Solved

Not Permitting Terminal Services Logon

Posted on 2008-06-23
12
419 Views
Last Modified: 2012-05-05
Good morning,
Our servers are not letting our users logon via terminal services.  We're running Windows Server 2003 in a terminal services environment.  Administrators can logon.  No other user can.  Where would I address this problem and how.
Thanks for your help.
0
Comment
Question by:cclausen1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
12 Comments
 
LVL 3

Expert Comment

by:dblake15
ID: 21845209
So your users are trying to RDP in??  If that is the case then you need to make sure that the users are part of the remote desktop users group or in My Computer properties, under the remote tab, you can add the group that you have the users in, with regards to AD.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21845771
Normally the users nead to be added to the local group "Remote Desktop Users".
The groups allowed to log on through TS is controlled by the policy "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Terminal Services" (default Administrators and Remote Desktop Users).
0
 

Author Comment

by:cclausen1
ID: 21845995
Users are part of the Remote Desktop Users group.  I think a Group Policy was changed affecting this.  Is that possible?
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21846124
Yes, it's the user rights assignment in my previous post that has been changed through GPO or local policy.
Use rsop.msc (Resultant Set Of Policies) to analyze what GPO is setting the policy.
Create a new GPO to set the "...\User Rights\Allow log on through Terminal Services" to allow TS-access for both Administrators and Remote Desktop Users. Link the GPO to the OU containing the TS-server.
0
 

Author Comment

by:cclausen1
ID: 21846608
The policy "Allow logon through Terminal Services" shows only administrators and the option of "adding" or "removing" users is greyed-out for all our servers.
0
 

Author Comment

by:cclausen1
ID: 21846646
I have also enabled the group policy "Allow users to connect remotely using Terminal Services" at the domain and domain controller level.  This has had no effect unfortunately.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21846817
The reason for it's grayed out is that a GPO is affecting the server. Run rsop.msc to see what GPO is applying the setting. If you were able to modify the setting, it would be overriden by the GPO.
You nead to modify the GPO (or create a new linked to the OU containing the server) to allow both Administrators and Remote Desktop Users.
Your last posts make me wonder if the server also is a DC?
0
 

Author Comment

by:cclausen1
ID: 21846953
A DC is affected, but the two servers running as TSs are the ones we're focused on.  

I ran rsop.msc, but it wasn't evident.  Where would the policy blocking this most likely reside?  Under Users or Computer Config?

Thanks.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21847164
User rights assignment is a part of computer configuration.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Terminal Services

rsop.msc is just for analyzing to find out what GPO is configuring the policy setting.

To solve the problem:
Place the TS-servers in their own OU.
Create a new GPO configuring the user right to log on through TS.
Link the GPO to the OU with the TS-servers.
0
 

Author Comment

by:cclausen1
ID: 21847313
Is this done via the Group Policy Management tool?  If local policies are changed via the process you've outlined, will it propogate to all the servers.
0
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 250 total points
ID: 21847477
Yes
Local policy has lowest priority and will be overruled if the policy is set through a GPO in the domain.
0
 

Author Closing Comment

by:cclausen1
ID: 31469694
Thanks.
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question