Re: RDP/TS GPO Settings - Users unable to logon



If you have created these users (Helpdesk) people with domain admin privilege
or delegation, I presume they shouldn't have any problem with logging on to
the TS.

But in Server 2003 you have to change the GPO as "Logon interactively" for
the users/groups to log on to TS.

"Nirvana" wrote:

Hi,

Most likely the helpdesk guys are logging on to a domain controller.
Logging in to a domain controller is restricted to Admins and Backup
Operators.
Others will be denied because they are not allowed to log on locally
(interactive logon).

Hope this helps.

Raj

On Nov 13, 9:37 pm, JD Smith <strik...@xxxxxxxxx> wrote:
No, they aren't part of the deny logon. Looks like it has to do with
the "Allow Logon Locally". When I add that group to that, it works.
Not sure if we want to change that though for fear of screwing up a
service or something like that.

Thanks for the help.

JD

On Nov 8, 12:14 pm, "Jorge Silva" <jorgesilva...@xxxxxxxxxxx> wrote:



Hi

Check if that user is a member of the group that is denied logon to TS;
also check if that user is a member of any group that is a member of the group
that isn't allowed to log on to TS.

--

===================================
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
===================================

"JD Smith" <strik...@xxxxxxxxx> wrote in message

news:1194533126.126968.212750@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Here is the setup.

Members Server OU has a GPO Policy applied (Contains nothing with RDP/TS,
just Windows Updates pointing to our WSUS).

Under the Members Server OU I have the following OUs: Location1 &
Location2

On Location1 I have a new GPO Policy that is defining the following:

Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment

Allow logon through Terminal Services -> DOMAIN\IT_HELPDESK;DOMAIN\Domain Admins
Deny logon through Terminal Services -> DOMAIN\USER_ACCT1

When I have one of the helpdesk guys try to RDP any of the servers in
the Location1 OU, they get the message that they do not have access.
If I RDP to the server (Domain Admin group) and run gpedit.msc on the
local machine, I can see the settings are applied so policy is
working.

I created a Test OU and applied the same policy to it and it works
with no problem. What else might be keeping the helpdesk guys from
having access?

Thanks,
JD
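
An added example, not posted by anyone in the thread: a PowerShell check that lines up the three user rights discussed above ("Allow logon through Terminal Services", its Deny counterpart, and "Allow log on locally") from a `secedit` user-rights export. The sample export is constructed from the names in JD's post, and the function names are hypothetical; only direct entries are compared, so the nested group membership Jorge mentions is not expanded.

```powershell
# Constructed sample in the format written by:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# (a real export normally lists accounts as *SID entries; names are used here
#  so the output matches the thread; read a real file with Get-Content)
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = DOMAIN\IT_HELPDESK,DOMAIN\Domain Admins
SeDenyRemoteInteractiveLogonRight = DOMAIN\USER_ACCT1
'@

# Parse the [Privilege Rights] section into a hashtable: right name -> principals
function Get-PrivilegeRights {
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $text -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $rights[$name] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    $rights
}

# For every principal allowed through Terminal Services, report whether it is
# also explicitly denied (deny wins) and whether it is listed for local logon.
function Test-TsLogonRights {
    param([hashtable]$Rights)
    $allowTs = @($Rights['SeRemoteInteractiveLogonRight'] | Where-Object { $_ })
    $denyTs  = @($Rights['SeDenyRemoteInteractiveLogonRight'] | Where-Object { $_ })
    $local   = @($Rights['SeInteractiveLogonRight'] | Where-Object { $_ })
    foreach ($p in $allowTs) {
        [pscustomobject]@{
            Principal        = $p
            DeniedTS         = $denyTs -contains $p
            LocalLogonListed = $local -contains $p
        }
    }
}

$rights = Get-PrivilegeRights -Lines ($sample -split '\r?\n')
Test-TsLogonRights -Rights $rights | Format-Table -AutoSize
```

On the sample, DOMAIN\IT_HELPDESK shows `LocalLogonListed = False`, the condition JD reports. DOMAIN\Domain Admins shows the same only because the Administrators entry (S-1-5-32-544) is not expanded to its members.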