Cannot log on to Terminal Services (2003) without local admin access

Posted on 2006-04-26
Last Modified: 2010-04-18

With the Everyone group taken out of the local admin groups, domain users who try to log on to the server from Microsoft Terminal Server Client (MSTSC) are automatically logged off as soon as they pass the logon screen.

Conversely, if the Everyone group is a member of the local admins then the user accounts can successfully log on to the server using MSTSC.


To remove the Everyone group from the local administrators group and ensure users can log on through Terminal Services.

Various Notes to help

a). Terminal services is installed on the server

b). All users are in the Remote desktop group

c). The server has been running for more than 90 days

d). There are currently more than 2 users accessing this server. Currently there are 14 licenses available.

e). The install of Terminal Services was not done by me, but I have been told that it was done by using all the standard default options.

f). I have just run the command on the server.
      change user /? and the output is Application EXECUTE mode is enabled

g). Local Policies, User Rights Assignment has Allow Log on through Terminal Services

h). Could this be a file permissioning issue ???

i) Server is Windows 2003 and is not a domain controller

j) Client is Windows XP

Please help

Question by:markroe

    Expert Comment

    Does it give you an error message when a user fails to log in?

    Is there anything in the event viewer?

    Local admin is working because local admins ignore license limit.

    It sounds like there is a license problem. On TS config what type of licence is it using, device or user?

    By default it uses device; when you bought licences and set up a licence server you need to change it to per user (unless you bought per device licences). Check on your server for what type of TS licences you bought.

    Author Comment

    no error message

    There are currently more than 2 users (who are members of local admin) accessing this server. Currently there are 14 licenses available.

    Expert Comment

    Sounds like the security for RDP is not set up correctly.

    1. Add the group to Local Users as well as the Remote Desktop Users Group.
        Only do this if the following accounts have been deleted out of the Local Users Group.
              NT Authority\Authenticated Users
              NT Authority\Interactive

    2. The next place to check is probably your problem.
        Go to Start/Administrative Tools/Terminal Services Configuration.
        Double-click on RDP TCP Properties
          Go to the Permissions Tab
             Make sure your Group or the Remote Desktop users Group is in there.
             Make sure they have User Access

    Author Comment

    about to try

    Author Comment

    no change

    Are there any file permissions needed?

    Accepted Solution

    No file permissions unless major changes have been made.
    Run Filemon if you are worried.  Look for access denied.

    You said you were using the Everyone group. Try adding a real AD group to the groups and places listed above.

    Author Comment

    will try your suggestions

    Author Comment

    no difference for the ad group

    Author Comment

    The answer is

    Within the local policy of the server

    the software restriction policy was set to disallowed, i.e. software will not run regardless of the access rights of the user.

    thanks for your efforts
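
The cause reported in the last comment can be checked from the registry values behind the Software Restriction Policies node. This is an added example, not part of the original thread; the function name `Get-SrpSummary` is hypothetical, and it assumes the policy is applied at computer scope (HKLM) rather than per user.

```powershell
# Added example: summarise the machine-wide Software Restriction Policy (SRP).
# Assumption: policy is set at computer scope; a per-user policy would sit
# under the same path in HKCU.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Translate a registry DWORD into a readable name, tolerating missing values.
function Resolve-SrpValue($Value, [hashtable]$Names) {
    if ($null -eq $Value) { return 'Not set' }
    $k = [int]$Value
    if ($Names.ContainsKey($k)) { return $Names[$k] }
    return 'Other (0x{0:X})' -f $k
}

function Get-SrpSummary {
    param([string]$Path = $SrpKey)

    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $p) { return "No Software Restriction Policy found under $Path" }

    $level = Resolve-SrpValue $p.DefaultLevel @{
        0 = 'Disallowed'; 0x40000 = 'Unrestricted' }
    $scope = Resolve-SrpValue $p.PolicyScope @{
        0 = 'All users'; 1 = 'All users except local administrators' }
    $enforce = Resolve-SrpValue $p.TransparentEnabled @{
        0 = 'No enforcement'; 1 = 'All files except DLLs'
        2 = 'All files including DLLs' }

    # Disallowed by default with administrators exempt fits the symptom in
    # this thread: admins get a session, other users do not.
    if ($level -eq 'Disallowed' -and $p.PolicyScope -eq 1) {
        $finding = 'Non-administrators can run only what an Unrestricted rule allows'
    } elseif ($level -eq 'Disallowed') {
        $finding = 'All users can run only what an Unrestricted rule allows'
    } else {
        $finding = 'Default level does not block programs'
    }

    New-Object PSObject -Property @{
        DefaultLevel = $level; AppliesTo = $scope
        Enforcement  = $enforce; Finding = $finding
    }
}

Get-SrpSummary | Format-List
```

Run it in an elevated session on the terminal server; the same settings appear in the Local Security Policy console under Software Restriction Policies (Security Levels and Enforcement).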
