Solved

Remote desktop doesn't work for non-admin user

Posted on 2009-06-27
7
1,005 Views
Last Modified: 2013-11-21
Folks,

I have created a user in Windows 2008 server and made the user a member of the Remote Desktop Users group.  I've checked the RDP-Tcp Properties (security tab) and I see Remote Desktop Users has "user access" and "guest access" allowed, but not "full control".    Under "system properties"/Remote tab, I have selected "Allow connection only from computers running Remote Desktop with NLA".  Under "Select users..." I've added this new account I created.

When I login via remote desktop connection, I see the login screen, but it has the message "To log on to this remote computer, you must be granted the Allow log on through Terminal Services right.  By Default, members of the Remote Desktop Users group..."

please help!  what am I doing wrong?

note that i prematurely accepted this answer.  this isn't an NLA issue:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_24503417.html#discussion
0
Comment
Question by:sfun28
7 Comments
 
LVL 4

Expert Comment

by:nasserd
ID: 24728208
The error message you describe refers to Local User and Groups account.  Every individual user may not have "Allow log on through Terminal Services" selected (it's a checkbox)... so group membership and access rights are, in fact, separate security concerns.
0
 
LVL 5

Expert Comment

by:AngelGabriel
ID: 24728219
check the individual user accounts, to make sure they can log on by terminal server - admins get around this by being in the administrator group.
0
 
LVL 1

Author Comment

by:sfun28
ID: 24728583
Where specifically should I go to enable Terminal Services for my user?

Under properies of "My Computer"/ Remote Settings  I there's a "Select Users..." button.  My user (not group) is in that list already.

In the User's properties under Computer Manager I don't see an option.  The "Terminal Services Profile" tab has a checkbox to "deny this user permission to lo on to terminal server" but that check box is unchecked currently.

How do I give this specific user access to login to via RDC?
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 24732177
Run RSOP.msc (Resultant Set Of Policies) and expand the following policy tree
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Check the settings
* Allow log on through Terminal Services
* Deny log on through Terminal Services

If user is member of any group that has been granted access and at the same time is a member of a group that has been denied access, the deny setting will override.
0
 
LVL 1

Author Comment

by:sfun28
ID: 24733195
hi jenjoh09,

I followed the policy tree, both settings say "Not defined".  When I click into them, the "Template security policy setting"  tag has options that are disabled, with a note that says "This setting is not compatible with computers running Windows 2000 Service Pack 1 or earlier.  Apply group policy objects containing this setting only to computers running a later version of the operating system"

To be honest I have no clue what this means.  I'm running Windows 2008 Server.

thoughts?
0
 
LVL 1

Author Comment

by:sfun28
ID: 24741847
henjoh09?
0
 
LVL 1

Accepted Solution

by:
sfun28 earned 0 total points
ID: 24750945
figured it out.  gpedit.msc, add Remote Desktop Users group to the Allow... setting.
why this isn't there by default is beyond me.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now