Re: TS Login Problem to challenge the brightest TS Guru's



You are welcome, Lance. It is a complex system, and even folks in Terminal
Server development team sometimes get confused by multiple levels of access
checks during Terminal Server logon :-). I'm glad I was able to help.

--
Maxim Oustiougov,
Terminal Services Program Manager

This posting is provided "AS IS" with no warranties, and confers no rights.

"Lance" <Lance@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:65061ECC-6890-4C40-BB70-34CB1DD4E6C8@xxxxxxxxxxxxxxxx
Hi Maxim,

Thank you for your suggestions; after thoroughly checking every one I must
admit that I now feel truly humbled and slightly embarrassed.

It turns out suggestion 5 in your list was the cause. When I had originally
set up TS I had added every user individually to the local RDU group. So of
course when I created a new user on the DC they would not be able to log in
until I also added them to the local RDU group on the TS. I have rectified
this problem by using a domain-wide RDU group.

Thank you very much for your help and suggestions.

Regards,

Lance

"Maxim Oustiougov [MSFT]" wrote:

Lance - below are suggestions on what else you can check.

First of all, it is not very likely that group policy corruption on PDC has
something to do with the problem you are seeing. There are no per-user Group
Policy settings that control access to Terminal Services. All of them are
per-computer, so if one user can't log on, none of them should have been able
to.

1) Check user properties for the new users. On "Terminal Services Profile"
page there is a check box called "Deny this user permissions to log on to
any Terminal Server". It should be unchecked.
2) Check user rights assignment on the Terminal Server. Open "Local Security
Settings" tool (secpol.msc), go to Local Policies -> User Rights
Assignment -> Allow log on through Terminal Services. It should have two
groups in it - Administrators and Remote Desktop Users.
3) Check user rights assignment on the domain controller. The policy of
concern there is called "Deny log on through Terminal Services". Make sure
it does not have anything suspicious, namely Users group and such.
4) Check permissions on TS Connection object (aka listener aka winstation)
on the Terminal Server. Go to Terminal Services Configuration (tscc.msc) ->
Connections -> rdp-tcp Properties -> Permissions tab. "Remote Desktop Users"
group should be in the list and have "User Access" and "Guest Access"
checked.
5) Make sure all users are in the LOCAL Remote Desktop Users group on the
Terminal Server. If you have a domain-wide "Remote Desktop Users" group or
other group that includes all users that need access to TS, you can include
that group as a member of the local group.
6) You can also check resultant set of policy on the DC. In "Active
Directory Users and Computers" right click on the OU that contains all your
users (new and old ones), go to "All Tasks", "Resultant set of policy
(planning)". This will help you see what exact policies apply to which users
and how.

Hope it helps.

--
Maxim Oustiougov,
Terminal Services Program Manager

This posting is provided "AS IS" with no warranties, and confers no rights.
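A way to script checks 1, 2, 3 and 5 from the list above for a single domain user, as an added example that is not part of the original thread and not Maxim's or Microsoft's own tooling. It assumes an elevated PowerShell 2.0 or later session on the Terminal Server itself, a domain-joined machine, a user identified by sAMAccountName, and a hypothetical script name of Check-TSLogonAccess.ps1. The IADsTSUserEx AllowLogon property, the secedit right names and the well-known SIDs are real; how they are combined here is my construction. Checks 4 (rdp-tcp listener permissions in tscc.msc) and 6 (RSoP planning) remain manual.

```powershell
# Added example, not part of the original thread: script checks 1, 2, 3 and 5
# from the list above for one domain user. Run in an elevated PowerShell (2.0+)
# session on the Terminal Server itself. Assumptions (mine, not the thread's):
# the machine is domain-joined, the user is given by sAMAccountName, and the
# script is saved as Check-TSLogonAccess.ps1 (hypothetical name).
param(
    [Parameter(Mandatory = $true)]
    [string]$UserName   # e.g. jdoe (constructed sample value)
)

$results = @()

# --- Check 1: per-user "Deny this user permissions to log on to any Terminal Server".
# The TS profile flag is reachable through the IADsTSUserEx interface as AllowLogon
# (1 = allowed, 0 = denied); it is not a plain LDAP attribute.
$searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$UserName))"
$found = $searcher.FindOne()
if (-not $found) { throw "User '$UserName' was not found in the domain." }
$userDE = $found.GetDirectoryEntry()
$allowLogon = [int]($userDE.psbase.InvokeGet("AllowLogon"))
$results += New-Object PSObject -Property @{
    Check  = "1) TS profile allows logon"
    Pass   = ($allowLogon -eq 1)
    Detail = "AllowLogon=$allowLogon"
}

# --- Checks 2 and 3: user rights assignment as it is effective on this server
# (secedit exports the applied settings, including what domain GPOs pushed here).
# Allow right should contain S-1-5-32-555 (Remote Desktop Users); Administrators is
# S-1-5-32-544. Deny right should be empty: a deny always wins over an allow.
$inf = Join-Path $env:TEMP "ts-rights.inf"
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $inf
Remove-Item $inf -ErrorAction SilentlyContinue
function Get-Right([string]$Name) {
    $line = $lines | Where-Object { $_ -like "$Name*" } | Select-Object -First 1
    if ($line) { ($line -split '=', 2)[1].Trim() } else { "" }
}
$allow = Get-Right "SeRemoteInteractiveLogonRight"
$deny  = Get-Right "SeDenyRemoteInteractiveLogonRight"
$results += New-Object PSObject -Property @{
    Check  = "2) Allow log on through TS includes Remote Desktop Users"
    Pass   = ($allow -like "*S-1-5-32-555*")
    Detail = "SeRemoteInteractiveLogonRight = $allow"
}
$results += New-Object PSObject -Property @{
    Check  = "3) Deny log on through TS is empty"
    Pass   = ($deny -eq "")
    Detail = "SeDenyRemoteInteractiveLogonRight = $deny"
}

# --- Check 5: membership of the LOCAL Remote Desktop Users group. Direct members
# come from the WinNT provider; a domain group nested one level deep (the fix
# Lance ended up with) is detected through the user's memberOf. The user's
# primary group (usually Domain Users) is not in memberOf and is not considered.
$local = [ADSI]"WinNT://./Remote Desktop Users,group"
$localMembers = @($local.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
})
$userGroups = @()
foreach ($dn in $userDE.Properties["memberOf"]) {
    $userGroups += [string]([ADSI]"LDAP://$dn").Properties["sAMAccountName"].Value
}
$hits = @((@($UserName) + $userGroups) | Where-Object { $localMembers -contains $_ })
if ($hits.Count -gt 0) { $detail = "via: " + ($hits -join ", ") }
else { $detail = "local members: " + ($localMembers -join ", ") }
$results += New-Object PSObject -Property @{
    Check  = "5) In local Remote Desktop Users (directly or via a domain group)"
    Pass   = ($hits.Count -gt 0)
    Detail = $detail
}

# Checks 4 (rdp-tcp listener permissions in tscc.msc) and 6 (RSoP planning) stay manual.
$results | Select-Object Check, Pass, Detail | Format-Table -AutoSize -Wrap
```

Run it as `.\Check-TSLogonAccess.ps1 -UserName jdoe` on the Terminal Server; a new user who fails only check 5 reproduces exactly the situation Lance describes, and the remedy is the one he adopted: put a domain-wide group in the local Remote Desktop Users group instead of adding users one by one. Nesting is resolved only one level deep on purpose, since that is the structure the thread recommends; deeper nesting would need a tokenGroups lookup instead of memberOf.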

"Lance" <Lance@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B2927049-B893-449A-8237-0FFC231F757D@xxxxxxxxxxxxxxxx
Hi Maxim, thanks for reading.

Yes they get an error message which is the following:

"To logon to this remote computer, you must have terminal server user access
permission on this computer. By default, members of the Remote Desktop Users
group have these permissions. If you are not a member of the Remote Desktop
Users group or another group that has these permissions, or if the Remote
Desktop Users group does not have these permissions, you must be granted
these permissions manually."

Why I get this message makes no sense as the new users are members of the
Remote Desktop Users group together with all the old users. In fact all the
new users are members of exactly the same groups as the old users and have
exactly the same group policy permissions.

Hope it makes more sense to you?

Thanks for your help.

Lance

"Maxim Oustiougov [MSFT]" wrote:

Lance - do new users get an error message while trying to log on? What is
it?

--
Maxim Oustiougov,
Terminal Services Program Manager

This posting is provided "AS IS" with no warranties, and confers no rights.

"Lance" <Lance@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AC7A0B71-ACCB-497C-BDFC-E13E4C974FE8@xxxxxxxxxxxxxxxx
I am running 3 x Windows ENT 2003 Servers, 2 of which are running TS (one is
a test server, the other a production server).

Everything has been working beautifully until the group policy on the PDC
became corrupted; don't ask me how, I have no idea, it just did.

When I went to try and edit it, it would give me some strange message about
it not existing and all these hieroglyphics would appear in the error
message. Weird, and no, it was not a virus.

Anyway I managed to restore the group policy on the PDC; however, ever since
then any new users I attempt to add to AD will not log on to the TS.

All the users which existed prior to the group policy being replaced work
fine, but any new ones just won't log on. Their permissions etc. are all
identical to the ones which can log on.

I have checked the Security Audit Logs and the users who fail to log on get
event ID 672 (authentication ticket request) and 673 (service ticket
request), both with no result code or failure code. Then that is it, nothing
else is logged!

The successful users get the same; however, they also get event ID 540
(successful network logon).

Like I said everyone is a member of the remote user group, every user has
exactly the same permissions, it is just that every new user created cannot
log on.

I have checked licensing and there are plenty left.

Any help would be greatly appreciated; even a way of resetting the AD &
Group Policy to system default without losing user data would be great. I
would rather not have to start building the PDC from scratch.

Thanks heaps for reading.

Hope someone can help.
