• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 530
  • Last Modified:

Cannot logon Terminal services (2003)without local admin access


With the everyone group taken out of the local admin groups - Domain users who try and log onto the server from Microsoft Terminal Server Client (MSTSC) are automatically logged off as soon as they pass the logon screen

Conversely if the everyone group is a member of the local admins then the user accounts can successfully logon onto the server using MSTSC.


To remove the everyone group for the local administrators group and ensure users can log on through terminal services

Various Notes to help

a). Terminal services is installed on the server

b). All users are in the Remote desktop group

c). The server has been running for more than 90 days

d). There are currently more than 2 users accessing this server.Currently there are 14 licenses available.

e).The install of terminal services services was not done by me, but i have been told that i was done by using all the standard default options.

f). I have just run the command on the server.
      change user /? and the output is  Application EXECUTE mode is enabled

g).Local Policies, User Rights Assignment has Allow Log on through Terminal Services

h). Could this be a file permissioning issue ???

i) Server is windows 2003 and is not a domain controller

j) client is windows XP

Please help

  • 6
  • 2
1 Solution
Does it give you a error message when a user fails to log in?

Is there anything in the event viewer?

Local admin is working because local admins ignore license limit.

It sounds like there is a license problem. On TS config what type of licence is it using, device or user?

By default it uses device, when you bought lisences and setup a licence server you need to change it to per user (unless you bought per device licences) Check on your server for what type of TS licences you bought.
markroeAuthor Commented:
no error message

There are currently more than 2 users (who are members of local admin)accessing this server.Currently there are 14 licenses available.
Sounds like the security for RDP is not setup correctly.

1. Add the group to Local Users as well as the Remote Desktop Users Group.
    Only do this if the following accounts have been deleted out of the Local Users Group.
          NT Authority\Authenticated Users
          NT Authority\Interactive

2.  The next place to check is probably your problem.
    Goto Start/Administrative Tools/Terminal Services Configuration.
    Double Click on RDP TCP Properties
      Go to the Permissions Tab
         Make sure your Group or the Remote Desktop users Group is in there.
         Make sure they have User Access
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

markroeAuthor Commented:
about to try
markroeAuthor Commented:
no change

are there any file permission needed ?
No file permissions unless major changes have been made.
Run Filemon if you are worried.  Look for access denied.

You said you were using the everyone group.  Try Adding a real AD group to the groups and places listed above.
markroeAuthor Commented:
will try your suggestions
markroeAuthor Commented:
no difference for the ad group
markroeAuthor Commented:
The answer is

Within the local policy of the server

the software restiction policy was set to disallowed i.e software will not run regardless of the access rights of the user.

thanks for your efforts

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 6
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now