Re: Terminal Server and Local Policy

From: Bruce Sanderson (Bruce.Sanderson_at_junk.junk)
Date: 10/01/04


Date: Fri, 1 Oct 2004 13:31:04 -0700

It is not a question of "user profiles" (you can have those on Windows 98
also, although it is not the default configuration), but rather a question
of "user accounts" - Domain Name and Username.

1. A Terminal Server can not "override" client (local desktop/workstation)
settings. Group Policies sent from a Domain Controller can do this, but
there is no way for a member server (i.e. Terminal Server) to do it.

2. Is the problem that people can not logon to the Windows XP and 2000
workstations, or after they are logged on to the workstation and launch the
icon to connect to the Terminal Server, they can not logon to the Terminal
Server? (i.e. what do you mean by "come in and try").

3. Are the workstations members of the same domain as the Terminal Server?

4. If the problem is that the people can not logon to the workstation ("when
they come in"); to be able to logon, the domain user account must be a
member of a local group on the workstation that has the "Logon locally"
right.

  Second, when the person goes to logon at the workstation, are they using a
Domain user account or a Local User account? On the "Log on to Windows"
panel, click "Options" and make sure that the Domain Name is correctly
selected in the "Log on to:" box. Local user accounts almost certainly
won't be able to logon remotely to a Terminal Server, although it may be
possible to set things up so they can, it is not usually done and will
create administrative problems.

5. If the problem is that the users can logon to the client workstation
using a Domain User account, but can not logon to the Terminal Server
remotely;
  a. to be able to logon via Terminal Services, the user account must have
the "logon via Terminal Services" right. The message you describe means to
me that the user's account does not have this right.
  b. With Windows 2003, the default is that members of the server's local
"Remote Desktop Users" group have the right to logon via Terminal Services.
Being a member of the server's local "Users" group is not sufficient.
  c. what client are you using for connecting to the Terminal Server?
     i. if you are using the Remote Desktop Client, make sure that the
Domain name is correctly selected in the "Log on to:" box on the "Log On to
Windows" panel when the user connects to the server and that the username
shown in the "User name:" box is a member of the "Remote Desktop Users"
group
    ii. if you are using a Citrix client, (e.g. to launch a "published
application"), this is often configured to "pass through" the client
workstation's current user's credentials to the server automatically. If
this is what is being done, make sure that the domain\username combination
used to logon to the client workstation (see 4) is a member of the server's
"Remote Desktop Users" group.

6. Although the default is that the members of the server's "Remote Desktop
Users" group can logon via Terminal Services, this too can be changed. On
the server, open the Terminal Services Configuration mmc, click the
"Connections" item in the left pane, right click on the connection type in
the right pane (e.g. RDT-Tcp) and select Properties. Select the Permissions
tab. By default, Remote Desktop Users will appear in the list and will have
"User Access" and "Guest Access" allowed.

-- 
Bruce Sanderson MVP
It's perfectly useless to know the right answer to the wrong question.
"Donny" <danyluk75@hotmail.com> wrote in message 
news:192701c4a7da$d97921c0$a301280a@phx.gbl...
> Here is my situation, hopefully someone can help out.  I
> have a 2003 Terminal Server and about 50 users that
> connect.  The desktops are Windows 98, 2000 and XP.
> Everyone comes in and logs on to the domain and has an
> Icon for the Terminal Server connection where they can
> access specific applications.  The problem that I am
> having is only on the XP and 2000 machines.  I am assuming
> due to the fact that they use user profiles.  When they
> come in and try to log on to the domain it is giving an
> error saying that they are not allowed to log on locally.
> Somehow the Server is overriding their local desktops
> permissions or profile and not allowing them to log onto
> the machine.  How can I correct this? 
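
The checks in points 4, 5 and 6 of the reply can be read off a machine directly. The script below is an added example, not part of the original thread: it exports the local user-rights assignment with `secedit` and lists who holds the local and Terminal Services logon rights, then shows the members of "Remote Desktop Users". It assumes an elevated PowerShell 3.0+ prompt on the workstation or Terminal Server being diagnosed; the display names follow the wording used in the thread and differ slightly between Windows versions.

```powershell
# Added example: audit the logon rights discussed in this thread on the local machine.
# The Se* names are the Windows privilege constants behind the rights the reply mentions.
$rights = [ordered]@{
    SeInteractiveLogonRight           = 'Log on locally'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Terminal Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}

function Resolve-Principal([string]$entry) {
    # secedit writes principals as "*S-1-5-32-555"; unmapped names appear as plain text.
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*S-')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return "$entry (unresolved SID, possibly a deleted account)"
    }
}

# Export only the user-rights section of the effective local security policy.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# A right that nobody holds is simply absent from the export.
$assigned = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') { $assigned[$Matches[1]] = $Matches[2] }
}
Remove-Item $inf

foreach ($name in $rights.Keys) {
    '{0} ({1}):' -f $rights[$name], $name
    if (-not $assigned.ContainsKey($name)) { '    <not assigned to anyone>'; continue }
    $assigned[$name].Split(',') |
        Where-Object { $_.Trim() } |
        ForEach-Object { '    ' + (Resolve-Principal $_) }
}

# Point 5b: the group that holds the Terminal Services logon right by default on Windows 2003.
net localgroup "Remote Desktop Users"
```

A Deny entry takes precedence over the matching Allow entry, so an account listed under both is refused. Because Group Policy from a Domain Controller can set these rights (point 1), compare the output on a failing XP/2000 workstation with a working one.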

