Need admin rights to login ???

In order to run MSTC a user needs to to be a member of the local administrators group on the local machine.

User a/c are in the local remote desktop group.

I have put everyone to have the right log on locally. (just in case)

HOWEVER - When i take the users out of the local administrator group i get the following error message

"To log on to this remote console session you must have administration permission"

Why ???

How can i remove the admistartor rights and still allow USERS  to use MSTC

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


I've never heard of MSTC, but hopefully you're talking about Terminal Services.  If you are, then carry on reading.  If not, then ignore what's below!  :0)

Can you be more specific about what version of Server 2003 you're using?  

I know there's an issue with SBS whereby users have to be a member of the local Admin group as Terminal Services can only run in Remote Administration mode on an SBS box.

Let's confirm the above, and then take it from there.


MSTC is rather Remote Desktop Sharing .. To be able to allow also user to connect via Remote Desktop you need to give those user- usergroups permission to do so.

Right click "My Computer" -> "Properties" -> "Remote" -> "Select Remote Users"

This way also no-admins can join the PC.

Assigning no user the right to connect remote, only administrators are allowed to do so ...

Hope this helps
You might as well check the security settings
The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

mcsweenSr. Network AdministratorCommented:
MSTSC = Microsoft Terminal Server Client

A user does not need Admin access to launch the terminal server client.  If Terminal Services isn't installed on the server and you are running Remote Desktop to have them access the server then they will need Administrator access to get an interactive logon.

If you install Terminal Services on the server (Add/Remove Programs, Add/Remove Windows Componets) then the users just need to be a member of the "Remote Desktop Users" local group on the server.

Hope this helps!
markroeAuthor Commented:
The users are in "My Computer" -> "Properties" -> "Remote" -> "Select Remote Users"

Terminal services is installed on the server.

Still have issue of users needing to be in the local admins group to use Microsoft Terminal Server Client

Any ideas ?

Can you answer my question to you at the top please?  Are you using SBS (Small Business Server)?

If you are, then non-administrator group users will never be allowed to log on.

markroeAuthor Commented:
No i am running windows 2003 sp1

So if you're running vanilla 2003, the things to check for are:

Is the server running terminal Services in Application Server mode?

If it is not, the same as the SBS applies, i.e.  You're running it in remote administration mode and therefore your users have to be a member of the Administrators group.

If it is in Application Server mode then you need a Terminal Server Licence Server installed on that box, or some other  box on the network.  This is needed to allow users to log into a RDC Session, however I suspect you haven't got a Licence Server installed as the error message then mentions no such server is available to process your request.

Can you confirm the above please?
mcsweenSr. Network AdministratorCommented:
It appears to me that you are running in remote admistration mode which will not allow non-administrators to log on.

You will have to install full blown Terminal Services from Add/Remove programs - Add/Remove Windows Componets
You will have 90 days to install a licensing server (from add/remove) and add some licenses to it.  This can be on the same machine.

Once you have Terminal Services installed your users need to be in the "Remote Desktop Users" group.  (RC My Computer, manage, Users and Groups, Groups, Remote Desktop users...add your users here)

Let me know if this helps.
markroeAuthor Commented:
How do i check the mode that i am running TS in.

If it is in  remote administration mode how do i change it

Also the Terminal Services has valid licenses.
users are alredy in Remote Desktop Users

thank you
markroeAuthor Commented:
i did not do the install of TS, but I have been installed by the installer that TS was installed with all the defaults.

If the default install is remote administration mode (and that requires admin rights) then I would expect that to be the reason.

Can this be changed ???

markroeAuthor Commented:
i have just run the command

change user /?

and the output is

Application EXECUTE mode is enabled.

hope this helps
The default Terminal Services installation is Remote Administration.  That is activated by default when you 'take it out of the box'.  This allows for remote administration of the server, just like a Windows XP workstation if you enable Remote Desktop Connection.  The only difference is that you are allowed two ADMINISTRATORS to be logged in concurrently.

But back to the server.....

Check to see if you have a Terminal Server Licensing Server installed.  To to this, open Administrative Tools (Control Panel, Administrative Tools) and see if the Terminal Server Licensing applet is there.

If it is, open it and see if there is an Activated Server listed.  If there is, see how many licenses are installed, and of those, how many are available.

If the Terminal Server Licensing applet is not there, then you have no Licensing Server installed and therefore must be running in Remote Administration mode.

If you want to install a License Server, install it through Add/Remove Programs, then Windows Components.  Scroll down the list of installed components until you see Terminal Server Licensing, put a tick in the box and install it.

Once complete, you will have 180 days to install Licenses for your users.  Choose wisely when you order the License as you have the choice of Per User or Per Seat.

Let us know how you get on.

markroeAuthor Commented:
1). Terminal Server Licensing applet is there. And is issuing licenses.

I hope this is helpful

markroeAuthor Commented:
Currentlt there are 14 licenses available
mcsweenSr. Network AdministratorCommented:
Check Add/Remove programs, Add/Remove Windows Componets, Terminal Server...let me know if this option is checked.
Try this:

If Active Directory is installed, create a new domain Security Group called 'TS Access' or something similar.  Put all you users you want to have access into the group.

If you haven't got AD installed, create a new Local Group on the server and add users as above.

Open Local Security Policy on the server (Control Panel, Administrative Tools, Local Security Policy), navigate to Local Policies, User Rights Assignment

Ensure the group above is allowed to:

Allow Log on through Terminal Services

Hopefully that will work.

Let us know.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
markroeAuthor Commented:
GOOD NEWS (We are moving forward)

with everyone group taken out of the local admin groups - users in the domain & and on the local machine can log on


As soon as the user (who is not a member of the local admin) goes past the log on screen the account is automatically logged off.

I would be keen to find out whty this is the case. Any suggestions ???

[In the meantime i have had to put the everyone group back into the local admins group to all users access ]

markroeAuthor Commented:
The answer is

Within the local policy of the server

the software restiction policy was set to disallowed i.e software will not run regardless of the access rights of the user.
I have seen similar situations when the Remote Desktop Client is set to log on to the console.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.