• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1576
  • Last Modified:

Users cannot logon to Terminal Server 2008

I have two Windows Server 2008 machines. One is the Domain Controller running AD, DHCP, File Sharing and is the Terminal Server Licensing machine. The other Server 2008 is the Terminal Server.

When I try to login  to the terminal server I get the following message:

The User Profile Service service failed the logon. User Profile cannot be loaded.

I have 10 other users and they are working just fine and we have 20 CAL's installed.

I do have the user profiles (roaming) setup on a shared folder on the terminal server machine on the "E" drive (not the primary C and not on the local active directory machine.

I have checked all the permissions as per Microsoft and others. I just cannot get any new users to be able to log in to the domain at all. 98% of my users are on thin clients with two users on fat clients. Two new users have been hired and we need for them to be able to use thin client setup.
0
Marc Barash
Asked:
Marc Barash
  • 12
  • 9
1 Solution
 
JHallidayChief Technical OfficerCommented:
Have you checked to see if there is any conflict with the drive letters ? Also try setting the users to use a local profile and see if that works if it does then it must be something to do with how your roaming profiles are set-up otherwise it will be a local server issue on your Terminal Server
0
 
Marc BarashAuthor Commented:
The users I am trying to add are thin client users. There are not fat clients so they have to be roaming.

I don't understand the question, "conflict with the drive letters"? Could you please explain?

The local path in Terminal Profile  we are using is e.x. \\TS-SERVER\Users\<username>\Profile
0
 
JHallidayChief Technical OfficerCommented:
If you set the user in the Active Directory Users and Computers console to have a local profile it will create a local profile on the TS server not the thin client device.

The conflict in drive letters could be caused by you setting the user profile to be E:\Profile (for example) but also mapping a network drive to E:
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
Marc BarashAuthor Commented:
I understand your question and will check the mapping as you have suggested. I will let you know shortly if this is a problem.
0
 
Marc BarashAuthor Commented:
Okay, still no go. User properties looks like this

Profile tab User profile
\\ts-server\users$\username\Profile
Home Folder area blank

Terminal Services Profile tab
\\ts-server\Profiles\username
Home Folder area blank

Remember AD is on the Domain controller called Server and the profiles are stored on the Terminal Server. I was told this might be the cause of the problem. but others are working fine.
0
 
JHallidayChief Technical OfficerCommented:
Try removing the text from User Profile on both the User Profile tab and the Terminal Services Profile Tab that will force the server to generate a temporary profile and let me know if it works.
0
 
Marc BarashAuthor Commented:
with no profile specified I get the message "user name or password is incorrect"

if I use the domain\user name I get the message: To log on to this remote computer, us must be granted the Allow log on through Terminal Services right, By default, members of the Remote Desktop Users group.......

This user is a member of the Remote Desktop Users group.
0
 
JHallidayChief Technical OfficerCommented:
Hmmm this is starting to sound like a permissions issue.  As a temporary measure to ascertain if the problem is permissions related or not add one user to the local server admin group and try and log in (remember to remove them afterwards)
0
 
Marc BarashAuthor Commented:
added user to admin group and same response, To log on to this remote computer, user must be granted the Allow log on through Terminal Services right, By .......

I am trying to log on to the Terminal Server via RDP from the DC to test the users login and profile.
0
 
Marc BarashAuthor Commented:
I remember once having to adjust some registry keys for remote access... Are you familiar with those and where they are located?
0
 
JHallidayChief Technical OfficerCommented:
I've never had to amend any registry keys but there is a local security policy setting that you occassionaly need to tweak. Go to Administrative tools then select Local Security Policy.

From there open Local Policies >> User Rights Assignment >> Allow log on Locally and Allo Log on thought Terminal Services

But if it was a problem with the local policy it would be all users affected.  This looks more like a server issue though as your user can't logon even when flagged as an admin.
0
 
Marc BarashAuthor Commented:
I went into local user rights and added this user, still no success. I added the user to local policies on both the DC and the TS.
0
 
Marc BarashAuthor Commented:
Any more thoughts?
0
 
JHallidayChief Technical OfficerCommented:
I'm completely stumped on this one.  Do you have anything showing in the Event Logs ?
0
 
Marc BarashAuthor Commented:
Nope, nothing showing in event logs. The customer is going live on Friday, so as a last ditch attempt to get this right, I added the new 4 users to the Domain Admins group and that worked!

I don't understand why 9 other users work fine without having to be a part of domain admins, but these new users have to be. It seems that when I set them up in AC  on the DC, their folders don't get created with the proper permissions.

Any thoughts as I really don't want to leave these users as part of the domain admins group.
0
 
JHallidayChief Technical OfficerCommented:
Totally agree about not leaving them in DA.

What results do you get if you run the effective permissions on the Terminal Server Profile path ?

If you don't know how to run it right click on the parent foler and goto security tab then advanced there is a tab at the top called Effective Permissions you can select one of your working users and problem users and compare the permission sets (see screenshot)
Effective-Permissions.jpg
0
 
Marc BarashAuthor Commented:
have effective permissions set for user or admin and still no change
0
 
JHallidayChief Technical OfficerCommented:
Can you Copy a working user and try and log in and see if you get the same issue.  Use the Copy User functionwithin Active Directory.
0
 
Marc BarashAuthor Commented:
got the problem solved with a 12 hour phone call with microsoft support. The resolution was while the users in AD had the Terminal Services Profile pathed to the Terminal Server, the Profile tab was blank. Thus a local profile was unable to create folders on the C drive of the Terminal Server due to permissions and access.

When we created a Users folder on the Terminal Server, then all users were able to now logon. There had been a Users folder and was redirected in the Profiles tab but someone had removed all the entries.
0
 
Marc BarashAuthor Commented:
For sticking with the problem, points should be awarded.
0
 
JHallidayChief Technical OfficerCommented:
Fantastic.  Glad you got it sorted and thanks for posting the solution :)
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

  • 12
  • 9
Tackle projects and never again get stuck behind a technical roadblock.
Join Now