Solved

Remote desktop doesn't work for non-admin user

Posted on 2009-06-27
7
1,013 Views
Last Modified: 2013-11-21
Folks,

I have created a user in Windows 2008 server and made the user a member of the Remote Desktop Users group.  I've checked the RDP-Tcp Properties (security tab) and I see Remote Desktop Users has "user access" and "guest access" allowed, but not "full control".    Under "system properties"/Remote tab, I have selected "Allow connection only from computers running Remote Desktop with NLA".  Under "Select users..." I've added this new account I created.

When I login via remote desktop connection, I see the login screen, but it has the message "To log on to this remote computer, you must be granted the Allow log on through Terminal Services right.  By Default, members of the Remote Desktop Users group..."

please help!  what am I doing wrong?

note that i prematurely accepted this answer.  this isn't an NLA issue:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_24503417.html#discussion
0
Comment
Question by:sfun28
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 4

Expert Comment

by:nasserd
ID: 24728208
The error message you describe refers to Local User and Groups account.  Every individual user may not have "Allow log on through Terminal Services" selected (it's a checkbox)... so group membership and access rights are, in fact, separate security concerns.
0
 
LVL 5

Expert Comment

by:AngelGabriel
ID: 24728219
check the individual user accounts, to make sure they can log on by terminal server - admins get around this by being in the administrator group.
0
 
LVL 1

Author Comment

by:sfun28
ID: 24728583
Where specifically should I go to enable Terminal Services for my user?

Under properies of "My Computer"/ Remote Settings  I there's a "Select Users..." button.  My user (not group) is in that list already.

In the User's properties under Computer Manager I don't see an option.  The "Terminal Services Profile" tab has a checkbox to "deny this user permission to lo on to terminal server" but that check box is unchecked currently.

How do I give this specific user access to login to via RDC?
0
Office 365 Advanced Training for Admins

Special Offer:  Buy 1 course, get 2nd free!  Buy the 'Managing Office 365 Identities & Requirements' course w/ Accelerated TestPrep, and automatically receive the 'Enabling Office 365 Services' course FREE!

 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 24732177
Run RSOP.msc (Resultant Set Of Policies) and expand the following policy tree
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Check the settings
* Allow log on through Terminal Services
* Deny log on through Terminal Services

If user is member of any group that has been granted access and at the same time is a member of a group that has been denied access, the deny setting will override.
0
 
LVL 1

Author Comment

by:sfun28
ID: 24733195
hi jenjoh09,

I followed the policy tree, both settings say "Not defined".  When I click into them, the "Template security policy setting"  tag has options that are disabled, with a note that says "This setting is not compatible with computers running Windows 2000 Service Pack 1 or earlier.  Apply group policy objects containing this setting only to computers running a later version of the operating system"

To be honest I have no clue what this means.  I'm running Windows 2008 Server.

thoughts?
0
 
LVL 1

Author Comment

by:sfun28
ID: 24741847
henjoh09?
0
 
LVL 1

Accepted Solution

by:
sfun28 earned 0 total points
ID: 24750945
figured it out.  gpedit.msc, add Remote Desktop Users group to the Allow... setting.
why this isn't there by default is beyond me.
0

Featured Post

Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Redirected folders in a windows domain can be quite useful for a number of reasons, one of them being that with redirected application data, you can give users more seamless experience when logging into different workstations.  For example, if a use…
I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question