Re: Termserv loses security settings each night



Windows server 2003 standard edition service pack 1
It is a member server in a single-domain forest.
Domain Security Policy might be the key - see below.

The error is
"To logon to this remote computer, you must be granted the allow to log
on through terminal services right. By default, members of the Remote
Dektop Users group have this right. If you are not a member of the
Remote Desktop Users group or another group that has this right, or if
the remote dekstop users group does not have this right, you must be
granted the right manually."

Now that I enabled more auditing, I also receive this event log error:
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: tsuser1
Domain: domainname
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: TS1
Caller User Name: TS1$
Caller Domain: domainname
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2432
Transited Services: -
Source Network Address: 67.71.89.117
Source Port: 1348
---
This morning, same problem. I got it working today by adding a GPO
that defines local policy for Allow to Logon to Terminal Services and
includes my TSUsers global group. It's working again - just like
yesterday and the day before. In fact, I can prove the GPO controls it
by adding/removing the policy and seeing it work/fail.

But I don't feel confident about this fix, because it is essentially
what I used before - I had already added both tsusers and remote
desktop users into a domain-wide GPO earlier. That worked but only
temporarily. There's no inheritance blocking and/or No Overrides in
effect that would explain why this is working.

I think the problem might lie somewhere in the GPOs but it doesn't
explain why it would break in the middle of the night, or why it would
break at all once it was functioning.

I initially set up security by putting the users into a TSUsers global
group, and placing the TSusers global group into the Remote Desktop
Users group on the termserver. When this failed (after working for a
month), I went into Terminal Services Configuration, Connections,
RDP-Tcp - properties. I added permissions to allow the global group
access (user access and guest access). When that failed the next day,
I used a different global group that the users are a member of. I
don't remember the exact sequence, but I also have a domain level GPO
that defines local policy for terminal services access, and now today I
have a GPO for my termserv container.
I have been making changes in those places each day to get the users
back online.

The time frame for the initial failure was when it installed security
patch KB912919.
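
Added example, not part of the original post: one way to see exactly what changes overnight is to export the server's user rights while logons work and again after they fail (for instance with `secedit /export /cfg <file> /areas USER_RIGHTS`), then diff the "Allow log on through Terminal Services" entry (`SeRemoteInteractiveLogonRight`). The two snapshots below are constructed inline, and the TSUsers SID is a placeholder, not a value from the post.

```python
# Added example: compare two "secedit /export" snapshots of one user right.
# Real export files are typically UTF-16; here the text is embedded inline.
RIGHT = "SeRemoteInteractiveLogonRight"  # Allow log on through Terminal Services

def parse_privilege_rights(inf_text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and INF comments
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights

def diff_right(before_text, after_text, right=RIGHT):
    """Return (removed, added) principals for one right between two exports."""
    before = parse_privilege_rights(before_text).get(right, set())
    after = parse_privilege_rights(after_text).get(right, set())
    return sorted(before - after), sorted(after - before)

# Constructed samples. S-1-5-32-544 is BUILTIN\Administrators and
# S-1-5-32-555 is BUILTIN\Remote Desktop Users; TSUSERS is a placeholder SID.
TSUSERS = "*S-1-5-21-1111111111-2222222222-3333333333-1105"
WORKING = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
{RIGHT} = *S-1-5-32-544,*S-1-5-32-555,{TSUSERS}
[Version]
signature="$CHICAGO$"
"""
# "Broken" snapshot: the right has been reset to Administrators only.
BROKEN = WORKING.replace(f",*S-1-5-32-555,{TSUSERS}", "")

if __name__ == "__main__":
    removed, added = diff_right(WORKING, BROKEN)
    print("removed from", RIGHT, ":", removed)
    print("added to", RIGHT, ":", added)
```

If the morning snapshot shows the group SIDs gone from this line, the right is being rewritten on the server itself rather than the group memberships changing.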
