Re: TS Login Problem to challenge the brightest TS Guru's




Lance - below are suggestions on what else you can check.

First of all, it is not very likely that group policy corruption on PDC has
something to do with the problem you are seeing. There are no per-user Group
Policy settings that control access to Terminal Services. All of them are
per-computer, so if one user can't logon, none of them should have been able
to.

1) Check user properties for the new users. On "Terminal Services Profile"
page there is a check box called "Deny this user permissions to log on to
any Terminal Server". It should be unchecked.
2) Check user rights assignment on the Terminal Server. Open "Local Security
Settings" tool (secpol.msc), go to Local Policies -> User Rights
Assignment -> Allow log on through Terminal Services. It should have two
groups in it - Administrators and Remote Desktop Users.
3) Check user rights assignment on the domain controller. The policy of
concern there is called "Deny log on through Terminal Services". Make sure
it does not have anything suspicious, namely Users group and such.
4) Check permissions on TS Connection object (aka listener aka winstation)
on the Terminal Server. Go to Terminal Services Configuration (tscc.msc) ->
Connections -> rdp-tcp Properties -> Permissions tab. "Remote Desktop Users"
group should be in the list and have "User Access" and "Guest Access"
checked.
5) Make sure all users are in the LOCAL Remote Desktop Users group on the
Terminal Server. If you have a domain-wide "Remote Desktop Users" group or
other group that includes all users that need access to TS, you can include
that group as a member of the local group.
6) You can also check resultant set of policy on the DC. In "Active
Directory Users and Computers" right click on the OU that contains all your
users (new and old ones), go to "All Tasks", "Resultant set of policy
(planning)". This will help you see what exact policies apply to which users
and how.

Hope it helps.

--
Maxim Oustiougov,
Terminal Services Program Manager

This posting is provided "AS IS" with no warranties, and confers no rights.
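
Checks 2 and 3 in the list above can also be verified from a policy export rather than the GUI. The Python below is an added example, not part of the original posting: it parses the `[Privilege Rights]` section of a file written by `secedit /export /cfg` and reports a missing "allow" entry or an over-broad "deny" entry. The privilege constant names and well-known SIDs are standard Windows values that the post does not spell out, and the sample export (including the domain SID) is constructed.

```python
# Added example: audit the Terminal Services logon rights in a secedit export.
ALLOW = "SeRemoteInteractiveLogonRight"     # "Allow log on through Terminal Services"
DENY = "SeDenyRemoteInteractiveLogonRight"  # "Deny log on through Terminal Services"
EXPECTED = {"S-1-5-32-544": "Administrators", "S-1-5-32-555": "Remote Desktop Users"}
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "Users"}

# Constructed sample (not from the thread); the domain SID is a placeholder.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-513
[Version]
signature="$CHICAGO$"
"""

def parse_rights(inf_text):
    """Return {right: [SID or account name, ...]} from [Privilege Rights]."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are exported with a leading '*'; entries given by name have none.
            rights[name.strip()] = [v.strip().lstrip("*")
                                    for v in value.split(",") if v.strip()]
    return rights

def audit(inf_text):
    """Return findings for checks 2 and 3 of the checklist."""
    rights, findings = parse_rights(inf_text), []
    allow = rights.get(ALLOW, [])
    for sid, label in EXPECTED.items():
        if sid not in allow:
            findings.append(f"{ALLOW}: {label} ({sid}) is missing")
    for entry in rights.get(DENY, []):
        domain_users = entry.startswith("S-1-5-21-") and entry.endswith("-513")
        label = BROAD.get(entry) or ("Domain Users" if domain_users else None)
        if label:
            findings.append(f"{DENY}: contains {label} ({entry})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INF):
        print(finding)
```

The exported file is typically UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `audit()`.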

"Lance" <Lance@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B2927049-B893-449A-8237-0FFC231F757D@xxxxxxxxxxxxxxxx
Hi Maxim, thanks for reading.

Yes they get an error message which is the following:

"To logon to this remote computer, you must have terminal server user access
permission on this computer. By default, members of the Remote Desktop Users
group have these permissions. If you are not a member of the Remote Desktop
Users group or another group that has these permissions, or if the Remote
Desktop Users group does not have these permissions, you must be granted
these permissions manually."

Why I get this message makes no sense as the new users are members of the
Remote Desktop Users Group together with all the old users. In fact all the
new users are members of exactly the same groups as the old users and have
exactly the same group policy permissions.

Hope it makes more sense to you??

Thanks for your help.

Lance

"Maxim Oustiougov [MSFT]" wrote:

Lance - do new users get an error message while trying to logon? What is it?

--
Maxim Oustiougov,
Terminal Services Program Manager

This posting is provided "AS IS" with no warranties, and confers no rights.

"Lance" <Lance@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AC7A0B71-ACCB-497C-BDFC-E13E4C974FE8@xxxxxxxxxxxxxxxx
I am running 3 x Windows ENT 2003 Servers, 2 of which are running TS (one is
a test server the other a production server).

Everything has been working beautifully until the group policy on the PDC
became corrupted, don't ask me how I have no idea it just did.

When I went to try and edit it would give me some strange message about it
not existing and all this hieroglyphics would appear in the error message.
Weird, and no it was not a virus.

Anyway I managed to restore the group policy on the PDC however ever since
then any new users I attempt to add to AD will not log on to the TS.

All the users which existed prior to the group policy being replaced work
fine, but any new ones just won't log on. Their permissions etc are all
identical to the ones which can log on.

I have checked the Security Audit Logs and the failed to log on users get
event ID 672 (authentication ticket request) and 673 (service ticket request)
both with no result code or failure code. Then that is it, nothing else is
logged!

The successful users get the same, however they also get event ID 540
(successful network logon).

Like I said everyone is a member of the remote user group, every user has
exactly the same permissions, it is just that every new user created can not
log on.

I have checked licensing and there are plenty left.

Any help would be greatly appreciated; even a way of resetting the AD &
Group Policy to system default without losing user data would be great. I
would rather not have to start building the PDC from scratch.

Thanks heaps for reading.

Hope someone can help.




