Users cannot logon to Terminal Server 2008

I have two Windows Server 2008 machines. One is the Domain Controller running AD, DHCP, File Sharing and is the Terminal Server Licensing machine. The other Server 2008 is the Terminal Server.

When I try to log in to the terminal server I get the following message:

The User Profile Service service failed the logon. User Profile cannot be loaded.

I have 10 other users and they are working just fine and we have 20 CALs installed.

I do have the user profiles (roaming) set up on a shared folder on the terminal server machine on the "E" drive (not the primary C and not on the local Active Directory machine).

I have checked all the permissions as per Microsoft and others. I just cannot get any new users to be able to log in to the domain at all. 98% of my users are on thin clients with two users on fat clients. Two new users have been hired and we need them to be able to use the thin client setup.
Marc Barash (President) asked:

JHalliday (Chief Technical Officer) commented:
Have you checked to see if there is any conflict with the drive letters? Also, try setting the users to use a local profile and see if that works. If it does, then it must be something to do with how your roaming profiles are set up; otherwise it will be a local server issue on your Terminal Server.
0
Marc Barash (President, Author) commented:
The users I am trying to add are thin client users. They are not fat clients so they have to be roaming.

I don't understand the question, "conflict with the drive letters"? Could you please explain?

The local path in Terminal Profile we are using is e.g. \\TS-SERVER\Users\<username>\Profile
0
JHalliday (Chief Technical Officer) commented:
If you set the user in the Active Directory Users and Computers console to have a local profile it will create a local profile on the TS server not the thin client device.

The conflict in drive letters could be caused by you setting the user profile to be E:\Profile (for example) but also mapping a network drive to E:
0
Marc Barash (President, Author) commented:
I understand your question and will check the mapping as you have suggested. I will let you know shortly if this is a problem.
0
Marc Barash (President, Author) commented:
Okay, still no go. User properties look like this:

Profile tab User profile
\\ts-server\users$\username\Profile
Home Folder area blank

Terminal Services Profile tab
\\ts-server\Profiles\username
Home Folder area blank

Remember AD is on the Domain Controller called Server and the profiles are stored on the Terminal Server. I was told this might be the cause of the problem, but others are working fine.
0
JHalliday (Chief Technical Officer) commented:
Try removing the text from User Profile on both the User Profile tab and the Terminal Services Profile tab. That will force the server to generate a temporary profile. Let me know if it works.
0
Marc Barash (President, Author) commented:
With no profile specified I get the message "user name or password is incorrect"

If I use the domain\user name I get the message: To log on to this remote computer, us must be granted the Allow log on through Terminal Services right, By default, members of the Remote Desktop Users group.......

This user is a member of the Remote Desktop Users group.
0
JHalliday (Chief Technical Officer) commented:
Hmmm, this is starting to sound like a permissions issue. As a temporary measure to ascertain if the problem is permissions related or not, add one user to the local server admin group and try to log in (remember to remove them afterwards).
0
Marc Barash (President, Author) commented:
Added user to admin group and same response, To log on to this remote computer, user must be granted the Allow log on through Terminal Services right, By .......

I am trying to log on to the Terminal Server via RDP from the DC to test the users login and profile.
0
Marc Barash (President, Author) commented:
I remember once having to adjust some registry keys for remote access... Are you familiar with those and where they are located?
0
JHalliday (Chief Technical Officer) commented:
I've never had to amend any registry keys but there is a local security policy setting that you occasionally need to tweak. Go to Administrative Tools then select Local Security Policy.

From there open Local Policies >> User Rights Assignment >> Allow log on locally and Allow log on through Terminal Services

But if it was a problem with the local policy it would be all users affected. This looks more like a server issue though, as your user can't log on even when flagged as an admin.
0
Marc Barash (President, Author) commented:
I went into local user rights and added this user, still no success. I added the user to local policies on both the DC and the TS.
0
Marc Barash (President, Author) commented:
Any more thoughts?
0
JHalliday (Chief Technical Officer) commented:
I'm completely stumped on this one. Do you have anything showing in the Event Logs?
0
Marc Barash (President, Author) commented:
Nope, nothing showing in event logs. The customer is going live on Friday, so as a last ditch attempt to get this right, I added the new 4 users to the Domain Admins group and that worked!

I don't understand why 9 other users work fine without having to be a part of Domain Admins, but these new users have to be. It seems that when I set them up in AD on the DC, their folders don't get created with the proper permissions.

Any thoughts, as I really don't want to leave these users as part of the Domain Admins group?
0
JHalliday (Chief Technical Officer) commented:
Totally agree about not leaving them in DA.

What results do you get if you run the effective permissions on the Terminal Server Profile path?

If you don't know how to run it, right-click on the parent folder and go to the Security tab, then Advanced. There is a tab at the top called Effective Permissions. You can select one of your working users and problem users and compare the permission sets (see screenshot).
[Screenshot: Effective-Permissions.jpg]
0
Marc Barash (President, Author) commented:
Have effective permissions set for user or admin and still no change.
0
JHalliday (Chief Technical Officer) commented:
Can you copy a working user and try to log in and see if you get the same issue? Use the Copy User function within Active Directory.
0
Marc Barash (President, Author) commented:
Got the problem solved with a 12 hour phone call with Microsoft support. The resolution was while the users in AD had the Terminal Services Profile pathed to the Terminal Server, the Profile tab was blank. Thus a local profile was unable to create folders on the C drive of the Terminal Server due to permissions and access.

When we created a Users folder on the Terminal Server, then all users were able to now logon. There had been a Users folder and was redirected in the Profiles tab but someone had removed all the entries.
0
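A read-only check for the situation this thread ends on, added here as an example and not part of any participant's post or Microsoft's procedure: for each account it reports the Profile tab path, the Terminal Services Profile tab path, whether the folder exists, and whether the account is still a direct member of Domain Admins from the workaround. The account names are constructed placeholders; the `.V2` suffix check assumes Server 2008 roaming profile naming.

```powershell
# Added example. Account names are constructed placeholders; replace with real sAMAccountNames.
$users = 'workinguser1', 'newuser1'

function Get-ProfileAudit {
    param([string]$SamAccountName)

    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $result = ([adsisearcher]$filter).FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found in the directory." }
    $entry = $result.GetDirectoryEntry()

    # Profile tab (profilePath attribute). Empty means a local profile on the server.
    $profilePath = [string]$entry.Properties['profilePath'].Value

    # Terminal Services Profile tab is stored inside userParameters; read it through ADSI.
    $tsPath = $null
    try { $tsPath = [string]$entry.psbase.InvokeGet('TerminalServicesProfilePath') } catch { }

    # Direct membership only: nested groups and the primary group are not listed in memberOf.
    $isDA = @($entry.Properties['memberOf'] |
              Where-Object { $_ -like 'CN=Domain Admins,*' }).Count -gt 0

    $tabs = @{ 'Profile' = $profilePath; 'Terminal Services Profile' = $tsPath }
    foreach ($tab in $tabs.Keys) {
        $path = $tabs[$tab]
        $found = $null; $aces = ''
        if ($path) {
            # Assumption: Server 2008 appends .V2 to the roaming profile folder name.
            $found = @($path, "$path.V2") | Where-Object { Test-Path $_ } | Select-Object -First 1
            if ($found) {
                # ACEs that name this account explicitly on the profile folder.
                $aces = ((Get-Acl -Path $found).Access |
                         Where-Object { $_.IdentityReference -like "*\$SamAccountName" } |
                         ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join '; '
            }
        }
        New-Object PSObject -Property @{
            User = $SamAccountName; InDomainAdmins = $isDA; Tab = $tab
            ConfiguredPath = $path; FolderFound = $found; UserAces = $aces
        } | Select-Object User, InDomainAdmins, Tab, ConfiguredPath, FolderFound, UserAces
    }
}

$users | ForEach-Object { Get-ProfileAudit $_ } | Format-Table -AutoSize
```

Comparing a working account's rows with a new account's rows shows a blank Profile tab or missing folder directly, and any row with `InDomainAdmins` set to True marks an account whose temporary membership still needs removing.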
Marc Barash (President, Author) commented:
For sticking with the problem, points should be awarded.
0
JHalliday (Chief Technical Officer) commented:
Fantastic. Glad you got it sorted and thanks for posting the solution :)
0