Is ANYONE using Win 2003 Terminal Server??

[KAdamsInCo]

Are you using Terminal Server in Windows 2003 Standard
Edition?

If so, what groups do they belong to? Can they connect
if they belong to just "Remote Desktop Users", or are
they also a member of "Power Users" or "Administrators"
in order to connect?

If you are running Windows 2000 Terminal Server, can your
users connect by just belonging to "Remote Desktop Users"?

I am being told that it is "normal" that in Windows 2003
users MUST belong to at least "Power Users" before they
can log on through Terminal Server and get a desktop.
This means that EVERY user on the system has to have
administrative rights before they can launch Explorer to
get a full desktop on their screen. Can anyone validate
this??

Thanks,

Keaton

 

[Guest]

Hi Keaton,
User do not have to belong to power users to login to a
2003 Terminal Server. Just place them in the Remote
Desktop Users group and make sure that you allow them
login to TS under their user properties. Should work fine.

 

[KAdamsInCo]

Do you have users connecting to a Win 2003 Standard
Edition server through Terminal Server as "Remote Desktop
Users"? Do they get a desktop after login?

I have these steps completed, but when a "Remote Desktop
User" who has TS login permissions logs in, their login
is processed, but no desktop is displayed.

-K

 

[Matthew Harris [MVP]]

Sounds like a permission problem. If you make a test user
an admin, does it then work? I'm willing to bet you
probably have incorrect permissions on the Windows
directory or the temp directory.

-M

 

[KAdamsinCo]

When I add a standard user to "Power Users", they get a
desktop.

Both "Remote Desktop Users" and "Users" have read/write
permissions to the Windows directory and the temp
directory. I have opened up permissions on the registry,
on system files such as explorer.exe, and on system
directories. Nothing seems to make a difference.

I agree it sounds like a permissions problem, but I've
run out of ideas in terms of what to grant permissions to.

-K

 

[Vera Noest [MVP]]

As with all permission problems, I would download FileMon and
RegMon from http://www.sysinternals.com/. Run them as
administrator and start a TS session as a normal user.

FileMon and RegMon will show you all "access denied" errors
that occur, so that you can give your users the necessary
permissions on a file-to file or Registry subkey basis.

 

[Matthew Harris [MVP]]

Just as word of caution (and from my experience a few
times) running a regmon or filemon during a login activity
is known to crash or freeze your OS. I've done it
repeatedly on a Windows 2000 and Windows NT TSE machine.
While your experiences may vary, you might want to wait to
do this on your server during some downtime when no one
else is on the server.

-M

 

[KAdamsInCO]

Hi Vera,

Thanks for the help. This solved my problem.

It was a problem with access to certain Windows Registry
entries by normal "users" and "remote desktop users".

This is how I diagnosed and resolved this issue:

1. I went to http://www.sysinternals.com and downloaded
the RegMon program.
2. With RegMon running on the Terminal Server capturing
events, I opened up another session and logged in under a
normal "users"/"remote desktop users" account.
3. The desktop did not display, so I went back and
reviewed the RegMon log.
4. It did take time to scroll through a fairly large list
of output, but I did discover some ACCDENIED results for
the explorer.exe process during OpenKey requests for the
test user I was attempting to log in by.
5. I ran regedit and identified the folders and keys that
it had problems accessing. Some were under HKCR
(HKEY_CLASSES_ROOT) and HKLM (HKEY_LOCAL_MACHINE). I
modified the permissions to allow "users" and "remote
desktop users" the same level of access as "power users"
on the specific folders/keys that explorer.exe couldn't
access.

With the registry entries modified I tried to log in
through my test account again, and this time a full
desktop displayed. I was able to launch applications
such as Word and Excel, and in my Terminal Server session
only the printers mapped in my session were visible to me
(the original desired effect).

Exactly why the key values/folders necessary to display a
desktop for a normal user did not have the correct
permissions remains a mystery. I know for a fact that I
did not manually modify the registry to limit access to
these values. If it is something that I did through
software security, it was completely accidental. Since I
have had this problem from the very beginning, I am
inclined to believe the server was installed with this
registry permissions problem already in existence.

Thanks,

Keaton

 

[Vera Noest [MVP]]

Oops! Never had that happen, fortunately, but thanks for the
warning, Matthew!