To log onto this remote computer, you must be granted the Allow Log on through Terminal Services Right....

When I try to log onto a terminal server as a user it gives me the following error,   To log onto this remote computer, you must be granted the Allow Log on through Terminal Services Right....etc.    I have this user added as a remote desktop user on the domain controller and on the terminal server in question.  If I make the user a domain admin then they are able to log on but we do not want them to have these rights.  We have also made sure the Remote Desktop User group has the rights to log on using Terminal Services.  Any siggestions?
johnpatbullockAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

raptorjb007Commented:
Add the domain "Remote Desktop users" group to the Terminal Server's local "Remote Desktop users" group. The local group has permissions to the RDP protocol by default. This configuration will allow you to manage which users can connect using the domain security group going forward.

If the terminal server is a DC there may be additional steps, if this is the case let me know.
0
johnpatbullockAuthor Commented:
This has been added and it still will not let me log on.  The terminal server is not the DC.
0
raptorjb007Commented:
There are a few places that need to be configured properly for TS to work.

1) The "allow logon through terminal services" right must be assigned to the user or group in question. This can be done through group policy or local policy. By default, remote desktop users is granted this right locally, you can do the same with a domain policy for good group organization.

2) Permissions to the RDP protocol must be added in (admin tools->Terminal services config->connections->RDP-tcp properties->Permissions). Usually remote desktop users is already listed but you may have to add it.

3) The "HKLM\system\currentcontrolset\control\terminal server\fDenyTSConnections" dword must be set to "0". This can also be accessed by right clicking "my computer" and choose properties, go to the "remote" tab, and check the box for "enable remote desktop on this computer.

Typically, I add "authenticated users" to the local remote desktop group, then grant remote desktop users permissions to the RDP-tcp protocol. I then grant the "allow logon through terminal services" right via group policy to the terminal server(locally or domain) to "authenticated users". This method allows all users to logon, you would have to use a security group if you only want to grant specific users access.

You can define the permissions for the user's/groups however you want. It is usually easiest to add the users you wish to allow to the domain group "remote desktop users", add the domain group to the local "remote desktop users" on the server for good measure, then reference the domain group in RDP permissions and the "allow logon.." policy setting.

Let me know if this helps.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Cloud Class® Course: Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

ChiefITCommented:
Assuming this has never worked before, you have to manually configure RDP to allow log on.

Right click the "my compuer" icon> select "properties">> select the remote tab. In the middle of that tab you need to enable the checkbox that says something like "allow users to connect to this computer remotely" (By default, the only one with permissions is the domain administrator). To add other folks click the "select remote users" tab.

A group or local policy will deny you from logging onto Terminal services and RDP. But, the error is a little bit different. It will usually say something like "a local (or group policy) is preventing you from logging on interactively to terminal services"
0
raptorjb007Commented:
Any luck?
0
comptech_engineeringCommented:
Adding Domain Users to the RDP protocol fixed this problem for me.  

Thanks raptorjb007.
0
agrogersCommented:
Problem was solved for me by adding the Domain User to the local Remote Desktop Users group.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.