blank screen after users log into Terminal Server

[Bill Unger]

I have been stuck on this for way too long. I have searched
Microsoft, Google, and in between the sofa cushions and cannot find a
definitive answer to this one. Here is the situation:

OVERVIEW
- Windows 2003 Standard Edition Server running Terminal Services
- Licensing Server successfully installed and activated, running in Per
User mode
- Successfully able to connect to TS as user Administrator all day long
- When connecting as a "normal" user, user just gets a blank desktop after
logging in ( ie., no icons, start menu, task bar, etc )
- If I add the user to the Administrator's group, works like a charm

WHAT I HAVE TRIED
note: it appears to be security/rights issue somewhere, but I can't
determine where
- have ensure Everyone has Read rights on C: and all the *important*
subdirs ( docs and settings, windows, system32, etc )
- tried most of the MS kb articles that I could find ( renaming files,
etc )
- have dumped profiles, etc
- have checked Group Policies
- have run FileMonitor and RegMonitor w/o finding anything that jumped out
at me ( though it did give an Access Denied error on system32\cmd.exe -
though I double-checked permissions and all were set okay )

I am completely lost on this one. Obviously giving them Admin rights is a
workaround, but I really don't want to do that. Any suggestions would be
very much appreciated!

thx,
Bill

 

[KadamsInCo]

Thank you!!!

I thought I was nuts, because I ALSO have tried
everything under the sun, in the sofa and under the bed,
but cannot get around this EXACT same Windows 2003
Teminal Server problem.

I currently have an open case with my hosting provider
and they are in touch with Microsoft on this issue. If I
get a resolution to this, I will post the fix.

Likewise, if you figure it out, sending a reply would be
GREATLY appreciated.

Thanks!

Keaton

 

[KAdamsInCo]

Bill,

Try RegMonitor again. This is the same problem that I
had which was fixed by modifying permissions on certain
registry entries. It took awhile to identify the access
denied errors in the RegMon output, but they were there.
Once I modified the specific registry permissions, a
normal user was able to get a desktop on my Win2k3 server.

It was a problem with access to certain Windows Registry
entries by normal "users" and "remote desktop users".

This is how I diagnosed and resolved this issue:

1. I went to http://www.sysinternals.com and downloaded
the RegMon program.
2. With RegMon running on the Terminal Server capturing
events, I opened up another session and logged in under a
normal "users"/"remote desktop users" account.
3. The desktop did not display, so I went back and
reviewed the RegMon log.
4. It did take time to scroll through a fairly large list
of output, but I did discover some ACCDENIED results for
the explorer.exe process during OpenKey requests for the
test user I was attempting to log in by.
5. I ran regedit and identified the folders and keys that
it had problems accessing. Some were under HKCR
(HKEY_CLASSES_ROOT) and HKLM (HKEY_LOCAL_MACHINE). I
modified the permissions to allow "users" and "remote
desktop users" the same level of access as "power users"
on the specific folders/keys that explorer.exe couldn't
access.

With the registry entries modified I tried to log in
through my test account again, and this time a full
desktop displayed. I was able to launch applications
such as Word and Excel, and in my Terminal Server session
only the printers mapped in my session were visible to me
(the original desired effect).

Exactly why the key values/folders necessary to display a
desktop for a normal user did not have the correct
permissions remains a mystery. I know for a fact that I
did not manually modify the registry to limit access to
these values. If it is something that I did through
software security, it was completely accidental. Since I
have had this problem from the very beginning, I am
inclined to believe the server was installed with this
registry permissions problem already in existence.

Thanks,

Keaton