Users unable to log on to Terminal Server

I'm in the process of setting up a terminal server on a Win2K server but have hit a snag where by users can't log on a TS session.  They get an error to say "You are not allowed to log on interactively......".

I have checked in AD for the users and they have the box ticked to say allow log on to Terminal Server.  If I set them as domain admins then they can log in, but obviously I don't want them given those sorts of permissions.

I've created a Global Group for TS users but I guess I need a permissions somewhere to activate that.  Any suggestions?
DubberDanAsked:
Who is Participating?
 
Jay_Jay70Commented:
Hi DubberDan,

check your policies - compt settings - windows components - security settings - local policies - user rights assignment   \  allow logon through terminal services

also make sure your members are a part of the remote desktop group and that it is allowed in that policy

Cheers!
0
 
DubberDanAuthor Commented:
Hmm, I've just gone into group policy editor but get a message come up to say:

"The following entry int he [strings] section is too long and has been truncated."

It then goes on about all sorts of things.  Clicking Ok gets rid of it to be replaced by something similar but the text after it then is differen.  This keeps going for 10 - 20 messages but I never seem to get past it.

Help!!!
0
 
Jay_Jay70Commented:
seen that before as well!

http://support.microsoft.com/?id=842933
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
DubberDanAuthor Commented:
Ah, ok.  Seems there are fixes for everything but 2K server!!  Oh well the work around of clicking past them all seems to do the trick.  Just not sure whay it's cropped up as it worked the last time I used the policy editor and thats the only place I've used for altering polices.  Another microsoftism I gues!!!.

Back to the original question.  I can see "allow logon through terminal services" within policies but I did see an setting for "Log on locally" so I have added in the global group I'd created to that.  But that doesn't seem to have done the trick.  Is it because this is Win 2K server?

Next thing to try?
0
 
Rob WilliamsCommented:
Win2K string error patch, it is very common to need this, though if all updates and patches are installed it should fix itself:
http://www.microsoft.com/downloads/details.aspx?familyid=BA478B46-3AF7-4EAF-9CE6-E34EA2C74FAF&displaylang=en
0
 
DawilliamsCommented:
The setting your looking for in in the "local security policy" on the terminals server "allow log on locally"
0
 
DawilliamsCommented:
sorry about the typo's just add the group or user you want to access the terminal server and voila
0
 
DubberDanAuthor Commented:
There's no option for "Allow logo on locally" but there is just "Log on locally".  Have tried setting it for both local and domain policies but still no joy.
0
 
Jay_Jay70Commented:
make sure the user isnt denied the right   in the deny user logon policy

also make sure you are editing the default domain controller policy
0
 
Rob WilliamsCommented:
It has been mentioned above but...
>>"I've created a Global Group for TS users but I guess I need a permissions somewhere to activate that.  Any suggestions?"
This group needs to be added to the "Remote users group" on the terminal server itself, not the domain group in AD.
0
 
DubberDanAuthor Commented:
The server is also our DC so I can only access AD and not users/groups in Computer Management.  So where do I find this "Remote users group" for the TS?
0
 
acsmedicCommented:
Go to administrative tools - Terminal services configuration - expand connections - Right click on the RDP-TCP - select properties - Permissions tab and add the domain group that you want to have access.

As long as that group does not have an explicit Deny logon locally somewhere and has logon local right this should solve your issue.
0
 
Rob WilliamsCommented:
As acsmedic  suggested, or in this case use the remote desktop built in domain group. Should accomplish the same thing where you are accessing the same machine.

However, It seems to me there are issues with running TS on a DC for other than admin purposes, or is that what you are trying to achieve. There are also issues with giving non-domain admins access to the DC.
0
 
Rob WilliamsCommented:
Because it is a DC you will need to modify the domain policy as per:
http://support.microsoft.com/default.aspx?scid=kb;en-us;q247989

Were you able to apply the patch above so you can access your GP management Console?
0
 
Rob WilliamsCommented:
Thanks DubberDan,
--Rob
0
 
Jay_Jay70Commented:
cheers mate!

Hoi Hoi Rob!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.