techdoc6

Can't logon interactively

I have a Windows 2003 server set up and I am trying to log in remotely using Remote Desktop. When I try to log in as a normal user I get the message "the local policy of this system does not permit you to logon interactively". There are no problems logging in as administrator. I tried going into the local policy as admin and changing the "allow logon locally" right to allow the group "users" but this did not help. One thing I found curious was that when trying to "add users or groups" to the right, I click locations and all I see is the local computer; I cannot select any domain users or groups. This problem also occurs when setting access rights to local files: I can only add users or groups from the local machine as opposed to domain users or groups. I need to be able to log on remotely and change file permissions so that domain users can access local files. Thanks for the help.
Toni Uranjek

Is this server a member server or a stand-alone server?

Users should be members of "Remote Desktop Users" first.

Windows 2003 Server has a new setting in "User rights assignment":
"Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow logon through Terminal Services" which can be used to avoid your problem.
techdoc6

ASKER

This is a standalone server with two Windows XP clients. The users in question are in the Remote Desktop Users group. I am a little unclear on whether I should be working with the local policy on the clients or the group policy on the server. The error message refers to the local policy of this system.
You should change the policy on the server.
Check the Access this computer from network policy, add the user account to that..

run a gpupdate on the client, then RDP...

BTW: there is a new RDP client out as well, might wanna try that as well..
policies are set as follows
access this computer from the network: everyone, authenticated users...
logon locally: individual users
logon through terminal services: remote desktop users, individual users

For the logon rights I listed the users individually as well as allowing Remote Desktop Users for terminal services. This might be a little redundant but neither one seems to be working. I should probably remove everyone from the access right, but I'll tighten up the security once I can log in.

Another bizarre quirk is that the user I am trying to log on as is a member of the domain administrators group, but is not an admin on the local machine. I can RDP into the client machine using the local administrator account, but I get the error message when trying to log on as the user who is a member of the domain administrators group. I guess the local admin isn't subject to the domain controller's security policy since it's not part of the domain?

I haven't tried the gpupdate on the client machine but I will when I get a chance later today.
OK, I might have misunderstood something, but if your server is stand-alone and NOT a member of your domain then consequently domain admins cannot access this server.
It's a domain controller, but it is the only server in the network.
OK, your server is DC Windows 2003, and you want to access this server from XP with RDP?

1. On your domain controller add appropriate user accounts in "Remote Desktop Users" group
2. Go to Domain Controller Security Settings and change "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow logon through Terminal Services" setting, add appropriate user account.
3. Go to command prompt and use "gpupdate /force" or wait for at least 5 minutes.
4. Go to XP client and try to connect to DC.

If not successful, post error message here.

Sorry, let me clarify: I want to log on to one of the clients with RDP. I can RDP into the server just fine, but when I try to RDP to the client it says I cannot logon interactively.
And your XP client is domain member, and you want to access XP as which account?
The users are all members of "remote desktop users" and are listed under "Allow logon through Terminal Services". I did a "gpupdate /force" on both the client and the server, no luck.
I am using one of the user accounts listed under "remote desktop users" in the server local policy.
We need to clarify a few things. Are you trying to RDP into XP which is a domain member?
yes
OK. Then go to the XP machine and add the proper user account to the "Remote Desktop Users" group - nothing else, because "Remote Desktop Users" has access through policy defined by default.
What is the error now, when you try to connect to XP?
still the same message

"the local policy of this system does not permit you to logon interactively"

The user was a member of the "administrators group" instead of "Remote desktop users". I think they are both granted remote logon. I changed it to "Remote desktop users" but the error message stayed the same.
Please run this command on your XP computer "gpresult /v > gpolog.txt" and paste the contents of gpolog.txt here; I would like to check whether other policies are in effect.

And you wouldn't try to connect to XP with user account which has blank password? ;)
hmm,

For some reason it won't let me run that command; it outputs the following message and the output file is blank.

INFO: The user "domainname\administrator" does not have RSOP data.
Can you logon to XP as domain admin?
Let me rephrase: Can you logon LOCALLY to XP as domain admin?
yea, there are no problems logging into the client computer with the domain administrator account
And after you log in "gpresult" gives you that error!?
Yea, when I RDP login to the domain admin account on the XP client computer and go to the command prompt and type "gpresult /v > gpolog.txt" I get the error "INFO: The user "domainname\administrator" does not have RSOP data."
ASKER CERTIFIED SOLUTION
Toni Uranjek

This solution is only available to members.
your Domain Admin account , is it called/named Administrator?
I can RDP login with the administrator credentials but I can't RDP login with a normal user. Locally all logins work fine.
create a test user account..

Add that user to the Remote Desktop group that exists in Active Directory.

On the server that you are trying to access, run a gpupdate from the command prompt..

Now try to make an RDP connection, and log on with the test user account created.

Post the results..
Forget the above, I forgot it's a standalone server..
Simply add the account as a member of the Administrators group on the XP client machine.
I wish I could edit...there is a domain controller and two clients, I am trying to RDP into the clients with the normal user account.
I tried adding the account to the local administrators group on the client, still won't let me RDP. I'm not sure if the local policy the error message refers to is the policy of the client or the server.
Local Policies -> User Rights Assignments -> Logon through terminal services policy on the XP Client , add Administrators and Domain Admins to the policy.


Also check

Local Policies -> User Rights Assignments -> Deny Logon Locally
and
Local Policies -> User Rights Assignments -> Deny logon through Terminal Services
SOLUTION
This solution is only available to members.

Local Policy on client is set to:
"Allow Logon through terminal services": "Remote Desktop Users", "COMPUTERNAME/USERNAME", "administrators"
"Deny Logon Locally": blank
"Deny Logon Through Terminal Services": blank
"Logon Locally": "Users", "COMPUTERNAME/USERNAME", "administrators", "Guest"

I tried to add domain admins to "allow Logon through terminal services" but it wouldn't let me. It said "name not found". I tried setting the "location" to the domain but the only available option is COMPUTERNAME. It seems strange to me that I wouldn't be able to select the domain from the locations list. Any ideas why the domain isn't available here? This server does not function as a "Terminal server"; I am just trying to use RDP to log into the clients. Does RDP run on top of Terminal Server? Just curious because I'm not using Terminal Server to serve applications or anything.

I just logged in locally (the computer, not the domain) and realized something. I think the problem may be that there is a local account on the computer named the same thing as the domain account I am trying to use. I think the local policy settings were affecting the local account as opposed to the domain account. The problem is, I can't add the domain account to any groups. I also can't change any permissions regarding the domain account because the computer cannot find the domain account when I go into the add window (i.e. to add the user to a policy). I think I need to find out why I cannot select the domain from the "locations" section of the add window. If I could add domain objects, I could probably add the correct user to the policy and RDP in, but how can I add the domain user to the appropriate policies?
I think what it comes down to is the domain objects, therefore I have reposted a question under the title "domain objects" in the OS section.
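
Added example, not part of any post in this thread: a small Python check of the user rights discussed above, run over the text produced by `secedit /export /cfg rights.inf /areas USER_RIGHTS` on the client. It shows how an entry for a local account differs from a same-named domain account; the export contents and the names WS01, CORP and jsmith are constructed for illustration.

```python
# Constructed sample of a secedit USER_RIGHTS export (not taken from the thread).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-545,WS01\\jsmith,*S-1-5-32-544,Guest
SeRemoteInteractiveLogonRight = *S-1-5-32-555,WS01\\jsmith,*S-1-5-32-544
SeDenyInteractiveLogonRight =
SeDenyRemoteInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
"""

ALLOW_RDP = "SeRemoteInteractiveLogonRight"     # Allow logon through Terminal Services
DENY_RDP = "SeDenyRemoteInteractiveLogonRight"  # Deny logon through Terminal Services

def parse_privilege_rights(text):
    """Return {right: set of lower-cased principals} from [Privilege Rights]."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are exported with a leading '*'; strip it for comparison.
            rights[name.strip()] = {
                p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
            }
    return rights

def rdp_logon_allowed(rights, token):
    """token: the account's qualified name or SID plus the SIDs of its groups."""
    ids = {t.lower() for t in token}
    if rights.get(DENY_RDP, set()) & ids:
        return False  # a deny right overrides any allow
    return bool(rights.get(ALLOW_RDP, set()) & ids)

def same_name_entries(rights, right, account):
    """Entries granted to a different DOMAIN\\user sharing account's user name."""
    user = account.lower().split("\\")[-1]
    return sorted(p for p in rights.get(right, set())
                  if "\\" in p and p.split("\\")[-1] == user and p != account.lower())
```

S-1-5-32-544, S-1-5-32-545 and S-1-5-32-555 are the well-known SIDs of the built-in Administrators, Users and Remote Desktop Users groups; a non-empty result from `same_name_entries` means the right was granted to a same-named account in another scope, such as the local machine.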