Cannot logon Terminal services (2003)without local admin access

Problem
=======

With the everyone group taken out of the local admin groups - Domain users who try and log onto the server from Microsoft Terminal Server Client (MSTSC) are automatically logged off as soon as they pass the logon screen


Conversely if the everyone group is a member of the local admins then the user accounts can successfully logon onto the server using MSTSC.

Objective
=========

To remove the everyone group for the local administrators group and ensure users can log on through terminal services

Various Notes to help
=====================

a). Terminal services is installed on the server

b). All users are in the Remote desktop group

c). The server has been running for more than 90 days

d). There are currently more than 2 users accessing this server.Currently there are 14 licenses available.

e).The install of terminal services services was not done by me, but i have been told that i was done by using all the standard default options.

f). I have just run the command on the server.
      change user /? and the output is  Application EXECUTE mode is enabled

g).Local Policies, User Rights Assignment has Allow Log on through Terminal Services


h). Could this be a file permissioning issue ???

i) Server is windows 2003 and is not a domain controller

j) client is windows XP

Please help



markroeAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bilbusCommented:
Does it give you a error message when a user fails to log in?

Is there anything in the event viewer?

Local admin is working because local admins ignore license limit.

It sounds like there is a license problem. On TS config what type of licence is it using, device or user?

By default it uses device, when you bought lisences and setup a licence server you need to change it to per user (unless you bought per device licences) Check on your server for what type of TS licences you bought.
0
markroeAuthor Commented:
no error message

There are currently more than 2 users (who are members of local admin)accessing this server.Currently there are 14 licenses available.
0
dmccurdy51Commented:
Sounds like the security for RDP is not setup correctly.

1. Add the group to Local Users as well as the Remote Desktop Users Group.
    Only do this if the following accounts have been deleted out of the Local Users Group.
          NT Authority\Authenticated Users
          NT Authority\Interactive

2.  The next place to check is probably your problem.
    Goto Start/Administrative Tools/Terminal Services Configuration.
    Double Click on RDP TCP Properties
      Go to the Permissions Tab
         Make sure your Group or the Remote Desktop users Group is in there.
         Make sure they have User Access
0
Cloud Class® Course: Microsoft Windows 7 Basic

This introductory course to Windows 7 environment will teach you about working with the Windows operating system. You will learn about basic functions including start menu; the desktop; managing files, folders, and libraries.

markroeAuthor Commented:
about to try
0
markroeAuthor Commented:
no change

are there any file permission needed ?
0
dmccurdy51Commented:
No file permissions unless major changes have been made.
Run Filemon if you are worried.  Look for access denied.

You said you were using the everyone group.  Try Adding a real AD group to the groups and places listed above.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
markroeAuthor Commented:
will try your suggestions
0
markroeAuthor Commented:
no difference for the ad group
0
markroeAuthor Commented:
The answer is

Within the local policy of the server

the software restiction policy was set to disallowed i.e software will not run regardless of the access rights of the user.

thanks for your efforts
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.