Re: Terminal Server and Local Policy

From: Bruce Sanderson (Bruce.Sanderson_at_junk.junk)
Date: 10/01/04

Date: Fri, 1 Oct 2004 13:31:04 -0700

It is not a question of "user profiles" (you can have those on Windows 98
also, although it is not the default configuration), but rather a question
of "user accounts" - Domain Name and Username.

1. A Terminal Server can not "override" client (local desktop/workstation)
settings. Group Policies sent from a Domain Controller can do this, but
there is no way for a member server (i.e. Terminal Server) to do it.

2. Is the problem that people can not logon to the Windows XP and 2000
workstations, or after they are logged on to the workstation and launch the
icon to connect to the Terminal Server, they can not logon to the Terminal
Server? (i.e. what do you mean by "come in and try").

3. Are the workstations members of the same domain as the Terminal Server?

4. If the problem is that the people can not logon to the workstation ("when
they come in"); to be able to logon, the domain user account must be a
member of a local group on the workstation that has the "Logon locally"

  Second, when the person goes to logon at the workstation, are they using a
Domain user account or a Local User account? On the "Log on to Windows"
panel, click "Options" and make sure that the Domain Name is correctly
selected in the "Log on to:" box. Local user accounts almost certainly
won't be able to logon remotely to a Terminal Server, although it may be
possible to set things up so they can, it is not usually done and will
create administrative problems.

5. If the problem is that the users can logon to the client workstation
using a Domain User account, but can not logon to the Terminal Server:
  a. to be able to logon via Terminal Services, the user account must have
the "logon via Terminal Services" right. The message you describe means to
me that the user's account does not have this right.
  b. With Windows 2003, the default is that members of the server's local
"Remote Desktop Users" group have the right to logon via Terminal Services.
Being a member of the server's local "Users" group is not sufficient.
  c. what client are you using for connecting to the Terminal Server?
     i. if you are using the Remote Desktop Client, make sure that the
Domain name is correctly selected in the "Log on to:" box on the "Log On to
Windows" panel when the user connects to the server and that the username
shown in the "User name:" box is a member of the "Remote Desktop Users"
    ii. if you are using a Citrix client, (e.g. to launch a "published
application"), this is often configured to "pass through" the client
workstation's current user's credentials to the server automatically. If
this is what is being done, make sure that the domain\username combination
used to logon to the client workstation (see 4) is a member of the server's
"Remote Desktop Users" group.

6. Although the default is that the members of the server's "Remote Desktop
Users" group can logon via Terminal Services, this too can be changed. On
the server, open the Terminal Services Configuration mmc, click the
"Connections" item in the left pane, right click on the connection type in
the right pane (e.g. RDP-Tcp) and select Properties. Select the Permissions
tab. By default, Remote Desktop Users will appear in the list and will have
"User Access" and "Guest Access" allowed.

Bruce Sanderson MVP
It's perfectly useless to know the right answer to the wrong question.
"Donny" <> wrote in message 
> Here is my situation, hopefully someone can help out.  I
> have a 2003 Terminal Server and about 50 users that
> connect.  The desktops are Windows 98, 2000 and XP.
> Everyone comes in and logs on to the domain and has an
> Icon for the Terminal Server connection where they can
> access specific applications.  The problem that I am
> having is only on the XP and 2000 machines.  I am assuming
> due to the fact that they use user profiles.  When they
> come in and try to log on to the domain it is giving an
> error saying that they are not allowed to log on locally.
> Somehow the Server is overriding their local desktops
> permissions or profile and not allowing them to log onto
> the machine.  How can I correct this?
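
Added example (not part of the original thread): one way to audit the two rights discussed in items 4 and 5 of the reply is to export them with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and check which groups hold "log on locally" and "log on through Terminal Services". The export text below is a constructed sample, the group `EXAMPLE\Contractors` is hypothetical, and the helper names are this example's own.

```python
# Added example: sample data is constructed. Real secedit exports are
# usually UTF-16 encoded; decode the file before passing its text in.
WELL_KNOWN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-555": "Remote Desktop Users",
}

# (allow, deny) user-right constants as they appear in a secedit export.
LOCAL = ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight")
REMOTE = ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight")

# Constructed sample export; EXAMPLE\Contractors is a hypothetical group.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = EXAMPLE\\Contractors
[Version]
signature="$CHICAGO$"
"""

def parse_rights(inf_text):
    """Return {right: set of holder names} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            holders = set()
            for item in value.split(","):
                item = item.strip().lstrip("*")  # SIDs are prefixed with '*'
                if item:
                    holders.add(WELL_KNOWN.get(item, item))
            rights[name.strip()] = holders
    return rights

def may_log_on(groups, rights, kind):
    """True if any of the account's groups is allowed and none is denied."""
    allow, deny = kind
    groups = set(groups)
    if groups & rights.get(deny, set()):
        return False  # deny rights take precedence over allow rights
    return bool(groups & rights.get(allow, set()))
```

With the sample data, an account that is only in "Users" passes the `LOCAL` check but fails the `REMOTE` one, which matches item 5b of the reply.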