Solved

Cannot login to Windows 2003 Terminal Server except as Domain Administrator equivalent

Posted on 2006-06-14
Last Modified: 2010-04-18
I have set up 4 new Windows 2003R2 servers: ADMIN1PRI, ADMIN2PSI, ADMIN3MAIL and ADMIN4TS.  ADMIN1PRI is the primary server with the primary domain controller, print services, etc.  ADMIN2PSI runs a key application and is set up as a backup domain controller.  ADMIN3MAIL is a member of the domain and runs the mail system.  ADMIN4TS is a member of the domain and has Terminal Services activated.  When trying to log in to the Terminal Server as a user who is a member of the Remote Desktop Users group, I get the following message:

"To log on to this remote computer, you must be granted the Allow log on through Terminal Services right.  By default, members of the Remote Desktop Users group have this right.  If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted the right manually."

I have checked every location I can think of regarding rights, and the only way I can give these users the ability to log in is to make them a Domain Administrator.  Is there some change in R2 of Windows 2003 security that disables Terminal Services access by standard users?  Any idea where I should look?  Thanks!

Steve
Question by:sfrechette
5 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16908564
Make sure your local policy is allowing it: Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow log on through Terminal Services.

Make sure your Remote Desktop Users group is in there.
 

Author Comment

by:sfrechette
ID: 16908577
I've already checked that and it is being allowed.  Any other ideas?

 
LVL 4

Expert Comment

by:shard26
ID: 16908615
Starting in 2003 they changed their security on TS.  Users are no longer allowed access by default. You should only have to do the following if everything is default and you have made no changes.

OK, here we go.

On your domain, create a global group and call it TS_Users or whatever you want.
Next, log on to your TS server, right-click on My Computer and go to Manage.
Go to Local Users and Groups
and add the domain global group TS_Users to the local group Remote Desktop Users (you will notice that is the same group that was mentioned in the message).
Now add the users you want access to Terminal Servers to the TS_Users group and BOW they have access.
 
 The reason behind this is the new right that was added in 2003 for computers. You can see this by going to group policies.


   Start/Run/gpedit.msc
   Computer Config/Windows settings/security settings/local Policies/User rights assignment
   Notice allow log on through terminal services on the right
   Also notice that "Remote Desktop Users" is also there.  That's how that group gets the rights.  You could even add TS_Users straight in here. You then would have to add them to the local "Remote Desktop Users" but I don't recommend doing this.  Hope that helps.
 
LVL 4

Accepted Solution

by:
shard26 earned 500 total points
ID: 16908773
You then would have to add them to the local "Remote Desktop Users" but I don't recommend doing this.  Hope that helps.


Correction, should read:

You then wouldn't have to add them to the local "Remote Desktop Users" but I don't recommend doing this.  Hope that helps.
0
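An added example, not part of the thread: one way to confirm what the answer describes is to export the server's effective user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and check that the Remote Desktop Users SID holds "Allow log on through Terminal Services" and is not in the matching deny right. The function names and the sample export below are constructed for illustration and are not the asker's configuration.

```python
ALLOW = "SeRemoteInteractiveLogonRight"      # Allow log on through Terminal Services
DENY = "SeDenyRemoteInteractiveLogonRight"   # Deny log on through Terminal Services
RDU_SID = "S-1-5-32-555"                     # BUILTIN\Remote Desktop Users
ADMINS_SID = "S-1-5-32-544"                  # BUILTIN\Administrators

# Constructed sample of a USER_RIGHTS export in which only Administrators hold the right.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
"""

def privilege_rights(inf_text):
    """Return {right name: set of principals} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            principals = (p.strip().lstrip("*") for p in value.split(","))
            rights[name.strip()] = {p for p in principals if p}
    return rights

def check_ts_logon(inf_text, group_sid=RDU_SID):
    """List the reasons members of group_sid cannot log on through Terminal Services."""
    rights = privilege_rights(inf_text)
    findings = []
    if group_sid not in rights.get(ALLOW, set()):
        findings.append(f"{group_sid} is missing from {ALLOW}")
    if group_sid in rights.get(DENY, set()):
        findings.append(f"{group_sid} is listed in {DENY}; deny overrides allow")
    return findings

if __name__ == "__main__":
    for finding in check_ts_logon(SAMPLE_INF) or ["Remote Desktop Users can log on"]:
        print(finding)
```

A real export is usually written as UTF-16, so read it with `open("rights.inf", encoding="utf-16").read()` before passing it to `check_ts_logon`.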
 

Author Comment

by:sfrechette
ID: 16908793
Well done! This worked.  I'm not sure yet why being a member of Remote Desktop Users group didn't work but I'll go with this.  Thanks!
