Domain User Can't Logon to a Server Via RDP

Posted on 2007-10-11
Last Modified: 2009-03-03
Terminal Services Permissions Problem:

I have a user who I would like to be able to RDP to certain servers within my infrastructure to enable him to update an application that he looks after. When the user tries to do this, it displays the default message:

"the desktop you are trying to open is currently only available to administrators, contact your systems..."

"to logon to this computer you must have terminal server user access permissions on this computer..."

I have checked GPO; all settings allow this and there are no policies which deny access.

The user is part of the Remote Desktop Users group on that server. I have checked RDP listener permissions in Terminal Services Config Manager and the Remote Desktop Users group is there; I also added the user in manually. I have also checked the local security policy and both 'allow logon locally' and 'allow logon using terminal services' are enabled for remote desktop users - again I added the user in manually.

Still the user gets the same message. Any ideas?
Question by: hertel-dev
    LVL 3

    Accepted Solution

    Do you have Citrix MetaFrame Presentation Server installed? This is a known issue where Citrix creates a new RDP-TCP listener but the default properties of this listener allow only the launching of published applications.
    To fix, clear "Only launch Published Applications" under the 'Advanced Connection Settings' of the RDP-TCP listener.
    LVL 2

    Expert Comment

    It definitely sounds like a permissions issue somewhere. Remember that an explicit deny somewhere will override any allow permissions you may have set. There are a few tests you could do to see where the issue lies but it depends on what your current setup is.

    Are you using domain accounts? If so, copy the user's account and try the same thing with the new, copied account. That would eliminate your user's account being specifically the cause. I assume all other users who are supposed to have RDP access can without an issue? Is your user in a group that these other users aren't? Do some testing adding a working user to these other groups one at a time to see if you can highlight a denied group.

    If this doesn't fit your setup, please provide a bit more info. Good luck.

    Author Comment

    Correct, we are using MPS3.0 on the same servers. Strangely enough, the farm has 5 application servers and the user can RDP to 3 of them without a problem so I can only assume that the setting you mention hasn't been changed on the other 2.

    It worked a treat. Thanks
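
The thread ends with the same user being accepted by three farm servers and refused by two because a listener setting differed between them. As an added example (not code from any poster in this thread), the PowerShell below lists every RDP-Tcp listener registry value that differs between a server where the logon works and one where it fails. Assumptions: the server names are placeholders, the Remote Registry service is reachable with administrative rights, and the listener's settings live under the WinStations\RDP-Tcp key; the page does not say which value backs the Citrix option, so the script only reports differences.

```powershell
# Added example: diff the RDP-Tcp listener configuration of two servers.
# 'APPSRV-GOOD' and 'APPSRV-BAD' are placeholder names, not from the thread.
$ListenerKey = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-ListenerValues {
    param([string]$Server)
    # Requires the Remote Registry service on the target and admin rights.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
    try {
        $key = $hklm.OpenSubKey($ListenerKey)
        if ($null -eq $key) { throw "Listener key not found on $Server" }
        $values = @{}
        foreach ($name in $key.GetValueNames()) {
            $v = $key.GetValue($name)
            # Flatten binary and multi-string values so they compare as text.
            if ($v -is [array]) { $v = ($v -join ',') }
            $values[$name] = [string]$v
        }
        $key.Close()
        return $values
    }
    finally { $hklm.Close() }
}

function Compare-ListenerValues {
    param([hashtable]$Good, [hashtable]$Bad)
    # Union of value names, so a value present on only one server is reported too.
    $names = @($Good.Keys) + @($Bad.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        if ($Good[$n] -ne $Bad[$n]) {
            New-Object PSObject -Property @{ Value = $n; Working = $Good[$n]; Failing = $Bad[$n] }
        }
    }
}

$good = Get-ListenerValues -Server 'APPSRV-GOOD'
$bad  = Get-ListenerValues -Server 'APPSRV-BAD'
Compare-ListenerValues -Good $good -Bad $bad |
    Format-Table Value, Working, Failing -AutoSize
```

An empty result means the two listeners are configured identically and the cause lies elsewhere, such as group membership or the user rights assignments checked in the question.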
