DubberDan
asked on
Users unable to log on to Terminal Server
I'm in the process of setting up a terminal server on a Win2K server but have hit a snag where by users can't log on a TS session. They get an error to say "You are not allowed to log on interactively......".
I have checked in AD for the users and they have the box ticked to say allow log on to Terminal Server. If I set them as domain admins then they can log in, but obviously I don't want them given those sorts of permissions.
I've created a Global Group for TS users but I guess I need a permissions somewhere to activate that. Any suggestions?
I have checked in AD for the users and they have the box ticked to say allow log on to Terminal Server. If I set them as domain admins then they can log in, but obviously I don't want them given those sorts of permissions.
I've created a Global Group for TS users but I guess I need a permissions somewhere to activate that. Any suggestions?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ah, ok. Seems there are fixes for everything but 2K server!! Oh well the work around of clicking past them all seems to do the trick. Just not sure whay it's cropped up as it worked the last time I used the policy editor and thats the only place I've used for altering polices. Another microsoftism I gues!!!.
Back to the original question. I can see "allow logon through terminal services" within policies but I did see an setting for "Log on locally" so I have added in the global group I'd created to that. But that doesn't seem to have done the trick. Is it because this is Win 2K server?
Next thing to try?
Back to the original question. I can see "allow logon through terminal services" within policies but I did see an setting for "Log on locally" so I have added in the global group I'd created to that. But that doesn't seem to have done the trick. Is it because this is Win 2K server?
Next thing to try?
Win2K string error patch, it is very common to need this, though if all updates and patches are installed it should fix itself:
http://www.microsoft.com/downloads/details.aspx?familyid=BA478B46-3AF7-4EAF-9CE6-E34EA2C74FAF&displaylang=en
http://www.microsoft.com/downloads/details.aspx?familyid=BA478B46-3AF7-4EAF-9CE6-E34EA2C74FAF&displaylang=en
The setting your looking for in in the "local security policy" on the terminals server "allow log on locally"
sorry about the typo's just add the group or user you want to access the terminal server and voila
ASKER
There's no option for "Allow logo on locally" but there is just "Log on locally". Have tried setting it for both local and domain policies but still no joy.
make sure the user isnt denied the right in the deny user logon policy
also make sure you are editing the default domain controller policy
also make sure you are editing the default domain controller policy
It has been mentioned above but...
>>"I've created a Global Group for TS users but I guess I need a permissions somewhere to activate that. Any suggestions?"
This group needs to be added to the "Remote users group" on the terminal server itself, not the domain group in AD.
>>"I've created a Global Group for TS users but I guess I need a permissions somewhere to activate that. Any suggestions?"
This group needs to be added to the "Remote users group" on the terminal server itself, not the domain group in AD.
ASKER
The server is also our DC so I can only access AD and not users/groups in Computer Management. So where do I find this "Remote users group" for the TS?
Go to administrative tools - Terminal services configuration - expand connections - Right click on the RDP-TCP - select properties - Permissions tab and add the domain group that you want to have access.
As long as that group does not have an explicit Deny logon locally somewhere and has logon local right this should solve your issue.
As long as that group does not have an explicit Deny logon locally somewhere and has logon local right this should solve your issue.
As acsmedic suggested, or in this case use the remote desktop built in domain group. Should accomplish the same thing where you are accessing the same machine.
However, It seems to me there are issues with running TS on a DC for other than admin purposes, or is that what you are trying to achieve. There are also issues with giving non-domain admins access to the DC.
However, It seems to me there are issues with running TS on a DC for other than admin purposes, or is that what you are trying to achieve. There are also issues with giving non-domain admins access to the DC.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thanks DubberDan,
--Rob
--Rob
cheers mate!
Hoi Hoi Rob!
Hoi Hoi Rob!
ASKER
"The following entry int he [strings] section is too long and has been truncated."
It then goes on about all sorts of things. Clicking Ok gets rid of it to be replaced by something similar but the text after it then is differen. This keeps going for 10 - 20 messages but I never seem to get past it.
Help!!!