Domain User Can't Logon to a Server Via RDP

Terminal Services Permissions Problem:

I have a user who I would like to be able to RDP to certain servers within my infrastructure to enable him to update an application that he looks after. When the user tries to do this, it displays the default message:

"the desktop you are trying to open is currently only available to administrators, contact your systems..."

"to logon to this computer you must have terminal server user access permissions on this computer..."

I have checked GPO, all settings allow this and there are no policies which deny access.

The user is part of the Remote Desktop Users Group on that server. I have checked RDP listener permissions in Terminal Services Config Manager and the Remote Desktop Users group is there; I also added the user in manually. I have also checked the local security policy and both 'allow logon locally' and 'allow logon using terminal services' are enabled for remote desktop users - again I added the user in manually.

Still the user gets the same message. Any ideas?

Do you have Citrix MetaFrame Presentation Server installed? This is a known issue where Citrix creates a new RDP-TCP listener but the default properties of this listener allow only the launching of published applications.

To fix, clear "Only launch Published Applications" under the 'Advanced Connection Settings' of the RDP-TCP listener.

It definitely sounds like a permissions issue somewhere. Remember that an explicit deny somewhere will override any allow permissions you may have set. There are a few tests you could do to see where the issue lies but it depends on what your current setup is.

Are you using domain accounts? If so, copy the user's account and try the same thing with the new, copied account. That would eliminate your user's account being specifically the cause. I assume all other users who are supposed to have RDP access can without an issue? Is your user in a group that these other users aren't? Do some testing adding a working user to these other groups one at a time to see if you can highlight a denied group.

If this doesn't fit your setup, please provide a bit more info. Good luck.
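
The explicit-deny check suggested in the answer above, as an added example that is not part of the original thread: it parses a user-rights export and reports whether any SID in the user's token appears in the deny right, which wins over the allow right. The export text, the domain SIDs and the function names are constructed for illustration; it covers only the user-rights layer, not listener permissions or the Citrix listener setting.

```python
import configparser

ALLOW = "SeRemoteInteractiveLogonRight"      # "Allow log on through Terminal Services"
DENY = "SeDenyRemoteInteractiveLogonRight"   # "Deny log on through Terminal Services"

# Constructed sample of a user-rights export; the domain SIDs are made up.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed token: the user's own SID, one domain group, Remote Desktop Users.
USER_TOKEN = [
    "S-1-5-21-1111111111-2222222222-3333333333-1104",
    "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "S-1-5-32-555",
]

def parse_rights(text):
    """Return {right name: set of SIDs or account names} from [Privilege Rights]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the right names case-sensitive as exported
    cp.read_string(text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            # SIDs are exported with a leading '*'; unresolved names have none.
            rights[name] = {p.strip().lstrip("*").upper()
                            for p in value.split(",") if p.strip()}
    return rights

def rdp_logon_verdict(rights, token_sids):
    """Deny wins over allow; return (verdict, the SIDs that decided it)."""
    token = {s.upper() for s in token_sids}
    denied_by = rights.get(DENY, set()) & token
    if denied_by:
        return "denied", sorted(denied_by)
    allowed_by = rights.get(ALLOW, set()) & token
    return ("allowed", sorted(allowed_by)) if allowed_by else ("not granted", [])

if __name__ == "__main__":
    print(rdp_logon_verdict(parse_rights(SAMPLE_EXPORT), USER_TOKEN))
```

On a real server the export comes from `secedit /export /cfg rights.inf /areas USER_RIGHTS` (the file is typically UTF-16, so decode it accordingly before parsing), and the token SIDs from `whoami /user` and `whoami /groups` run as the affected user.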

hertel-dev (Author) commented:
Correct, we are using MPS3.0 on the same servers. Strangely enough, the farm has 5 application servers and the user can RDP to 3 of them without a problem so I can only assume that the setting you mention hasn't been changed on the other 2.

It worked a treat. Thanks
