Solved

To log on to this remote computer, you must be granted the allow log on through Terminal Services right. By default, members of the Remote Desktop User group have this right.

Posted on 2009-03-29
Last Modified: 2013-11-21
server - 2003 DC
I didn't modify the default admin account. I also created another domain admin account. That account is able to remote access, but the default admin account is not..... why?

By default it should already be in the remote desktop GP. I also tried to add it in the GP, but that did not help.
Question by:bubuko
8 Comments
 
LVL 11

Expert Comment

by:Quetzal
ID: 24013241
Run Terminal Services configuration, right-click the connection, click on Properties, view Security tab.  Is the default admin account explicitly denied here?
 

Author Comment

by:bubuko
ID: 24013265
There is no security tab, only Permission.

Inside the tab, there are Administrators, local service, network service, remote desktop users and system.

The weird thing is that the other admin account which I created later is able to RDP, but the default admin (administrator) account is not able to.
 
LVL 9

Accepted Solution

by:
Michael Knight earned 250 total points
ID: 24013268
If you're certain the users have the "allow log on through Terminal Services" rights, then I would check the settings in the Terminal Services snap-in to ensure those users explicitly have logon locally and logon to terminal services rights.
I've seen it a few times on 2k3 where simply adding them in AD didn't let them log in to TS.
LVL 9

Expert Comment

by:Michael Knight
ID: 24013271
wow too slow...jeez
 
LVL 11

Expert Comment

by:Quetzal
ID: 24013306
Michael, nice catch on the user rights assignments.  This is accessible through the Local Security Policy applet.  Also check Deny logon through Terminal Services to make certain the admin account is not there.
 

Author Comment

by:bubuko
ID: 24013308
michaelaknight!! you rock!! I checked in DC policy, user right assignments:

Check "Allow log on locally" -> administrators is there.

Check in "Allow logon through terminal service" -> Only the created admin account is there. I removed it and added the administrator GP instead.

But why is this not there by default?? It should be there by default though!!
 
LVL 9

Expert Comment

by:Michael Knight
ID: 24013544
Hah! I wasn't too slow.
You know bubuko, I've stopped trying to understand why Microsoft does what it does...I just fix the errors and collect my check ;)
 
LVL 18

Expert Comment

by:Americom
ID: 24014025
Hummm...if you are referring to a domain controller, by default, the "Domain Policy" and the "Domain Controller Policy" of the "allow log on through Terminal Services" are set to "Not Defined", which means only Administrator can log on remotely. This includes the domain "Administrator" account as well as any domain account created as a member of Domain Admins. However, by default the local policy of the Domain Controllers (if you run gpedit.msc) of the "Allow log on through Terminal Services" is open to the "Administrators" and "Domain Admins" groups. This means a non-administrator cannot log on remotely, even if they are added to the domain "remote desktop users" group. This is by design, and it is usually not recommended to make your Domain Controller a Terminal Server for security reasons.

If you find any setting that is different than the default, then someone must have changed it, either intentionally or without fully understanding the difference between a Domain Controller and a member server.

Of course the default setting for "Allow log on through Terminal Services" is open to "Administrators" and "Remote Desktop Users" which means as long as you add a non-admin account to the Remote Desktop Users group, the user would have remote logon access to the member server.
Question has a verified solution.
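
The check the thread converges on (who holds "Allow log on through Terminal Services", and whether the account also appears under "Deny log on through Terminal Services") can be read from the command line instead of the Local Security Policy applet. The script below is an added example, not part of the original thread; it assumes PowerShell 3.0 or later and an elevated prompt, and the function names `Resolve-Principal` and `Get-RdpLogonRight` are hypothetical.

```powershell
# Added example: list the accounts behind the two RDP logon rights.
# Run from an elevated prompt; needs PowerShell 3.0+ and secedit.exe.
$rights = [ordered]@{
    SeRemoteInteractiveLogonRight     = 'Allow log on through Terminal Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}

function Resolve-Principal([string]$Entry) {
    # secedit writes SIDs as "*S-1-5-..."; anything else is already a name.
    if ($Entry -match '^\*(S-1-[0-9-]+)$') { $sidText = $Matches[1] }
    else { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        "$sidText (unresolved)"   # SID with no account behind it any more
    }
}

function Get-RdpLogonRight {
    # Export only the user-rights area of the machine's security settings.
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        $lines = Get-Content -Path $cfg
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
    foreach ($name in $rights.Keys) {
        # A right that nobody holds is missing from the export or left empty.
        $line = $lines | Where-Object { $_ -match "^$name\s*=" } |
            Select-Object -First 1
        $members = @()
        if ($line) {
            $members = ($line -split '=', 2)[1].Split(',') |
                ForEach-Object { $_.Trim() } | Where-Object { $_ } |
                ForEach-Object { Resolve-Principal $_ }
        }
        [pscustomobject]@{
            Right    = $rights[$name]
            Constant = $name
            Members  = if ($members) { $members -join '; ' } else { '(not assigned)' }
        }
    }
}

# An account listed under the deny right is refused even if it is also allowed.
Get-RdpLogonRight | Format-List
```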