Marc Barash
asked on
Users cannot logon to Terminal Server 2008
I have two Windows Server 2008 machines. One is the Domain Controller running AD, DHCP, File Sharing and is the Terminal Server Licensing machine. The other Server 2008 is the Terminal Server.
When I try to login to the terminal server I get the following message:
The User Profile Service service failed the logon. User Profile cannot be loaded.
I have 10 other users and they are working just fine and we have 20 CAL's installed.
I do have the user profiles (roaming) set up on a shared folder on the terminal server machine on the "E" drive (not the primary C and not on the local active directory machine).
I have checked all the permissions as per Microsoft and others. I just cannot get any new users to be able to log in to the domain at all. 98% of my users are on thin clients with two users on fat clients. Two new users have been hired and we need for them to be able to use thin client setup.
Have you checked to see if there is any conflict with the drive letters? Also, try setting the users to use a local profile and see if that works. If it does, then it must be something to do with how your roaming profiles are set up; otherwise it will be a local server issue on your Terminal Server.
ASKER
The users I am trying to add are thin client users. They are not fat clients so they have to be roaming.
I don't understand the question, "conflict with the drive letters"? Could you please explain?
The local path in Terminal Profile we are using is, e.g., \\TS-SERVER\Users\<username>\Profile
If you set the user in the Active Directory Users and Computers console to have a local profile it will create a local profile on the TS server not the thin client device.
The conflict in drive letters could be caused by you setting the user profile to be E:\Profile (for example) but also mapping a network drive to E:
ASKER
I understand your question and will check the mapping as you have suggested. I will let you know shortly if this is a problem.
ASKER
Okay, still no go. User properties looks like this
Profile tab User profile
\\ts-server\users$\username\Profile
Home Folder area blank
Terminal Services Profile tab
\\ts-server\Profiles\username
Home Folder area blank
Remember AD is on the Domain controller called Server and the profiles are stored on the Terminal Server. I was told this might be the cause of the problem, but others are working fine.
Try removing the text from User Profile on both the User Profile tab and the Terminal Services Profile tab. That will force the server to generate a temporary profile. Let me know if it works.
ASKER
With no profile specified I get the message "user name or password is incorrect".
If I use the domain\user name I get the message: To log on to this remote computer, user must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group.......
This user is a member of the Remote Desktop Users group.
Hmmm, this is starting to sound like a permissions issue. As a temporary measure to ascertain whether the problem is permissions related or not, add one user to the local server admin group and try to log in (remember to remove them afterwards).
ASKER
Added user to admin group and same response: To log on to this remote computer, user must be granted the Allow log on through Terminal Services right, By .......
I am trying to log on to the Terminal Server via RDP from the DC to test the user's login and profile.
ASKER
I remember once having to adjust some registry keys for remote access... Are you familiar with those and where they are located?
I've never had to amend any registry keys, but there is a local security policy setting that you occasionally need to tweak. Go to Administrative Tools, then select Local Security Policy.
From there open Local Policies >> User Rights Assignment >> Allow log on locally and Allow log on through Terminal Services.
But if it was a problem with the local policy, all users would be affected. This looks more like a server issue though, as your user can't log on even when flagged as an admin.
ASKER
I went into local user rights and added this user, still no success. I added the user to local policies on both the DC and the TS.
ASKER
Any more thoughts?
I'm completely stumped on this one. Do you have anything showing in the Event Logs?
ASKER
Nope, nothing showing in event logs. The customer is going live on Friday, so as a last ditch attempt to get this right, I added the new 4 users to the Domain Admins group and that worked!
I don't understand why 9 other users work fine without having to be a part of domain admins, but these new users have to be. It seems that when I set them up in AD on the DC, their folders don't get created with the proper permissions.
Any thoughts as I really don't want to leave these users as part of the domain admins group.
Totally agree about not leaving them in DA.
What results do you get if you run the effective permissions on the Terminal Server Profile path?
If you don't know how to run it: right-click on the parent folder and go to the Security tab, then Advanced. There is a tab at the top called Effective Permissions; you can select one of your working users and problem users and compare the permission sets (see screenshot).
Effective-Permissions.jpg
ASKER
Have effective permissions set for user or admin and still no change.
ASKER
Got the problem solved with a 12-hour phone call with Microsoft support. The resolution was that while the users in AD had the Terminal Services Profile pathed to the Terminal Server, the Profile tab was blank. Thus a local profile was unable to create folders on the C drive of the Terminal Server due to permissions and access.
When we created a Users folder on the Terminal Server, then all users were able to now logon. There had been a Users folder and was redirected in the Profiles tab but someone had removed all the entries.
ASKER
For sticking with the problem, points should be awarded.
Fantastic. Glad you got it sorted and thanks for posting the solution :)
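The working-user versus problem-user comparison suggested in the thread, plus a check that the accounts placed in admin groups during testing have been taken out again, as an added PowerShell example that is not part of any post. It lists the ACEs on each profile folder rather than computing effective permissions; the account names, the domain name and the `$TempAdded` list are placeholders, and it is meant to be run on the Terminal Server.

```powershell
# Added example. All names are placeholders except the \\ts-server\Profiles
# share path, which is the one the asker quotes.
$ProfileRoot = '\\ts-server\Profiles'
$WorkingUser = 'working.user'    # placeholder: an account that logs on normally
$ProblemUser = 'new.user'        # placeholder: an account that gets the profile error
$Domain      = 'EXAMPLE'         # placeholder NetBIOS domain name
$TempAdded   = @('new.user')     # accounts put into admin groups while testing

function Get-NormalizedAce {
    param([string]$Root, [string]$User)
    $path = "$Root\$User"
    # A folder that was never created is itself a finding
    if (-not (Test-Path -Path $path)) { return @('<folder missing>') }
    $pattern = '\\' + [regex]::Escape($User) + '$'
    @((Get-Acl -Path $path).Access | ForEach-Object {
        # Swap the account's own name for a token so the two folders line up
        $id = $_.IdentityReference.Value -replace $pattern, '\<USER>'
        '{0} | {1} | {2} | inherited={3}' -f $id, $_.AccessControlType,
            $_.FileSystemRights, $_.IsInherited
    } | Sort-Object)
}

$good = @(Get-NormalizedAce -Root $ProfileRoot -User $WorkingUser)
$bad  = @(Get-NormalizedAce -Root $ProfileRoot -User $ProblemUser)
# '<=' : ACE only on the working folder, '=>' : ACE only on the problem folder
Compare-Object -ReferenceObject $good -DifferenceObject $bad |
    Format-Table SideIndicator, InputObject -AutoSize

function Get-GroupMemberName {
    param([string]$AdsPath)      # WinNT provider path to a group
    $group = [ADSI]$AdsPath
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$groups = @{
    'TS local Administrators' = "WinNT://$env:COMPUTERNAME/Administrators,group"
    'Domain Admins'           = "WinNT://$Domain/Domain Admins,group"
}
foreach ($label in $groups.Keys) {
    $members = @(Get-GroupMemberName -AdsPath $groups[$label])
    # Report any test account still holding admin membership
    $TempAdded | Where-Object { $members -contains $_ } |
        ForEach-Object { "Remove from ${label}: $_" }
}
```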