Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Always have to double logon with terminal services

Posted on 2009-02-20
Medium Priority
Last Modified: 2013-11-29
I'm using Windows Server 2008 and setting up TS for use with a program for a couple users.  I want to have the users type their username/passwords in on their local RDP window rather than seeing the Server 2008 logon screen.  When I go to:
Terminal Services Configuration--> RDP-tcp-->Logon Settings-->
The "always prompt for password" is checked, but greyed out.  I believe this is where my problem is.  No matter what setting I select above, that check box is still greyed out.  I've tried changing settings in gpedit.msc, but to no avail.  I've even moved this server into a "No inheritance" OU and rebooted but this check box is still greyed out.  Any ideas?  Thanks in advanced.
Question by:Unisys1
  • 3
  • 2

Author Comment

ID: 23692545
Forgot to add, the original problem is that users are prompted at open of the .rdp file to connect, and once they log onto the server they are prompted for credentials again.
LVL 13

Expert Comment

ID: 23692899
I think you're right about that checkbox being the problem. After you changed the GPO settings or moved it to the other OU, did you run gpupdate to refresh the policies on the terminal server? Are they running the new remote desktop client or the one that came with XP?

Another option to work around it is to just have them leave the password blank initially. Then when they're actually connected it will ask for their password and they can log in. I think in this case, since the terminal server is always asking for the password the 2nd time, it never processes the initial login, so leaving the password blank initially should not count as a bad password attempt.

Author Comment

ID: 23695189
Yes, I did run the gpupdate /force after I modified the settings & moved OUs.  We are connecting from XPSP3 so it is RDP 6.1.  

To answer your second question, yes that would work fine desable local credentials and have the user log on at the Server 2008 Screen, but what I left out was that we would like to use RemoteApp and just have them enter username/password at the small initial screen and then they would never see that 2008 logon screen and it would look truely seemless to the end user.

I've uninstalled Terminal ervices, modified the gpedit.msc "Prompt for credentials on the Client Computer" to enabled.  Rebooted, and now the check box is unchecked, but still greyed out!   Arrgh...
Reinstalled TS, and it does prompt for credentials only once, but still greyed out.  Any clues?
LVL 13

Accepted Solution

CrashDummy_MS earned 1000 total points
ID: 23695327
Grayed out check boxes almost always means either you're not logged in with enough rights to change something or that it is configured by a policy. I'm assuming you're logged in as an admin on the server so it shouldn't be that.

That still leaves a policy. Run gpedit.msc on the terminal server and see if anything there is configured. It should be under computer settings, administrative templates, windows components, terminal services.

If that doesn't do it, use the group policy management console and run resultant set of policies for that server and see what policies get applied to it.

Author Comment

ID: 23727070
Wierd wierd wierd.  First of all, thank you CrashDummy.  It doesn't matter how much you believe your settings are right, you should always double check.  Currently the machine is in an OU that blocks GPO inheritance.  I ran gpresult /v and looked through the list and sure enough, the reason my box is greyed out & unchecked is because of a local GPedit.

Initial Problem --> OU GPO applied
2nd Problem, after I moved to an ininherited OU, I still had the local "Do not allow passwords to be saved" Policy set to enabled.  

They are both set to not configured, and my check box is back.  Thanks

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question