: 12122391
I can't conect to the remote desktop from anywhere using either the Administrator or nay other userid I assigned to group for allowing RDP access.  To restate: I CANNOT connect to the Remote Desktop OK, let alone the console . . .
0
 
LVL 1

Author Comment

by:grant-ellsworth
ID: 12122445
Clarification of last reply :  I CAN connect to the console and log in as administrator using /v:servername /console, but I CANNOT connect to thru an ordinary terminal services session.
0
MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

 
LVL 15

Expert Comment

by:harleyjd
ID: 12122618
:)

OK.

W2k3, right?

1.  Set permissions on the RDO connection

what bit? I might be telling you the same thing in a different way, but right click my computer, hit properties. Choose the remote tab and make sure the bottom checkbox is checked. Choose "select remote users" and add any requred groups there....

It should be on by default, and I think you're saying you did it, but I'm not 100% clear on that...

0
 
LVL 1

Author Comment

by:grant-ellsworth
ID: 12123598
Been there, done all that! It's a W2K3 DOMAIN CONTROLLER!  The MYComputer does NOT have a "select remote users" button on the Remote tab.  However, I did add the Users to Remote Desktop Users group and did all the gyrations in the Domain Controller Security Policy, and set the RDP Connection permissions, etc. (see first msg again!).
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 12123798
There's not need to get cranky - I am trying to help. I even said I thought you'd done it but I wasn't clear.

I am looking at a w2k domain controller, and it has the "select remote users" button enabled. There is nothing in there, as admins are enabled by default. I didn't need to set any permissions to enable Admin to do it, though I am not trying to allow joe blow to log in.

Have you had a look at the permissions tab in the Terminal Services Configuration mmc?

Admins get full control, and RDUsers get User and Guest access. Check also that it's bound to the correct adaptor.

0
 
LVL 1

Author Comment

by:grant-ellsworth
ID: 12124179
Hello!  Sorry to project cranky - not intended!  And I thankyou for your attention, time, and help.  I had done everything you cited in setting this up before I posted the issue.  I kep thiking I missed something really subtle or so obvious it should be a snake on the plate.

You wrote --

I am looking at a w2k domain controller, and it has the "select remote users" button enabled. There is nothing in there, as admins are enabled by default. I didn't need to set any permissions to enable Admin to do it, though I am not trying to allow joe blow to log in.
----------
Well, there's a difference between W2k and W2K3 domain controllers in that respect.  MS documents in W2K3 that you can't use that path to assign users to the Remote Desktop Users group on a W2K3 Domain Controller.  This is where this mis-adventure began.  

Yes - I had a look at the Terminal Services config connection permissions - I had all groups I wanted allowed full access to the connection.  I got so frustrated with this I deleted the connection and  recreated it and then assigned the groups I wanted to have the access as having "full" access until I figured out how to make the simple thing work.  I've messed with the Domain Controller Security Policies, the Domain Policies, the GPEDIT.MSC, etc..  allowing the groups and the users by name to logon locally and to access via remote services; I didn't mess with the "Allow access from the network" because that already specified 'Everyone' == which I don't care about until I get the rest of the setup working.

I had a vagrent thought ... should I reboot this PDC??!!?? for all my changes to take effect?  Especially the RDP Connection params?

What do you think??
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 12128672
Sorry, missed the 3!

I was looking at a w2k3 server.

play some thinking music...
0
 
LVL 1

Author Comment

by:grant-ellsworth
ID: 12129602
For thinking music, try Bach's Chaconne from the Partita in D Minor as transcribed for Guitar ...

Problem solved.

Well I did reboot.  The thing now works.  Funny thing is I had rebooted earlier to see if that would fix anything - it did not.

The only thing I did between the previous reboot and the one I referred to was to delete the RDP connection from the TS Config Manager and create a new one.  Then I added the permissions = 1 additional group where I had assigned the remote users.

I am mystified - I should not have had to delete and create a new RDP connection.  I'm not even sure that I should have had to reboot.

It's voodoo.

Thanks for confirming that I had otherwise done everything I needed to do.

Side note on the W2K3 PDC and the Remote tab on the System / My Computer applet ...

On the W2K3 workgroup server in a domain, the "Show Remote Users" button does show.  On a Domain Controller, it does not.  This is discussed in the microsoft help page on Terminal Services.
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 12129632
Where can I post a screen cap of my DC's "Show Remote Users" tab? :)



0
 
LVL 1

Author Comment

by:grant-ellsworth
ID: 12129836
This gets curiouser and curiouser ... I'm wondering if we're referring to the same thing.

First - I noticed that I miskeyed the button label - should have been "Select Remote Users" , not "Show ... ".

Ok - let's get this clear straightened out and make sure we're writing about the same space.  Here's what i do to get to where I'm writing about - on the win2003 domain controller:

1.  click on Start button
2.  Right click on "My Computer" in Right Column of 2 column menu
3.  Left click on Properties item - bottom of popup menu to see the System Properties dialog box
4.  Click on "Remote" tab in upper right of the dialog box
5.  Bottom half of the Remote Tab is labeled "Remote Desktop" and has check box for "Allow uses to connect remotely to your computer."
6.  On my W2K3 Domain Controller, there is NO button in this box.  None.  zero. zip. zilch.
6b.  Same situation on my non-DC plain W2K3 server (I shot from "the lip" in previous post!)
7.  On my Windows XP systems there is a button saying "Select Remote Users"

So, if your DC has that button on the system properties remote tab, and mine does not, I'm wondering why.  

