• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 427
  • Last Modified:

Not Permitting Terminal Services Logon

Good morning,
Our servers are not letting our users logon via terminal services.  We're running Windows Server 2003 in a terminal services environment.  Administrators can logon.  No other user can.  Where would I address this problem and how.
Thanks for your help.
0
cclausen1
Asked:
cclausen1
  • 6
  • 5
1 Solution
 
dblake15Commented:
So your users are trying to RDP in??  If that is the case then you need to make sure that the users are part of the remote desktop users group or in My Computer properties, under the remote tab, you can add the group that you have the users in, with regards to AD.
0
 
Henrik JohanssonSystems engineerCommented:
Normally the users nead to be added to the local group "Remote Desktop Users".
The groups allowed to log on through TS is controlled by the policy "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Terminal Services" (default Administrators and Remote Desktop Users).
0
 
cclausen1Author Commented:
Users are part of the Remote Desktop Users group.  I think a Group Policy was changed affecting this.  Is that possible?
0
Restore individual SQL databases with ease

Veeam Explorer for Microsoft SQL Server delivers an easy-to-use, wizard-driven interface for restoring your databases from a backup. No expert SQL background required. Web interface provides a complete view of all available SQL databases to simplify the recovery of lost database

 
Henrik JohanssonSystems engineerCommented:
Yes, it's the user rights assignment in my previous post that has been changed through GPO or local policy.
Use rsop.msc (Resultant Set Of Policies) to analyze what GPO is setting the policy.
Create a new GPO to set the "...\User Rights\Allow log on through Terminal Services" to allow TS-access for both Administrators and Remote Desktop Users. Link the GPO to the OU containing the TS-server.
0
 
cclausen1Author Commented:
The policy "Allow logon through Terminal Services" shows only administrators and the option of "adding" or "removing" users is greyed-out for all our servers.
0
 
cclausen1Author Commented:
I have also enabled the group policy "Allow users to connect remotely using Terminal Services" at the domain and domain controller level.  This has had no effect unfortunately.
0
 
Henrik JohanssonSystems engineerCommented:
The reason for it's grayed out is that a GPO is affecting the server. Run rsop.msc to see what GPO is applying the setting. If you were able to modify the setting, it would be overriden by the GPO.
You nead to modify the GPO (or create a new linked to the OU containing the server) to allow both Administrators and Remote Desktop Users.
Your last posts make me wonder if the server also is a DC?
0
 
cclausen1Author Commented:
A DC is affected, but the two servers running as TSs are the ones we're focused on.  

I ran rsop.msc, but it wasn't evident.  Where would the policy blocking this most likely reside?  Under Users or Computer Config?

Thanks.
0
 
Henrik JohanssonSystems engineerCommented:
User rights assignment is a part of computer configuration.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Terminal Services

rsop.msc is just for analyzing to find out what GPO is configuring the policy setting.

To solve the problem:
Place the TS-servers in their own OU.
Create a new GPO configuring the user right to log on through TS.
Link the GPO to the OU with the TS-servers.
0
 
cclausen1Author Commented:
Is this done via the Group Policy Management tool?  If local policies are changed via the process you've outlined, will it propogate to all the servers.
0
 
Henrik JohanssonSystems engineerCommented:
Yes
Local policy has lowest priority and will be overruled if the policy is set through a GPO in the domain.
0
 
cclausen1Author Commented:
Thanks.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

  • 6
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now