Re: Can't log on locally to XP after RDP session



Thanks very much! Appreciate the education in best practices. This method
does work much better, as I can identify my TS Users in the group at a
glance. I have been struggling with this issue for months.

"TP" wrote:

Hi,

To control the ability to logon to your Terminal Servers via Remote
Desktop, use membership of each server's local Remote Desktop Users
group, except for DCs where you would use a combination of the Domain
Local RDU group and RDP-Tcp listener object permissions (this
would allow TS logon to some DCs and not other DCs).

To control the ability to logon to your XP Professional machines via
Remote Desktop, use membership of each machine's local Remote
Desktop Users group.

The "Deny this user permissions to log on to any Terminal Server"
check box in the user account properties is *not* used in most cases.
If you have checked this box in an attempt to control who can access
your TS servers then you need to go back and *uncheck* it for all
accounts.

If you only need to grant access to all/none of your TS member servers,
then the typical solution would be to create a global group called something
like "TS Users" and make it a member of all of the local server Remote
Desktop Users groups. That way you can easily grant/deny access
to your TS servers using Active Directory Users and Computers simply by
group membership.

For your XP machines you can do the same thing--create an "XP Remote
Desktop Users" global group and make it a member of all of the local
XP Remote Desktop Users groups.

-TP

Glen Martin wrote:
Sorry about the new thread - see background info below.

I still don't see a fix for this issue. Another bit of information -
I am able to log on at the console as a domain admin when the problem
appears. If I then log off, the non-admin user is able to log on
without encountering the error.

The problem we have is that we do not want to enable Terminal
Services logon in AD, as we are using it to restrict non-TS users
from logging on to our TS. So that workaround does not work for us.

Another question: Is there any way to apply the TS restrictions in
AD to just the Terminal Server, as opposed to having it affect
everyone who uses RDP to come into an XP host? We use TS and XP RDP
hosts for different purposes, and we would like to restrict who logs
onto the TS. Right now, when we disable a user's TS logon privilege
in AD, it also prevents them from logging onto an XP RDP host.

Glen

Hello,

It seems you are replying to another post in this newsgroup. If you have any
questions, please feel free to submit your question.

Thanks & Regards,

Ken Zhao

Microsoft Online Support
Microsoft Global Technical Support Center


I have seen the same "BUG". Here's the scenario:

User A is logged into her XP Pro SP2 Dell Desktop. She requests
software to be installed and I use RDC to logon to her computer
remotely using the administrator account to complete the request. I
log off and then she tries to logon locally JUST AS SHE WAS PRIOR TO
MY REMOTE LOGIN, and she gets the "Your logon privilege has been
disabled" error message. This error message is for TERMINAL SERVICES
LOGONS but NOT FOR LOCAL LOGONS. So...why are we getting this message?

The work-around above "allow logon to terminal server" in the AD Users
and Computers app masks the bug. It appears that once a remote login
takes place using RDC that the subsequent LOCAL logins use the REMOTE
DESKTOP CONNECTION login. You can reboot the computer and it will
then allow a local login without changing the "allow logon to terminal
server" setting in AD Users and Computers. Has anyone found a "fix"
for this?

David


Check the properties of the AD acct that cannot logon locally to the
machine. On the Terminal Services Profile tab, enable the "Allow logon
to terminal server" option. It appears that the computer gets "stuck"
in terminal services mode after a Remote Desktop user logs off. When a
domain user w/o the rights to logon via terminal services subsequently
tries to logon locally, they are denied access.


Two XP Pro machines with all updates. User locally logged onto
machine A using his AD logon. He logs off. From machine B I use
Remote Desktops to log on to machine A as the domain administrator.
I log off, which causes a disconnect. The user tries to locally log
onto machine A and gets "Your interactive logon privilege has been
disabled. Please contact your system administrator.". Local user
does a restart and can log on OK. This is repeatable and happens
with multiple instances of Machine A. If, instead of doing a log
off, I do a restart when I am finished with the remote access, the
user can log on locally. But either way, once I have logged on
through Remote Desktops, the machine must be rebooted (restarted) to
allow a local user to log on.

Is this a bug or design? If a bug, what to do to fix it? If
design.......?
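
The group layout TP describes earlier in the thread (one global group nested in each machine's local Remote Desktop Users group) can be audited with a script. The PowerShell below is an added example, not part of the original thread; the domain name CONTOSO and the host names are assumed placeholders.

```powershell
# Added example: audit each machine's local "Remote Desktop Users" group.
# Assumed placeholders (not from the thread): domain CONTOSO, hosts TS01, TS02, XP-DESK01.
$Domain   = 'CONTOSO'
$Expected = @{
    'TS01'      = 'TS Users'
    'TS02'      = 'TS Users'
    'XP-DESK01' = 'XP Remote Desktop Users'
}

function Get-RduMember {
    param([string]$Computer)
    # The WinNT ADSI provider exposes local groups on member servers and workstations.
    $group = [ADSI]"WinNT://$Computer/Remote Desktop Users,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t = $m.GetType()
        New-Object PSObject -Property @{
            ADsPath = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            Class   = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        }
    }
}

foreach ($computer in $Expected.Keys) {
    $wanted = "WinNT://$Domain/$($Expected[$computer])"
    try {
        $members = @(Get-RduMember -Computer $computer)
    } catch {
        Write-Warning "${computer}: could not read group ($($_.Exception.Message))"
        continue
    }
    # The global group should be the only member of this local group; any other
    # entry grants Remote Desktop logon outside the AD group-membership model.
    if (-not ($members | Where-Object { $_.ADsPath -eq $wanted })) {
        Write-Output "${computer}: MISSING $wanted"
    }
    $members | Where-Object { $_.ADsPath -ne $wanted } | ForEach-Object {
        Write-Output "${computer}: EXTRA $($_.Class) $($_.ADsPath)"
    }
}
```

A machine reported as MISSING can be corrected locally with `net localgroup "Remote Desktop Users" "CONTOSO\TS Users" /add`, again using the placeholder domain.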
