Solved

Remote desktop doesn't work for non-admin user

Posted on 2009-06-27
7
997 Views
Last Modified: 2013-11-21
Folks,

I have created a user in Windows 2008 server and made the user a member of the Remote Desktop Users group.  I've checked the RDP-Tcp Properties (security tab) and I see Remote Desktop Users has "user access" and "guest access" allowed, but not "full control".    Under "system properties"/Remote tab, I have selected "Allow connection only from computers running Remote Desktop with NLA".  Under "Select users..." I've added this new account I created.

When I login via remote desktop connection, I see the login screen, but it has the message "To log on to this remote computer, you must be granted the Allow log on through Terminal Services right.  By Default, members of the Remote Desktop Users group..."

please help!  what am I doing wrong?

note that i prematurely accepted this answer.  this isn't an NLA issue:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_24503417.html#discussion
0
Comment
Question by:sfun28
7 Comments
 
LVL 4

Expert Comment

by:nasserd
ID: 24728208
The error message you describe refers to Local User and Groups account.  Every individual user may not have "Allow log on through Terminal Services" selected (it's a checkbox)... so group membership and access rights are, in fact, separate security concerns.
0
 
LVL 5

Expert Comment

by:AngelGabriel
ID: 24728219
check the individual user accounts, to make sure they can log on by terminal server - admins get around this by being in the administrator group.
0
 
LVL 1

Author Comment

by:sfun28
ID: 24728583
Where specifically should I go to enable Terminal Services for my user?

Under properies of "My Computer"/ Remote Settings  I there's a "Select Users..." button.  My user (not group) is in that list already.

In the User's properties under Computer Manager I don't see an option.  The "Terminal Services Profile" tab has a checkbox to "deny this user permission to lo on to terminal server" but that check box is unchecked currently.

How do I give this specific user access to login to via RDC?
0
The curse of the end user strikes again      

You’ve updated all your end user’s email signatures. Hooray! But guess what? They’re playing around with the HTML, adding stupid taglines and ruining the imagery. Find out how you can save your signatures from end users today.

 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 24732177
Run RSOP.msc (Resultant Set Of Policies) and expand the following policy tree
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Check the settings
* Allow log on through Terminal Services
* Deny log on through Terminal Services

If user is member of any group that has been granted access and at the same time is a member of a group that has been denied access, the deny setting will override.
0
 
LVL 1

Author Comment

by:sfun28
ID: 24733195
hi jenjoh09,

I followed the policy tree, both settings say "Not defined".  When I click into them, the "Template security policy setting"  tag has options that are disabled, with a note that says "This setting is not compatible with computers running Windows 2000 Service Pack 1 or earlier.  Apply group policy objects containing this setting only to computers running a later version of the operating system"

To be honest I have no clue what this means.  I'm running Windows 2008 Server.

thoughts?
0
 
LVL 1

Author Comment

by:sfun28
ID: 24741847
henjoh09?
0
 
LVL 1

Accepted Solution

by:
sfun28 earned 0 total points
ID: 24750945
figured it out.  gpedit.msc, add Remote Desktop Users group to the Allow... setting.
why this isn't there by default is beyond me.
0

Featured Post

Are your corporate email signatures appalling?

Is it scary how unprofessional your email signatures look? Do users create their own terrible designs and give themselves stupid job titles? You can make this a lot easier for yourself by choosing an email signature management solution from Exclaimer today.

Join & Write a Comment

If you migrate a Terminal Server licenses server inside the 2008 server family, you can takte advantage of the build-in migration tool. If you like to migrate an older 2003 Server (and the installed client CALs) to a 2008 R2 server for example, you …
Know what services you can and cannot, should and should not combine on your server.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now