domain controller local policy

As administrator, I logged on to the domain using Terminal Services and created a user USER1 [authenticated user], then logged off and tried to log back on to the domain through Terminal Services as USER1, but received a message that I can't log in because of the local policy...

I would like to know what this means, and what needs to be fixed so that USER1 is able to log on to the domain through Terminal Services.


You need to allow the user Terminal Services access; this is done inside AD.

Also, you may need to check your TS licensing to ensure you're not out of licences.

Is user1 in a group with the right to log in via Terminal Services?
In W2K the group should have the 'log on locally' right.
In W2K3 Server it should be part of the user group 'Remote Desktop Users'.

Also ensure that your Terminal Server is not in Remote Administration Mode. Only Administrators can log on under this mode.

If you go to start -- Administrators -- Terminal Server Configuration -- Right Click the RDP-Tcp in the Right hand Pane and select Properties.  Click on the Permissions Tab and add User1

The reason you cannot log in is that the user does not have permission to log on to the server locally (even though you are connecting through Terminal Services, you are still connecting locally to the server when you attempt to log in).

To solve this, you can change the local login setting using the group policy that affects the organizational unit that the server is in (this is under the active directory users and computers MMC snap-in).

If you need more help on how to change this setting let me know.

OR add user1 to the Remote Desktop User Group, then they should have rights
Chuckbuchan (Author) commented:
To TheTull: I guess you are much closer to where my problem is.
But I still wonder why I can't log on to that domain controller with USER1. As long as USER1 is a domain user, why should I have to set up the local policy for the DC?

Let me explain in detail how I created that USER1:
from a W2000 Pro workstation I used TS to log on to the domain and create USER1 in AD, then logged off and tried to log back in with USER1, but could not.

In AD the user USER1 is allowed access to TS (I checked that box), so the problem should be in the DC local policy.
The reason is that all domain controllers by default have a strict local login policy; this is to protect them from users who could potentially log on and cause harm to your server. By default only administrators are allowed to log on locally. Remember that Windows considers domain controllers to be very vital (and they are quite vital), so it will protect them as much as it can by default.
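
As an added illustration (not part of the thread), this Python sketch reads a user-rights export such as the one `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes on the domain controller and reports whether an account holds the local and Terminal Services logon rights discussed above. The sample export, the SIDs used for USER1 and the function names are constructed for the example.

```python
# Constructed sample of a secedit user-rights export. The real file is
# UTF-16; decode it to text before passing it to parse_privilege_rights().
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

# (allow right, deny right) for each kind of logon.
ALLOW_DENY = {
    "local": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "remote": ("SeRemoteInteractiveLogonRight",
               "SeDenyRemoteInteractiveLogonRight"),
}

def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # Entries are comma-separated; SIDs carry a leading '*'.
            rights[name.strip()] = {p.strip().lstrip("*").lower()
                                    for p in value.split(",") if p.strip()}
    return rights

def logon_verdict(rights, principals):
    """principals: the account's own SID or name plus every group it is in."""
    who = {p.lower() for p in principals}
    verdict = {}
    for kind, (allow, deny) in ALLOW_DENY.items():
        granted = bool(who & rights.get(allow, set()))
        denied = bool(who & rights.get(deny, set()))
        verdict[kind] = granted and not denied  # a deny right overrides allow
    return verdict

# Constructed principals; the domain SID is a placeholder, not a real one.
USER1 = ["S-1-5-21-1111111111-2222222222-3333333333-1105",  # USER1 itself
         "S-1-5-21-1111111111-2222222222-3333333333-513",   # Domain Users
         "S-1-5-32-555"]                                     # Remote Desktop Users
ADMIN = USER1[:1] + ["S-1-5-32-544"]                         # BUILTIN\Administrators

if __name__ == "__main__":
    r = parse_privilege_rights(SAMPLE_INF)
    print("USER1:", logon_verdict(r, USER1))
    print("admin:", logon_verdict(r, ADMIN))
```

With the constructed export, USER1 is refused both kinds of logon even though it is in Remote Desktop Users, because only Administrators hold the rights on this machine.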