Windows2003 TS users+administrator cannot login using RemoteDesktop


M. Kaya

Hello,
I have installed a new W2K3 Server ADC with Exchange Server and Terminal Server.
Remote Desktop for Administration (in Control Panel - System) is enabled and
I also have changed the Local Security policy to
allow newly created users+administrators to log on locally.

Console login works for all users without problem, but Remote Desktop login
works for nobody. I always get the error message: The Local Policy of This
System Does Not Permit You to Logon Interactively. Even for Administrator I
get the same error.

Any help would be appreciated.
Max
 
You should check:
1) RDP permissions (using TS Configuration), by default Remote Desktop Users and Administrators are able to connect
2) Allow logon locally privilege
3) Allow logon through terminal services privilege (new to W2k3).

Effective settings for the last 2 privileges can be checked using Resultant set of policy processing on the server, and first one can be verified and/or modified using TS configuration administrative tool. Any user logging to the terminal server should have access on RDP object and should have both privileges.

--
Dmitry Korolyov
MVP: Windows Server - Active Directory
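
Added example, not part of the thread or any poster's code: one way to run checks 2 and 3 from the reply above against an INF-format user-rights export (the `[Privilege Rights]` layout that `secedit /export /areas USER_RIGHTS` writes). It goes beyond the reply by also reporting the matching Deny right, which overrides a grant. The function names, the sample export and the SIDs passed in are constructed for illustration.

```python
# Added example: audit logon rights in an INF-format user-rights export.
# Each allow right is paired with the Deny right that overrides it.
ALLOW_DENY = {
    "SeInteractiveLogonRight": "SeDenyInteractiveLogonRight",
    "SeRemoteInteractiveLogonRight": "SeDenyRemoteInteractiveLogonRight",
}

# Constructed sample export (not taken from the poster's server).
# 544 = Administrators, 546 = Guests, 555 = Remote Desktop Users.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right: set of holders} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; unresolved names have none.
            rights[name.strip()] = {h.strip().lstrip("*").upper()
                                    for h in value.split(",") if h.strip()}
    return rights

def logon_right_status(inf_text, token_sids):
    """Per allow right: 'denied', 'granted' or 'missing' for this set of SIDs."""
    rights = parse_privilege_rights(inf_text)
    token = {s.upper() for s in token_sids}
    status = {}
    for allow, deny in ALLOW_DENY.items():
        if rights.get(deny, set()) & token:
            status[allow] = "denied"      # Deny wins over any grant
        elif rights.get(allow, set()) & token:
            status[allow] = "granted"
        else:
            status[allow] = "missing"
    return status
```

Pass the SIDs of the user and of every group the user belongs to; a "missing" or "denied" result names the right to look at in Resultant Set of Policy.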


 
In Windows 2003, you do *not* have to give all normal users the
right to logon locally to the console anymore, as in W2K!
This was a potential security risk and therefore, the permissions
have been separated in "Logon locally" (which should only be
granted to Administrators) and "Allow Logon through Terminal
Services", which is by default granted to the built-in group
"Remote Desktop Users".
So you should put your users in the Remote Desktop Users group,
and that should be enough.

Since even Administrators can't connect through RDP, I get the
feeling that the problem lies in the Local Security policy being
overridden. This TS is not a Domain Controller, is it? If so,
you'll have to set the user rights in the Domain Controller
Security policy.
 
Hi Vera, Dmitry, MS Team,
This TS is a Domain Controller and I've set the user rights in the Domain
Controller Security policy only.
I've granted LogonLocally and AllowLogon through TerminalServices for
RemoteDesktopUsers and Administrators.
1) RDP permissions (using TS Configuration), by default Remote Desktop
Users and Administrators are able to connect
There are still default settings. I've checked again that Administrators
and RemoteDesktopUsers have full access rights.
2) Allow logon locally privilege
Done for RemoteDesktopUsers and Administrators.
3) Allow logon through terminal services privilege (new to W2k3).
Done for RemoteDesktopUsers and Administrators.

I still get the same error message "The Local Policy of This System Does Not
Permit You to Logon Interactively"

Exactly the same settings work on a W2K server without problem.

Regards
Max
 
I don't mean to butt in here... When you get the message,
are you trying to log on to the 2k3 DC or log on to the
DOMAIN? It will make a difference. Depending on what
you've set up, you may be able to log on to the 2k3 DC but
NOT onto the DOMAIN through Remote Desktop. If you can
log on to the DC but not to the DOMAIN, then the user /
group will need to be added to the Remote Desktop Users
Group on the 2k3 DC running Terminal Services...

E.g. I have a 2k DC and a 2k3 Member Server running Remote
Desktop. I had the same problem. I then realized that I
had to add the Domain Users Group on the 2k DC to the
Remote Desktop Group on the 2k3 TS... problem solved... I
tightened things up after that... Hope this helps... it
sounds very similar to what I experienced but not exactly.
 
