The local policy of this system does not allow you to log on inter

From: Josh (Josh_at_discussions.microsoft.com)
Date: 02/14/05


Date: Mon, 14 Feb 2005 15:27:01 -0800

I have a question regarding an issue that I have come across. When
trying to log in with Remote Desktop to a terminal server, I receive the
following error message: "Local policy does not permit you to log on
interactively". I checked in the default domain controller GPO for
"Allow Logon Locally", but the user and its group are already added. I
also checked "Deny Logon Locally" and nothing is configured. The users
that are having problems are part of the domain users group, unlike
myself, who am part of the administrators group and log on fine
remotely. I am trying to log on to the Terminal Server machine and not
another workstation.

The problem only occurs when I am trying to log in remotely using
remote desktop as a domain user. I can also log on fine when physically
sitting behind the machine, whether as user or admin.

We are running 2003 servers (1 Domain Controller w/License Server for
Term Serv and 1 Term Server) and XP Pro/2000 Pro machines.

I am setting up a 2003 Active Directory/License Server, a 2003 Terminal
Server member server, and an XP Pro member workstation.

I am trying to get the 2003 Server to host user desktops.

Here are all of the things I have tried:

I have tried creating new OUs and placing the users and/or PCs in
them, but I am still getting the error when I log on from the workstation
with a user without domain admin rights.

Right click my computer, select the remote tab, select the check box to
allow users to connect. You must also add the users or group to the remote
desktop users group in the domain.

I have added the group Domain Users to the Builtin Group Remote Desktop
Users.

I have created an OU named Terminal Server and placed the remote PC and
the Terminal Server inside it.
I created a GPO named Terminal Server Policy and linked it to the
Terminal Server OU. I edited the GPO and defined "Allow Log on
locally" to Administrators and Remote Desktop Users. I did the same
for "Allow Log on through Terminal Services". I closed all open pages
and ran gpupdate /force.
I tried to log on from remote desktop and got the same error.

Tried adding the users directly to the remote desktop group.

Remote desktop users group must be granted the "allow logon through
terminal services".

Access the "terminal services configuration" snap-in from administrative
templates. Highlight connections and access the properties of the RDP-TCP
object. Go to the permissions tab and verify the remote desktop users group
is listed and has allow user and allow guest access.

Log on to the problem computer at the console and check Local Security Policy
[secpol.msc]. TS users need to be in the Remote Desktop Users group and that
group needs to have the user right for "allow logon through Terminal
Services". Go to security settings/local policies/user rights. Note that
deny logon through TS will override a user's "allow" user right. If you
cannot configure the user right in Local Security Policy you will need to find
the overriding Group Policy (gpresult and RSOP can help with that), or create
an OU for the TS with its own GPO to configure the user rights to your
needs.

Make sure your passwords are not blank

Remote desktops only allow 2 sessions per server. You could have two
sessions hung. Make sure there are no sessions active.

If anyone has any suggestions, let me know. I see that this is pretty much
a dead issue and have tried a lot of things.
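
Added example (not part of the original post): the allow/deny evaluation described above, run over a user-rights export of the kind `secedit /export /cfg rights.inf /areas USER_RIGHTS` produces on the terminal server. The INF text, the token SIDs and the function names are constructed for illustration; the privilege constants and the built-in SIDs (544 Administrators, 545 Users, 555 Remote Desktop Users) are the real ones.

```python
# Constructed sample shaped like a secedit USER_RIGHTS export from the terminal server.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed token of a non-admin domain user: Users, Remote Desktop Users,
# and a made-up Domain Users SID (RID 513).
USER_TOKEN = ["S-1-5-32-545", "S-1-5-32-555",
              "S-1-5-21-1111111111-2222222222-3333333333-513"]

# (allow right, deny right) for console logon and logon through Terminal Services.
RIGHTS = {
    "local": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "rdp": ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"),
}

def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written as *S-1-...; entries without * are account names.
            rights[name.strip()] = {p.strip().lstrip("*").upper()
                                    for p in value.split(",") if p.strip()}
    return rights

def check_logon(rights, token_sids, kind):
    """Return (allowed, reason); a matching deny right wins over any allow."""
    allow_name, deny_name = RIGHTS[kind]
    token = {s.upper() for s in token_sids}
    denied = rights.get(deny_name, set()) & token
    if denied:
        return False, f"{deny_name} matches {sorted(denied)} (deny overrides allow)"
    allowed = rights.get(allow_name, set()) & token
    if allowed:
        return True, f"{allow_name} granted via {sorted(allowed)}"
    return False, f"no SID in the token holds {allow_name}"
```

With the sample export, the user passes the console check through Users but fails the Terminal Services check, because Remote Desktop Users is a member of the token yet holds no right on this machine.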


