Terminal Services for Administration Denies Administrator Access

I am getting the following error message when I attempt to connect to remote desktop on a Windows Server 2003 machine:

To logon to this remote computer you must be granted the Allow log on through terminal services right.

The server is the only server in the domain and is running AD.

I’ve been working on this server for a couple of months with no problems using remote desktop.  I attempted to change some settings to allow other users access to AD computers via remote desktop and somehow hosed up the configuration.  Hopefully I’ve included all of the pertinent configuration info below.  Everything looks to me to be setup ok.  The server is running Exchange, SQL Server, Symantec Antivirus Enterprise, Veritas Backup Exec, and some software from RJS.  Remote Desktop was working fine with all of the software installed.

I have two group policy objects, 1 – Default Domain Controllers Policy, 2 – a policy specific to my domain for folder redirection and whatnot.

Default Domain Controllers Policy –
Allow log on through terminal services – Administrators, Remote Desktop Users.
Deny log on through terminal services – Not Defined.

Second policy –
Allow log on through terminal services – Remote Desktop Users.
Deny log on through terminal services – Not Defined.

The Remote Desktop users group contains the following users:

Administrator user profile Terminal Services Profile:
Deny this user permissions to log on to any Terminal Server is Unchecked.

Terminal Server Configuration –
RDP-Tcp Properties –
Network Adapter – All network adapters configured with this protocol.
Permissions –
Administrators – Full Control, User Access, Guest Access.
Remote Desktop Users – User Access, Guest Access.

Administrator is a member of the following groups:
Debugger Users
Domain Admins
Domain Users
Enterprise Admins
Group Policy Creator Owners
Remote Desktop Users
Schema Admins

I’m at stuck on this until I can get remote desktop working again so it is of urgent importance for me to get this problem resolved.  Thank you in advance for any assistance you can provide.
Who is Participating?
CetusMODConnect With a Mentor Commented:
PAQed with points refunded (500)

Community Support Moderator
Hi kolpin,

are you able to log in with any other users?
kolpinAuthor Commented:
Nope.  Can't login with any users.
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

what kind of licensing do you have?
if you were running on the temp licences they may well have expired

what does the event viewer say
kolpinAuthor Commented:
I'm just using the standard 2 user Remote Desktop / Terminal Services for Administration.  That's probably the reason why I can't config it for any other users.  At this point I just want the administrator user to work.  Anyway, as far as server goes it's Win2k3 Server Standard and it has been registered if that makes a difference.

registered is all good but are there no licence errors in the event viewer, just wanted to double check!

try giving that RDP users group full control on your permission properties

otherwise your sec pols look fine, i would try reinstalling TS
kolpinAuthor Commented:
Double checked the event viewer and there are no licensing error.

Gave RDP users group full control.

Removed RDP, rebooted, installed RDP, reboot, double checked all RDP related settings.

Still getting the error message that I'm (administrator) not allowed to log in via Terminal Services.  There are no other terminal services installed on the box, just RDP so I can admin the server remote.

Thanks for any help you can provide.  I'm at a point where it will be very painfull to scratch the server and reinstall the OS and I really want to aviod using pcAnywhere for remote access.
kolpinAuthor Commented:
Got it up an running again.  I was under the assumption that all of the GPOs that needed to but looked at were available and linked in group policy management.  I loaded the group policy editor in MMC for local computer and found that somehow the deny terminal services log in property was set to Administrator and Remote Desktop Users.  I have no idea how that would have gotten set but a change back to not defined and life is good again.

Thank you for taking the time to read my ramblings and offer assistance.
ah random policies! its actually not first time i have seen terminal service users get denied for no apparant reason, its why i usually try and point the obvious with those polcies first, well done though :)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.