Marc Barash

Users cannot logon to Terminal Server 2008

I have two Windows Server 2008 machines. One is the Domain Controller running AD, DHCP, File Sharing and is the Terminal Server Licensing machine. The other Server 2008 is the Terminal Server.

When I try to log in to the terminal server I get the following message:

The User Profile Service service failed the logon. User Profile cannot be loaded.

I have 10 other users and they are working just fine and we have 20 CALs installed.

I do have the user profiles (roaming) set up on a shared folder on the terminal server machine on the "E" drive (not the primary C and not on the local active directory machine).

I have checked all the permissions as per Microsoft and others. I just cannot get any new users to be able to log in to the domain at all. 98% of my users are on thin clients with two users on fat clients. Two new users have been hired and we need for them to be able to use thin client setup.
Jon Halliday

Have you checked to see if there is any conflict with the drive letters? Also try setting the users to use a local profile and see if that works. If it does, then it must be something to do with how your roaming profiles are set up; otherwise it will be a local server issue on your Terminal Server.
Marc Barash (ASKER)

The users I am trying to add are thin client users. They are not fat clients so they have to be roaming.

I don't understand the question, "conflict with the drive letters"? Could you please explain?

The local path in Terminal Profile we are using is, e.g., \\TS-SERVER\Users\<username>\Profile
If you set the user in the Active Directory Users and Computers console to have a local profile, it will create a local profile on the TS server, not the thin client device.

The conflict in drive letters could be caused by you setting the user profile to be E:\Profile (for example) but also mapping a network drive to E:
I understand your question and will check the mapping as you have suggested. I will let you know shortly if this is a problem.
Okay, still no go. User properties look like this:

Profile tab User profile
\\ts-server\users$\username\Profile
Home Folder area blank

Terminal Services Profile tab
\\ts-server\Profiles\username
Home Folder area blank

Remember AD is on the Domain controller called Server and the profiles are stored on the Terminal Server. I was told this might be the cause of the problem, but others are working fine.
Try removing the text from User Profile on both the User Profile tab and the Terminal Services Profile tab; that will force the server to generate a temporary profile. Let me know if it works.
With no profile specified I get the message "user name or password is incorrect".

If I use the domain\user name I get the message: To log on to this remote computer, user must be granted the Allow log on through Terminal Services right, By default, members of the Remote Desktop Users group.......

This user is a member of the Remote Desktop Users group.
Hmmm, this is starting to sound like a permissions issue. As a temporary measure to ascertain whether the problem is permissions-related or not, add one user to the local server admin group and try to log in (remember to remove them afterwards).
Added user to admin group and same response: To log on to this remote computer, user must be granted the Allow log on through Terminal Services right, By .......

I am trying to log on to the Terminal Server via RDP from the DC to test the users login and profile.
I remember once having to adjust some registry keys for remote access... Are you familiar with those and where they are located?
I've never had to amend any registry keys, but there is a local security policy setting that you occasionally need to tweak. Go to Administrative Tools, then select Local Security Policy.

From there open Local Policies >> User Rights Assignment >> Allow log on locally and Allow log on through Terminal Services

But if it was a problem with the local policy it would be all users affected. This looks more like a server issue though, as your user can't log on even when flagged as an admin.
I went into local user rights and added this user, still no success. I added the user to local policies on both the DC and the TS.
Any more thoughts?
I'm completely stumped on this one. Do you have anything showing in the Event Logs?
Nope, nothing showing in event logs. The customer is going live on Friday, so as a last ditch attempt to get this right, I added the new 4 users to the Domain Admins group and that worked!

I don't understand why 9 other users work fine without having to be a part of domain admins, but these new users have to be. It seems that when I set them up in AD on the DC, their folders don't get created with the proper permissions.

Any thoughts as I really don't want to leave these users as part of the domain admins group.
Totally agree about not leaving them in DA.

What results do you get if you run the effective permissions on the Terminal Server Profile path?

If you don't know how to run it, right-click on the parent folder and go to the Security tab, then Advanced. There is a tab at the top called Effective Permissions; you can select one of your working users and problem users and compare the permission sets (see screenshot).
Effective-Permissions.jpg
Have effective permissions set for user or admin and still no change.
Got the problem solved with a 12-hour phone call with Microsoft support. The resolution was: while the users in AD had the Terminal Services Profile pathed to the Terminal Server, the Profile tab was blank. Thus a local profile was unable to create folders on the C drive of the Terminal Server due to permissions and access.

When we created a Users folder on the Terminal Server, all users were then able to log on. There had been a Users folder and it was redirected in the Profiles tab, but someone had removed all the entries.
For sticking with the problem, points should be awarded.
Fantastic.  Glad you got it sorted and thanks for posting the solution :)
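An added example, not part of the original thread: a PowerShell check that compares a working and a failing account the way the thread did by hand, reading the Profile tab and Terminal Services Profile tab values from AD, testing that each folder exists, and inspecting the local profile root whose absence turned out to be the cause. The account names are placeholders, and it assumes it is run on the Terminal Server by an administrator, so that granting Domain Admins is never needed as a diagnostic.

```powershell
# Added example, not from the thread. Run on the Terminal Server as an administrator.
$users = 'workinguser', 'newuser'   # placeholder sAMAccountNames: one working, one failing

function Test-ProfilePath {
    param([string]$Tab, [string]$Path, [string]$User)
    $row = @{ User = $User; Tab = $Tab; Path = $Path; Found = '(blank)'; Owner = ''; UserAce = '' }
    if ($Path) {
        # Server 2008 appends ".V2" to roaming profile folders, so check both names.
        $found = @($Path, "$Path.V2") |
            Where-Object { Test-Path $_ -ErrorAction SilentlyContinue } |
            Select-Object -First 1
        if ($found) {
            $acl = Get-Acl $found
            $row.Found = $found
            $row.Owner = $acl.Owner
            # Only ACEs naming the user directly; rights granted through groups are not listed.
            $row.UserAce = ($acl.Access |
                Where-Object { $_.IdentityReference -like "*\$User" } |
                ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join '; '
        } else { $row.Found = 'MISSING' }
    }
    New-Object PSObject -Property $row
}

$report = foreach ($name in $users) {
    # ADSI lookup, so the ActiveDirectory module is not required.
    $hit = ([adsisearcher]"(&(objectCategory=person)(sAMAccountName=$name))").FindOne()
    if (-not $hit) { Write-Warning "$name not found in the domain"; continue }
    $entry = $hit.GetDirectoryEntry()
    $profilePath = [string]$entry.psbase.Properties['profilePath'].Value
    try   { $tsPath = [string]$entry.psbase.InvokeGet('TerminalServicesProfilePath') }
    catch { $tsPath = '' }   # InvokeGet throws when the value was never set
    Test-ProfilePath 'Profile' $profilePath $name
    Test-ProfilePath 'Terminal Services Profile' $tsPath $name
}
$report | Format-List User, Tab, Path, Found, Owner, UserAce

# Local profile root on this server (normally %SystemDrive%\Users).
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$root = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $key).ProfilesDirectory)
if (Test-Path $root) { Get-Acl $root | Format-List Path, Owner, AccessToString }
else { Write-Warning "Local profile root $root does not exist" }
```

Differences between the two accounts in the Path, Found or UserAce columns, or a warning about the local profile root, point at the profile configuration rather than at group membership.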