So, questions:  1.  Are we writing about the same area?  2.  If so, why would you have it on your PDC and I would not?

0
 
LVL 15

Expert Comment

by:harleyjd
ID: 12129870
1.  click on Start button
2.  Right click on "My Computer" in Right Column of 2 column menu
3.  Left click on Properties item - bottom of popup menu to see the System Properties dialog box
4.  Click on "Remote" tab in upper right of the dialog box
5.  Bottom half of the Remote Tab is labeled "Remote Desktop" and has check box for "Allow uses to connect remotely to your computer."
6.  On my W2K3 Domain Controller, there is a button in this box. One Uno (I don't know any other words for one). I also get a "learn more about" link
6b.  Same situation on a Client's SBS 2k3 server (So it's a DC, too)
7.  On my Windows XP systems there is a button saying "Select Remote Users"

Go figure. :)

I used the MSDN W2K3 version, and the client's is an Open Value licence. I can't see that being a difference, though.

Duuh - you have installed Terminal Services, haven't you? It's running in application mode, not Remote Admin mode. You do not need to choose Terminal Sevices for remote admin when setting up a W2k3 server anymore. It's enabled like a WXP machine...
0
 
LVL 1

Author Comment

by:grant-ellsworth
ID: 12130007
You're right - this is "go figure!"

To clear up and muddy the waters:

1.  Yes, I set the w2k3 DC for Terminal Services / application mode (in w2k lingo) - not Remote Admin mode.  Yes, I see it like an XP machine.

2.  My w2k3 DC is not an MSDN distribution CD - it's a MAPS distribution CD - So is my W2K3 plain

3.  MS's docs said clearly that we could not set up a Terminal Services multi-session mode on SBS 2k3.

From KB Article #828056

The Terminal Server component is not available in the Windows Components Wizard in Windows Small Business Server 2003
View products that this article applies to.
SYMPTOMS
On a Microsoft Windows Small Business Server 2003-based computer, Terminal Services is configured by using the Remote Desktop for Administration mode. If you open the Terminal Services Configuration console and try to change the mode for Terminal Services, the Licensing Mode dialog box contains the following message:

To change this server out of Remote Desktop for Administration, use Add/Remove Programs.
However, if you open Add/Remove Programs and then click Add/Remove Windows Components, the Windows Components Wizard does not list the Terminal Server component as the wizard does on the Standard, Enterprise, and Datacenter editions of Microsoft Windows Server 2003.

Note In Microsoft Windows 2000 Server, the Terminal Server component is named Terminal Services in Application Server mode, and the Remote Desktop for Administration component is named Terminal Services in Remote Administration mode.
CAUSE
Terminal Server is available on the Standard, Enterprise, and Datacenter editions of Windows Server 2003. In Windows Small Business Server 2003, only the Remote Desktop for Administration mode is available. Only this mode is available because Windows Small Business Server 2003 always runs on a domain controller, and if you run Terminal Server on a domain controller, you may risk the safety of the server and the safety of your organization's sensitive data.
RESOLUTION
To deploy Terminal Server on your Windows Small Business Server 2003-based network, you must install an additional Windows Server 2003-based computer.

Did you install a SBS2k3 using and MSDN CD distribution?  I wonder if MS changed their minds about TS on SBS between a late Developer distribution and the final retail?

Yeah - maybe we both need to go figure!
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 12130113
Nope. Both of these two are not, and intentionally not, running terminal service (yes, let's stick with W2k3 lingo!) and neither machine ever requires access by users, just by admin.

But you want more than 2 sessions running, so you need terminal services, is that correct? Is that why you said "multi session"? You can still have console and 2 sessions running for W2k3 remote desktop - it's only XP that is console or remote...
0
 
LVL 1

Author Comment

by:grant-ellsworth
ID: 12133123
Howdy

HarleyJD Wrote ...
But you want more than 2 sessions running, so you need terminal services, is that correct? Is that why you said "multi session"? You can still have console and 2 sessions running for W2k3 remote desktop - it's only XP that is console or remote...
----------------------------
 I needed more than 2 sessions for mere mortal users who would not have admin access to the server - that is why I wrote "Multi Session" - looking for some lingo to make it distinct from the Remote Admin mode.  Using the term "Terminal Services" by itself seemed to me to be ambiguous.  I wish Microsoft would stop muddying up its own waters by changing what terms mean and refer to in just one upgrade cycle.  In Win2000 (W2K), "Application Server" mode meant running Terminal Services for muultiple sessions to support users sharing applications on the server.  Now "Application Server" is all tied up with running IIS and web-based applications.
-----------
You understood what I was trying to do, so we got the problem solved.  Thanks again.
 
 
0
 
LVL 15

Accepted Solution

by:
harleyjd earned 300 total points
ID: 12133173
hah, yeah. Hiho...
0

Featured Post

Veeam gives away 10 full conference passes

Veeam is a VMworld 2017 US & Europe Platinum Sponsor. Enter the raffle to get the full conference pass. Pass includes the admission to all general and breakout sessions, VMware Hands-On Labs, Solutions Exchange, exclusive giveaways and the great VMworld Customer Appreciation Part

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question