Link to home
Start Free TrialLog in
Avatar of kolpin
kolpin

asked on

Terminal Services for Administration Denies Administrator Access

I am getting the following error message when I attempt to connect to remote desktop on a Windows Server 2003 machine:

To logon to this remote computer you must be granted the Allow log on through terminal services right.

The server is the only server in the domain and is running AD.

I’ve been working on this server for a couple of months with no problems using remote desktop.  I attempted to change some settings to allow other users access to AD computers via remote desktop and somehow hosed up the configuration.  Hopefully I’ve included all of the pertinent configuration info below.  Everything looks to me to be setup ok.  The server is running Exchange, SQL Server, Symantec Antivirus Enterprise, Veritas Backup Exec, and some software from RJS.  Remote Desktop was working fine with all of the software installed.

I have two group policy objects, 1 – Default Domain Controllers Policy, 2 – a policy specific to my domain for folder redirection and whatnot.

Default Domain Controllers Policy –
Allow log on through terminal services – Administrators, Remote Desktop Users.
Deny log on through terminal services – Not Defined.

Second policy –
Allow log on through terminal services – Remote Desktop Users.
Deny log on through terminal services – Not Defined.

The Remote Desktop users group contains the following users:
Administrator

Administrator user profile Terminal Services Profile:
Deny this user permissions to log on to any Terminal Server is Unchecked.

Terminal Server Configuration –
RDP-Tcp Properties –
Network Adapter – All network adapters configured with this protocol.
Permissions –
Administrators – Full Control, User Access, Guest Access.
Remote Desktop Users – User Access, Guest Access.

Administrator is a member of the following groups:
Administrators
Debugger Users
Domain Admins
Domain Users
Enterprise Admins
Group Policy Creator Owners
Remote Desktop Users
Schema Admins

I’m at stuck on this until I can get remote desktop working again so it is of urgent importance for me to get this problem resolved.  Thank you in advance for any assistance you can provide.
Avatar of Jay_Jay70
Jay_Jay70
Flag of Australia image

Hi kolpin,

are you able to log in with any other users?
Avatar of kolpin
kolpin

ASKER

Nope.  Can't login with any users.
what kind of licensing do you have?
if you were running on the temp licences they may well have expired

what does the event viewer say
Avatar of kolpin

ASKER

I'm just using the standard 2 user Remote Desktop / Terminal Services for Administration.  That's probably the reason why I can't config it for any other users.  At this point I just want the administrator user to work.  Anyway, as far as server goes it's Win2k3 Server Standard and it has been registered if that makes a difference.

Thanks.
registered is all good but are there no licence errors in the event viewer, just wanted to double check!

try giving that RDP users group full control on your permission properties

otherwise your sec pols look fine, i would try reinstalling TS
Avatar of kolpin

ASKER

Double checked the event viewer and there are no licensing error.

Gave RDP users group full control.

Removed RDP, rebooted, installed RDP, reboot, double checked all RDP related settings.

Still getting the error message that I'm (administrator) not allowed to log in via Terminal Services.  There are no other terminal services installed on the box, just RDP so I can admin the server remote.

Thanks for any help you can provide.  I'm at a point where it will be very painfull to scratch the server and reinstall the OS and I really want to aviod using pcAnywhere for remote access.
Avatar of kolpin

ASKER

Got it up an running again.  I was under the assumption that all of the GPOs that needed to but looked at were available and linked in group policy management.  I loaded the group policy editor in MMC for local computer and found that somehow the deny terminal services log in property was set to Administrator and Remote Desktop Users.  I have no idea how that would have gotten set but a change back to not defined and life is good again.

Thank you for taking the time to read my ramblings and offer assistance.
ah random policies! its actually not first time i have seen terminal service users get denied for no apparant reason, its why i usually try and point the obvious with those polcies first, well done though :)
ASKER CERTIFIED SOLUTION
Avatar of CetusMOD
CetusMOD
Flag of Netherlands image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial