RE: The local policy of this system does not allow you to log on inter
From: Patrick Rouse (PatrickRouse_at_discussions.microsoft.com)
Date: 02/15/05
- Next message: Josh: "RE: The local policy of this system does not allow you to log on i"
- Previous message: Steven Wong: "Re: TS 2nd login"
- In reply to: Josh: "The local policy of this system does not allow you to log on inter"
- Next in thread: Josh: "RE: The local policy of this system does not allow you to log on i"
- Reply: Josh: "RE: The local policy of this system does not allow you to log on i"
- Reply: Josh: "RE: The local policy of this system does not allow you to log on i"
Date: Mon, 14 Feb 2005 20:33:03 -0800
If the server is a 2003 Member Server, then the only things required for RDP
Logon are:

1. Member of the local Remote Desktop Users group, or a group with User &
Guest Permissions to the RDP-Tcp connection.
2. An activated 2003 TSLS that can be located by the 2003 TS.
3. TSCALs registered on the TSLS that are the same kind (per-user or
per-device) as the licensing mode of the TS.

Users do NOT require the logon locally right for 2003 TS, except when the TS
is also a DC. If your TS is a 2003 Member Server and you altered the Default
Domain Controllers Policy to allow Domain Users to log on locally, all you've
done is lessened the security on your DCs. The logon locally right in 2003
Member Servers allows users to log on to the Console of the server.

Check the event log on the TS for errors when users log on via RDP and get
denied access to log on.

Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com
"Josh" wrote:
> I have a question regarding an issue that I have come across. When trying
> to login with remote desktop to a terminal server I receive the following
> error message "Local policy does not permit you to log on interactively".
> I checked in the default domain controller GPO for "Allow Logon Locally",
> but the user and its group are already added. I also checked "Deny Logon
> Locally" and nothing is configured. The users that are having problems are
> part of the domain users group, unlike myself, who am part of the
> administrators group and log on fine remotely. I am trying to log on to the
> Terminal Server machine and not another workstation. The problem only
> occurs when I am trying to login remotely using remote desktop as a domain
> user. I also can log on fine when physically sitting behind the machine,
> whether as user or admin.
>
> We are running 2003 servers (1 Domain Controller w/License Server for
> Term Serv and 1 Term Server) and XP Pro/2000 Pro machines.
>
> I am setting up a 2003 Active Directory/License Server. A 2003 Terminal
> Server member server. And an XP Pro member workstation.
>
> I am trying to get the 2003 Server to host user desktops.
>
> Here are all of the things I have tried:
>
> I have tried creating new OU's and placing the users and/or pc's in
> them, but I am still getting the error when I log on from the workstation
> with a user without domain admin rights.
>
> Right click my computer, select the remote tab, select the check box to
> allow users to connect. You must also add the users or group to the remote
> desktop users group in the domain.
>
> I have added the group Domain Users to the Builtin Group Remote Desktop
> Users.
>
> I have created an OU named Terminal Server and placed the remote pc and
> the Terminal Server inside it.
> I created a GPO named Terminal Server Policy and linked it to the
> Terminal Server OU. I edited the GPO and defined "Allow Log on
> locally" to Administrators and Remote Desktop Users. I did the same
> for "Allow Log on through Terminal Services". I closed all open pages
> and ran gpupdate /force
> I tried to logon from remote desktop and got the same error.
>
> Tried adding the users directly to the remote desktop group.
>
> Remote desktop users group must be granted the "allow logon through
> terminal services"
>
> Access the "terminal services configuration" snapin from administrative
> templates. Highlight connections and access the properties of the RDP-TCP
> object. Go to the permissions tab and verify the remote desktop users group
> is listed and has allow user and allow guest access.
>
> Logon to the problem computer at the console and check Local Security Policy
> [secpol.msc]. TS users need to be in the Remote Desktop Users group and that
> group needs to have the user right for "allow logon through Terminal
> Services". Go to security settings/local policies/user rights. Note that
> deny logon through TS will override a user's "allow" user right. If you can
> not configure the user right in Local Security Policy you will need to find
> the overriding Group Policy (gpresult and RSOP can help with that), or create
> an OU for the TS with its own GPO to configure the user rights to your
> needs.
>
> Make sure your passwords are not blank
>
> Remote desktops only allow 2 sessions per server. You could have two
> sessions hung. Make sure there are no sessions active.
>
>
> If anyone has any suggestions, let me know. I see that this is pretty much
> a dead issue and have tried a lot of things.
>
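
The user-rights checks discussed in this thread, as an added example that is not part of either poster's message: it parses the `[Privilege Rights]` section produced on the terminal server by `secedit /export /cfg rights.inf /areas USER_RIGHTS` and reports whether an account's SIDs hold the remote logon right, whether a deny entry overrides it, and who holds console logon. The sample export, the SIDs in it and the "Administrators only" console baseline are assumptions constructed for the example.

```python
import configparser

# Constructed sample of a secedit user-rights export (not taken from the thread).
# secedit writes the real file as UTF-16; read it with encoding="utf-16".
# S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users,
# S-1-5-21-1111-2222-3333-513 = Domain Users of a made-up domain.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-513
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105
"""

def parse_rights(inf_text):
    """Return {right name: set of SIDs or account names} from [Privilege Rights]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
            for right, value in cp.items("Privilege Rights")}

def rdp_logon_verdict(rights, token_sids):
    """token_sids: SID of the user plus the SID of every group it belongs to."""
    token = set(token_sids)
    allow = rights.get("SeRemoteInteractiveLogonRight", set()) & token
    deny = rights.get("SeDenyRemoteInteractiveLogonRight", set()) & token
    if deny:  # a deny entry overrides any allow entry
        return "denied: deny right via " + ",".join(sorted(deny))
    if not allow:
        return "denied: no allow right"
    return "allowed via " + ",".join(sorted(allow))

def console_logon_holders(rights, expected=frozenset({"S-1-5-32-544"})):
    """Principals with 'Allow log on locally' outside the baseline (assumed here)."""
    return sorted(rights.get("SeInteractiveLogonRight", set()) - set(expected))

if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    user = ["S-1-5-21-1111-2222-3333-1104",   # constructed user SID
            "S-1-5-21-1111-2222-3333-513", "S-1-5-32-555"]
    print(rdp_logon_verdict(rights, user))
    print(console_logon_holders(rights))
```
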