Users unable to log on to Terminal Server

I'm in the process of setting up a terminal server on a Win2K server but have hit a snag whereby users can't log on to a TS session.  They get an error to say "You are not allowed to log on interactively......".

I have checked in AD for the users and they have the box ticked to say allow log on to Terminal Server.  If I set them as domain admins then they can log in, but obviously I don't want them given those sorts of permissions.

I've created a Global Group for TS users but I guess I need a permission somewhere to activate that.  Any suggestions?

Hi DubberDan,

Check your policies - computer settings - windows components - security settings - local policies - user rights assignment \ allow logon through terminal services.

Also make sure your members are a part of the remote desktop group and that it is allowed in that policy.


DubberDan (Author) Commented:
Hmm, I've just gone into group policy editor but get a message come up to say:

"The following entry in the [strings] section is too long and has been truncated."

It then goes on about all sorts of things.  Clicking OK gets rid of it to be replaced by something similar but the text after it then is different.  This keeps going for 10 - 20 messages but I never seem to get past it.

Seen that before as well!

DubberDan (Author) Commented:
Ah, ok.  Seems there are fixes for everything but 2K server!!  Oh well, the workaround of clicking past them all seems to do the trick.  Just not sure why it's cropped up as it worked the last time I used the policy editor and that's the only place I've used for altering policies.  Another microsoftism I guess!!!

Back to the original question.  I can see "allow logon through terminal services" within policies but I did see a setting for "Log on locally" so I have added in the global group I'd created to that.  But that doesn't seem to have done the trick.  Is it because this is Win 2K server?

Next thing to try?
Rob Williams Commented:
Win2K string error patch, it is very common to need this, though if all updates and patches are installed it should fix itself:
The setting you're looking for is in the "local security policy" on the terminal server: "allow log on locally".
Sorry about the typos. Just add the group or user you want to access the terminal server and voila.
DubberDan (Author) Commented:
There's no option for "Allow log on locally" but there is just "Log on locally".  Have tried setting it for both local and domain policies but still no joy.
Make sure the user isn't denied the right in the deny user logon policy.

Also make sure you are editing the default domain controller policy.
Rob Williams Commented:
It has been mentioned above but...
>>"I've created a Global Group for TS users but I guess I need a permissions somewhere to activate that.  Any suggestions?"
This group needs to be added to the "Remote users group" on the terminal server itself, not the domain group in AD.
DubberDan (Author) Commented:
The server is also our DC so I can only access AD and not users/groups in Computer Management.  So where do I find this "Remote users group" for the TS?
Go to administrative tools - Terminal services configuration - expand connections - Right click on the RDP-TCP - select properties - Permissions tab and add the domain group that you want to have access.

As long as that group does not have an explicit Deny logon locally somewhere and has logon local right this should solve your issue.
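The allow/deny check the answers above describe can be run offline against an exported security template (for example one written by `secedit /export`). This is an added example, not part of the original thread; the SIDs and the sample template are constructed, and the two constants are the internal names of the "Log on locally" and "Deny logon locally" rights.

```python
import configparser

# Constructed sample in the [Privilege Rights] layout of a security template
# export. Every SID below is invented for illustration.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1190
"""

ALLOW = "SeInteractiveLogonRight"     # shown in the editor as "Log on locally"
DENY = "SeDenyInteractiveLogonRight"  # shown as "Deny logon locally"


def parse_rights(inf_text):
    """Return {right name: set of lower-cased principals} from [Privilege Rights]."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep the case of the right names
    parser.read_string(inf_text)
    rights = {}
    if parser.has_section("Privilege Rights"):
        for name, value in parser.items("Privilege Rights"):
            members = (m.strip().lstrip("*").lower() for m in value.split(","))
            rights[name] = {m for m in members if m}
    return rights


def interactive_logon(rights, token_sids):
    """Classify a token (user SID plus group SIDs) against the exported rights."""
    token = {sid.lower() for sid in token_sids}
    denied = token & rights.get(DENY, set())
    if denied:
        return "denied", sorted(denied)    # an explicit deny overrides any allow
    allowed = token & rights.get(ALLOW, set())
    if allowed:
        return "allowed", sorted(allowed)
    return "not granted", []               # no SID in the token holds the right


if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    domain = "S-1-5-21-1111-2222-3333"     # hypothetical domain SID
    for label, groups in [("TS user", ["1105"]), ("blocked", ["1105", "1190"]),
                          ("other", ["513"])]:
        token = [f"{domain}-{rid}" for rid in groups]
        print(label, interactive_logon(rights, token))
```

Exported templates are often UTF-16 encoded, so decode the file accordingly before passing its text to `parse_rights`.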
Rob Williams Commented:
As acsmedic suggested, or in this case use the remote desktop built-in domain group. Should accomplish the same thing where you are accessing the same machine.

However, it seems to me there are issues with running TS on a DC for other than admin purposes, or is that what you are trying to achieve? There are also issues with giving non-domain admins access to the DC.
Rob Williams Commented:
Because it is a DC you will need to modify the domain policy as per:;en-us;q247989

Were you able to apply the patch above so you can access your GP management Console?
Rob Williams Commented:
Thanks DubberDan,
cheers mate!

Hoi Hoi Rob!