[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Users unable to log on to Terminal Server

Posted on 2006-04-07
16
Medium Priority
?
352 Views
Last Modified: 2013-11-21
I'm in the process of setting up a terminal server on a Win2K server but have hit a snag where by users can't log on a TS session.  They get an error to say "You are not allowed to log on interactively......".

I have checked in AD for the users and they have the box ticked to say allow log on to Terminal Server.  If I set them as domain admins then they can log in, but obviously I don't want them given those sorts of permissions.

I've created a Global Group for TS users but I guess I need a permissions somewhere to activate that.  Any suggestions?
0
Comment
Question by:DubberDan
  • 5
  • 4
  • 4
  • +2
16 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 500 total points
ID: 16399086
Hi DubberDan,

check your policies - compt settings - windows components - security settings - local policies - user rights assignment   \  allow logon through terminal services

also make sure your members are a part of the remote desktop group and that it is allowed in that policy

Cheers!
0
 

Author Comment

by:DubberDan
ID: 16399143
Hmm, I've just gone into group policy editor but get a message come up to say:

"The following entry int he [strings] section is too long and has been truncated."

It then goes on about all sorts of things.  Clicking Ok gets rid of it to be replaced by something similar but the text after it then is differen.  This keeps going for 10 - 20 messages but I never seem to get past it.

Help!!!
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16399158
seen that before as well!

http://support.microsoft.com/?id=842933
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 

Author Comment

by:DubberDan
ID: 16399410
Ah, ok.  Seems there are fixes for everything but 2K server!!  Oh well the work around of clicking past them all seems to do the trick.  Just not sure whay it's cropped up as it worked the last time I used the policy editor and thats the only place I've used for altering polices.  Another microsoftism I gues!!!.

Back to the original question.  I can see "allow logon through terminal services" within policies but I did see an setting for "Log on locally" so I have added in the global group I'd created to that.  But that doesn't seem to have done the trick.  Is it because this is Win 2K server?

Next thing to try?
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16399604
Win2K string error patch, it is very common to need this, though if all updates and patches are installed it should fix itself:
http://www.microsoft.com/downloads/details.aspx?familyid=BA478B46-3AF7-4EAF-9CE6-E34EA2C74FAF&displaylang=en
0
 
LVL 5

Expert Comment

by:Dawilliams
ID: 16399938
The setting your looking for in in the "local security policy" on the terminals server "allow log on locally"
0
 
LVL 5

Expert Comment

by:Dawilliams
ID: 16399963
sorry about the typo's just add the group or user you want to access the terminal server and voila
0
 

Author Comment

by:DubberDan
ID: 16400737
There's no option for "Allow logo on locally" but there is just "Log on locally".  Have tried setting it for both local and domain policies but still no joy.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16400903
make sure the user isnt denied the right   in the deny user logon policy

also make sure you are editing the default domain controller policy
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16400956
It has been mentioned above but...
>>"I've created a Global Group for TS users but I guess I need a permissions somewhere to activate that.  Any suggestions?"
This group needs to be added to the "Remote users group" on the terminal server itself, not the domain group in AD.
0
 

Author Comment

by:DubberDan
ID: 16401289
The server is also our DC so I can only access AD and not users/groups in Computer Management.  So where do I find this "Remote users group" for the TS?
0
 
LVL 3

Expert Comment

by:acsmedic
ID: 16401370
Go to administrative tools - Terminal services configuration - expand connections - Right click on the RDP-TCP - select properties - Permissions tab and add the domain group that you want to have access.

As long as that group does not have an explicit Deny logon locally somewhere and has logon local right this should solve your issue.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16401743
As acsmedic  suggested, or in this case use the remote desktop built in domain group. Should accomplish the same thing where you are accessing the same machine.

However, It seems to me there are issues with running TS on a DC for other than admin purposes, or is that what you are trying to achieve. There are also issues with giving non-domain admins access to the DC.
0
 
LVL 78

Assisted Solution

by:Rob Williams
Rob Williams earned 500 total points
ID: 16401796
Because it is a DC you will need to modify the domain policy as per:
http://support.microsoft.com/default.aspx?scid=kb;en-us;q247989

Were you able to apply the patch above so you can access your GP management Console?
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16416324
Thanks DubberDan,
--Rob
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16416331
cheers mate!

Hoi Hoi Rob!
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
In this article I will be showing you how to subnet the easiest way possible for IPv4 (Internet Protocol version 4). This article does not cover IPv6. Keep in mind that subnetting requires lots of practice and time.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question