Re: RDP/TS GPO Settings - Users unable to logon



Hi,

Most likely the helpdesk guys are logging on to a domain controller.
Logging in to a domain controller is restricted to Admins and Backup
Operators.
Others will be denied because they are not allowed to logon locally
(interactive logon).

Hope this helps.

Raj

On Nov 13, 9:37 pm, JD Smith <strik...@xxxxxxxxx> wrote:
No, they aren't part of the deny logon. Looks like it has to do with
the "Allow Logon Locally". When I add that group to that, it works.
Not sure if we want to change that though for fear of screwing up a
service or something like that.

Thanks for the help.

JD

On Nov 8, 12:14 pm, "Jorge Silva" <jorgesilva...@xxxxxxxxxxx> wrote:



Hi

Check if that user is a member of the group that is denied logon in TS,
also check if that user is a member of any group that is a member of the group
that isn't allowed to log on to TS.

--

===================================
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
===================================

"JD Smith" <strik...@xxxxxxxxx> wrote in message

news:1194533126.126968.212750@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Here is the setup.

Members Server OU has a GPO Policy applied (Contains nothing with RDP/
TS, just Windows Updates pointing to our WSUS).

Under the Members Server OU I have the following OUs: Location1 &
Location2

On Location1 I have a new GPO Policy that is defining the following:

Computer Configuration --> Windows Settings --> Security Settings -->
Local Policies --> User Rights Assignment

Allow logon through Terminal Services -> DOMAIN\IT_HELPDESK;DOMAIN\Domain Admins
Deny logon through Terminal Services -> DOMAIN\USER_ACCT1

When I have one of the helpdesk guys try to RDP any of the servers in
the Location1 OU, they get the message that they do not have access.
If I RDP to the server (Domain Admin group) and run gpedit.msc on the
local machine, I can see the settings are applied so policy is
working.

I created a Test OU and applied the same policy to it and it works
with no problem. What else might be keeping the helpdesk guys from
having access?

Thanks,
JD
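
The check this thread converges on, as an added example that is not part of any poster's message: parse a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export from the affected server and report which of the three rights discussed above an account's token actually holds. The export text and the domain SIDs below are constructed for illustration, and the helper names are hypothetical.

```python
import configparser

# Constructed sample in the format written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# (real exports are usually UTF-16). The domain SIDs are made up:
# ...-1105 stands for IT_HELPDESK, ...-1110 for USER_ACCT1, ...-512 for Domain Admins.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105,*S-1-5-21-1111-2222-3333-512
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1110
[Version]
signature="$CHICAGO$"
Revision=1
"""

ALLOW_TS = "SeRemoteInteractiveLogonRight"      # Allow logon through Terminal Services
DENY_TS = "SeDenyRemoteInteractiveLogonRight"   # Deny logon through Terminal Services
ALLOW_LOCAL = "SeInteractiveLogonRight"         # Allow Logon Locally

def parse_rights(inf_text):
    """Return {right name: set of SIDs/account names} from [Privilege Rights]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            rights[name] = {e.strip().lstrip("*").upper()
                            for e in value.split(",") if e.strip()}
    return rights

def logon_findings(rights, token_sids):
    """token_sids: the user's SID plus every group SID in the token, nested groups included."""
    token = {s.upper() for s in token_sids}
    holds = lambda right: bool(rights.get(right, set()) & token)
    findings = []
    if holds(DENY_TS):
        findings.append("denied: Deny logon through Terminal Services")
    if not holds(ALLOW_TS):
        findings.append("missing: Allow logon through Terminal Services")
    if not holds(ALLOW_LOCAL):
        findings.append("missing: Allow Logon Locally")
    return findings

if __name__ == "__main__":
    helpdesk = ["S-1-5-21-1111-2222-3333-2001", "S-1-5-21-1111-2222-3333-1105"]
    print(logon_findings(parse_rights(SAMPLE_INF), helpdesk))
```

Running the same check against an export from a server in the working Test OU shows which right differs between the two machines before anything is changed in the GPO.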