• Status: Solved

Remote Desktop / Terminal Services Issue

Hello,
We have a mixed environment of Win2K Pro and Win XP Pro desktops with all DCs on Windows 2000 Server and some member servers on Windows 2003 Server.

As of today we started having issues when attempting to connect to a client workstation using Remote Desktop.  We can log on using our own username/password as I am also a Domain Admin.  The issue appears when trying to log on as the user.  I get an error stating "The local policy of the system does not permit you to logon interactively".  Nothing has changed on our domain that we know of except that the Default Domain Controller's Policy was edited.  I checked the default domain policy and nothing was defined.  I tried using ntrights to set the policy but I get an error that reads "ERROR Open Policy -some numbers".  This is affecting all our desktops and I can't determine a reason why.  If someone could point me in the right direction as to what else to check I'd appreciate it.

Thanks.
Asked by: liquid22
 
tmorrison3 Commented:
Check the default domain policy also - Somewhere the logon locally policy is set to administrator.
I would verify all your permissions and policies are correct before looking at anything else.

 
liquid22 (Author) Commented:
I forgot to mention that I did verify the default domain policy.  Its current settings do not define any "deny logon" policy and for grins I set the allow logon policy to "Everyone", "Authenticated Users", "Domain Admins", "Domain Users", and "BUILTIN\Administrators" and still no luck.  I have applied secedit /refreshpolicy machine_policy /enforce several times after making changes but still no luck.  Any other things I should check that I might be overlooking?

 
tmorrison3 Commented:
Check in the local computer policy for the "Log on Locally" and see what the effective permissions are set to. I had this problem a while back with a server - I didn't change anything and all of a sudden I couldn't log on interactively. It was an explicit DENY - so check the deny local logon as well.
 
tmorrison3 Commented:
 
liquid22 (Author) Commented:
I've read all of those today and tried.  The one thing I haven't tried is to manually edit the GptTmpl.ini file back to original settings.  I'll do that and try it out tomorrow and see if it works.  If it does I'll award my points to you.

Thanks.
 
binary_1001010 Commented:
NO NO, do not set default domain policy, set only default controller domain policy.  Make sure the setting in default domain policy is set to not defined.  In default controller domain policy, make sure allow logon locally and allow logon through terminal server are defined.
 
liquid22 (Author) Commented:
That is actually exactly how I have everything configured but still no luck.  What's odd is this didn't start until I modified the default domain controller's policy.  It appears that it's "bleeding" over to the rest of the domain though I don't know how but even if I revert the settings I made to the default domain policy it doesn't correct my issue.
 
liquid22 (Author) Commented:
Okay I'm at a total loss on this one.

Here's what I have set.  My Default Domain Policy has nothing defined.  I've refreshed the policy across the domain and notice on my PC, which I'm using for testing, my local policy has the following groups under "Log on Locally":
Administrators
Backup Operators
Guest
Power Users
Users

Under "Deny Logon Locally" there is the following account:
SUPPORT_388945a0, which I believe should be there.

If I attempt to log onto my PC using the test account created I still get the interactive logon error.  There's nothing I can see that is outright denying this privilege.  I can log on using my regular credentials but I'm a Domain Admin.  I've tried every Microsoft fix I can find on the subject and reinstalling the O/S isn't an option since it's affecting every single PC running XP Pro.  Can anyone think of anything else I'm overlooking?

Thanks in advance.
 
liquid22 (Author) Commented:
I should mention this is only happening via Remote Desktop connections - the end users can log on locally to their terminals without any issues.  There are times, though, when us Admins need to connect to a desktop and log on as the end user and that's where the problem comes up.
 
liquid22 (Author) Commented:
Okay I have figured out this problem after chasing my tail for many hours.

Apparently another admin was making desktop changes and removed our users out of the local administrators group, which is a good thing, but forgot to add them to the remote desktop group so naturally as we tried to log on as the user we couldn't because only administrators can do this by default.

So now I change my question - does anyone know how I can remotely add say "Domain Users" to each PC's Remote Desktop Users group without having to touch each PC?

Thanks.
 
tmorrison3 Commented:
Add a policy that does a computer Startup script.
For the script do "net localgroup Administrators DOMAINGROUPNAME /add"
 
liquid22 (Author) Commented:
Thanks.
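An added example, not part of the original thread: a computer startup script of the kind suggested above, written against the local Remote Desktop Users group that the asker identified as the root cause, so users keep Remote Desktop logon without regaining local administrator rights. The group name EXAMPLE\Domain Users and the log path are placeholders assumed for illustration.

```batch
@echo off
rem Added example (not from the thread): computer startup script, assigned
rem through Group Policy, that grants Remote Desktop logon to a domain group
rem without putting that group back into the local Administrators group.
rem ASSUMPTIONS: DOMAIN_GROUP is a placeholder; the log path is hypothetical.
setlocal
set "DOMAIN_GROUP=EXAMPLE\Domain Users"
set "LOCAL_GROUP=Remote Desktop Users"
set "LOG=%SystemRoot%\Temp\rdu-membership.log"

rem Machines without the local group (for example Windows 2000 Professional
rem in a mixed environment) are skipped and logged instead of raising errors.
net localgroup "%LOCAL_GROUP%" >nul 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME%: "%LOCAL_GROUP%" not present, skipped>>"%LOG%"
    goto :eof
)

rem Idempotence: startup scripts run at every boot, so do nothing when the
rem domain group is already listed as a member.
net localgroup "%LOCAL_GROUP%" | find /i "%DOMAIN_GROUP%" >nul
if not errorlevel 1 goto audit

net localgroup "%LOCAL_GROUP%" "%DOMAIN_GROUP%" /add >nul 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME%: FAILED to add "%DOMAIN_GROUP%">>"%LOG%"
) else (
    echo %DATE% %TIME% %COMPUTERNAME%: added "%DOMAIN_GROUP%">>"%LOG%"
)

:audit
rem Record who holds local administrator rights so a reviewer can confirm
rem that ordinary users stayed out of the Administrators group.
echo %DATE% %TIME% %COMPUTERNAME%: current local Administrators:>>"%LOG%"
net localgroup Administrators>>"%LOG%"
endlocal
```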
