Terminal Services for Administration Denies Administrator Access

Posted on 2006-05-10
Last Modified: 2008-02-01
I am getting the following error message when I attempt to connect to remote desktop on a Windows Server 2003 machine:

To logon to this remote computer you must be granted the Allow log on through terminal services right.

The server is the only server in the domain and is running AD.

I’ve been working on this server for a couple of months with no problems using remote desktop.  I attempted to change some settings to allow other users access to AD computers via remote desktop and somehow hosed up the configuration.  Hopefully I’ve included all of the pertinent configuration info below.  Everything looks to me to be setup ok.  The server is running Exchange, SQL Server, Symantec Antivirus Enterprise, Veritas Backup Exec, and some software from RJS.  Remote Desktop was working fine with all of the software installed.

I have two group policy objects, 1 – Default Domain Controllers Policy, 2 – a policy specific to my domain for folder redirection and whatnot.

Default Domain Controllers Policy –
Allow log on through terminal services – Administrators, Remote Desktop Users.
Deny log on through terminal services – Not Defined.

Second policy –
Allow log on through terminal services – Remote Desktop Users.
Deny log on through terminal services – Not Defined.

The Remote Desktop users group contains the following users:

Administrator user profile Terminal Services Profile:
Deny this user permissions to log on to any Terminal Server is Unchecked.

Terminal Server Configuration –
RDP-Tcp Properties –
Network Adapter – All network adapters configured with this protocol.
Permissions –
Administrators – Full Control, User Access, Guest Access.
Remote Desktop Users – User Access, Guest Access.

Administrator is a member of the following groups:
Debugger Users
Domain Admins
Domain Users
Enterprise Admins
Group Policy Creator Owners
Remote Desktop Users
Schema Admins

I’m at stuck on this until I can get remote desktop working again so it is of urgent importance for me to get this problem resolved.  Thank you in advance for any assistance you can provide.
Question by:kolpin
    LVL 48

    Expert Comment

    Hi kolpin,

    are you able to log in with any other users?

    Author Comment

    Nope.  Can't login with any users.
    LVL 48

    Expert Comment

    what kind of licensing do you have?
    if you were running on the temp licences they may well have expired

    what does the event viewer say

    Author Comment

    I'm just using the standard 2 user Remote Desktop / Terminal Services for Administration.  That's probably the reason why I can't config it for any other users.  At this point I just want the administrator user to work.  Anyway, as far as server goes it's Win2k3 Server Standard and it has been registered if that makes a difference.

    LVL 48

    Expert Comment

    registered is all good but are there no licence errors in the event viewer, just wanted to double check!

    try giving that RDP users group full control on your permission properties

    otherwise your sec pols look fine, i would try reinstalling TS

    Author Comment

    Double checked the event viewer and there are no licensing error.

    Gave RDP users group full control.

    Removed RDP, rebooted, installed RDP, reboot, double checked all RDP related settings.

    Still getting the error message that I'm (administrator) not allowed to log in via Terminal Services.  There are no other terminal services installed on the box, just RDP so I can admin the server remote.

    Thanks for any help you can provide.  I'm at a point where it will be very painfull to scratch the server and reinstall the OS and I really want to aviod using pcAnywhere for remote access.

    Author Comment

    Got it up an running again.  I was under the assumption that all of the GPOs that needed to but looked at were available and linked in group policy management.  I loaded the group policy editor in MMC for local computer and found that somehow the deny terminal services log in property was set to Administrator and Remote Desktop Users.  I have no idea how that would have gotten set but a change back to not defined and life is good again.

    Thank you for taking the time to read my ramblings and offer assistance.
    LVL 48

    Expert Comment

    ah random policies! its actually not first time i have seen terminal service users get denied for no apparant reason, its why i usually try and point the obvious with those polcies first, well done though :)

    Accepted Solution

    PAQed with points refunded (500)

    Community Support Moderator

    Featured Post

    Do You Know the 4 Main Threat Actor Types?

    Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

    Join & Write a Comment

    So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
    Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
    Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
    This video discusses moving either the default database or any database to a new volume.

    732 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now