Remote Desktop / Terminal Services Issue

Hello,
We have a mixed environment of Win2K Pro and Win XP Pro desktops with all DCs on Windows 2000 Server and some member servers on Windows 2003 Server.

As of today we started having issues when attempting to connect to a client workstation using Remote Desktop. We can log on using our own username/password as I am also a Domain Admin. The issue appears when trying to log on as the user. I get an error stating "The local policy of the system does not permit you to logon interactively". Nothing has changed on our domain that we know of except that the Default Domain Controller's Policy was edited. I checked the default domain policy and nothing was defined. I tried using ntrights to set the policy but I get an error that reads "ERROR Open Policy -some numbers". This is affecting all our desktops and we can't determine a reason why. If someone could point me in the right direction as to what else to check I'd appreciate it.

Thanks.
liquid22 Asked:
tmorrison3 Commented:
Check the default domain policy also - Somewhere the logon locally policy is set to administrator.
I would verify all your permissions and policies are correct before looking at anything else.

0
liquid22 Author Commented:
I forgot to mention that I did verify the default domain policy. Its current settings do not define any "deny logon" policy and for grins I set the allow logon policy to "Everyone", "Authenticated Users", "Domain Admins", "Domain Users", and "BUILTIN\Administrators" and still no luck. I have applied secedit /refreshpolicy machine_policy /enforce several times after making changes but still no luck. Any other things I should check that I might be overlooking?

0
tmorrison3 Commented:
Check in the local computer policy for the "Log on Locally" and see what the effective permissions are set to. I had this problem a while back with a server - I didn't change anything and all of a sudden I couldn't log on interactively. It was an explicit DENY - so check the deny local logon as well.
0
tmorrison3 Commented:
0
liquid22 Author Commented:
I've read all of those today and tried.  The one thing I haven't tried is to manually edit the GptTmpl.ini file back to original settings.  I'll do that and try it out tomorrow and see if it works.  If it does I'll award my points to you.

Thanks.
0
binary_1001010 Commented:
NO NO, do not set default domain policy, set only default controller domain policy. Make sure the setting in default domain policy is set to not define. In default controller domain policy, make sure allow logon locally and allow logon through terminal server is defined.
0
liquid22 Author Commented:
That is actually exactly how I have everything configured but still no luck.  What's odd is this didn't start until I modified the default domain controller's policy.  It appears that it's "bleeding" over to the rest of the domain though I don't know how but even if I revert the settings I made to the default domain policy it doesn't correct my issue.
0
liquid22 Author Commented:
Okay I'm at a total loss on this one.

Here's what I have set. My Default Domain Policy has nothing defined. I've refreshed the policy across the domain and notice on my PC, which I'm using for testing, my local policy has the following groups under "Log on Locally":
Administrators
Backup Operators
Guest
Power Users
Users

Under "Deny Logon Locally" there is the following account:
SUPPORT_388945a0, which I believe should be there.

If I attempt to log onto my PC using the test account created I still get the interactive logon error. There's nothing I can see that is outright denying this privilege. I can log on using my regular credentials but I'm a Domain Admin. I've tried every Microsoft fix I can find on the subject and reinstalling the O/S isn't an option since it's affecting every single PC running XP Pro. Can anyone think of anything else I'm overlooking?

Thanks in advance.
0
liquid22 Author Commented:
I should mention this is only happening via Remote Desktop connections - the end users can log on locally to their terminals without any issues. There are times, though, when us Admins need to connect to a desktop and log on as the end user and that's where the problem comes up.
0
liquid22 Author Commented:
Okay I have figured out this problem after chasing my tail for many hours.

Apparently another admin was making desktop changes and removed our users out of the local administrators group, which is a good thing, but forgot to add them to the remote desktop group so naturally as we tried to log on as the user we couldn't because only administrators can do this by default.

So now I change my question - does anyone know how I can remotely add say "Domain Users" to each PC's Remote Desktop Users group without having to touch each PC?

Thanks.
0
tmorrison3 Commented:
Add a policy that does a computer Startup script.
For the script do "net localgroup Administrators DOMAINGROUPNAME /add"
0
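
The startup-script approach from the answer above, as an added example that is not part of the original thread: it targets the local Remote Desktop Users group named in the question instead of Administrators, so users can log on over Remote Desktop without regaining local admin rights. `EXAMPLEDOM\Domain Users` and the log path are placeholders.

```batch
@echo off
rem Added example: computer startup script, assigned through a GPO so it runs as Local System.
rem EXAMPLEDOM\Domain Users and the log path are placeholders, not values from the thread.
setlocal
set "LOCAL_GROUP=Remote Desktop Users"
set "DOMAIN_GROUP=EXAMPLEDOM\Domain Users"
set "LOG=%SystemRoot%\Temp\rdu-membership.log"

rem Skip machines where the local group does not exist.
net localgroup "%LOCAL_GROUP%" >nul 2>&1
if errorlevel 1 goto :nogroup

rem Idempotent: leave the machine alone if the domain group is already a member.
net localgroup "%LOCAL_GROUP%" | find /i "%DOMAIN_GROUP%" >nul
if not errorlevel 1 goto :eof

rem Add the domain group and record the outcome so failures can be found later.
net localgroup "%LOCAL_GROUP%" "%DOMAIN_GROUP%" /add >nul 2>&1
if errorlevel 1 goto :failed
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% added "%DOMAIN_GROUP%" to "%LOCAL_GROUP%"
goto :eof

:nogroup
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% local group "%LOCAL_GROUP%" not found, skipped
goto :eof

:failed
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% FAILED to add "%DOMAIN_GROUP%" to "%LOCAL_GROUP%"
goto :eof
```

After the next reboot of a test machine, `net localgroup "Remote Desktop Users"` shows whether the group was added.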
liquid22 Author Commented:
Thanks.
0