Re: TS Login Problem to challenge the brightest TS Guru's
- From: Carl Carpenter <CarlCarpenter@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 2 Feb 2007 14:00:01 -0800
Sorry, I'm not finding that program on the 2003 server. I have it on my
workstation but don't find anything about Terminal Services when I ran it.
Even ran it from the TS but it looks the same. IMHO, I doubt that domain
permissions would apply since it is only one of 7 2003 Terminal Servers.
"Vera Noest [MVP]" wrote:
The Terminal Services profile tab is a part of the domain account.
In Maxim's instructions, he was referring to AD account properties.
Since you have an NT 4 DC, you will have to run User manager for
Domains (I think it's usrmgr.exe, look for it in the \system32
folder) from the 2003 TS and connect to the NT 4 DC to see those
settings.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
Carl Carpenter <CarlCarpenter@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on
02 feb 2007 in microsoft.public.windows.terminal_services:
I have several Windows 2003 Standard Edition R2 servers running
as Terminal Servers. All have been configured the same.
Suddenly, one of them has decided to give me the same message
that Lance received. We are not running AD nor is it
functioning as a domain controller. I tried to follow the
instructions you sent Lance, but had difficulty with a couple of
them.
1. Where is the Terminal Services Profile page?
2. Checked it. Complies.
3. Probably doesn't apply since we're still a NT4 network.
Don't know where to find what you referred to.
4. Checked it. Complies.
5. Checked it. Complies.
6. NA, not running AD.
Another similar post suggested running mstsc.exe from the
command prompt. Since they didn't specify which machine to run
it from, I tried it from the faulty TS. Received the same
message.
Where else do I need to check?
Carl Carpenter
IT Manager
Hill Country Community MHMR Center
"Maxim Oustiougov [MSFT]" wrote:
You are welcome, Lance. It is a complex system, and even folks
in Terminal Server development team sometimes get confused by
multiple levels of access checks during Terminal Server logon
:-). I'm glad I was able to help.
--
Maxim Oustiougov,
Terminal Services Program Manager
This posting is provided "AS IS" with no warranties, and
confers no rights.
"Lance" <Lance@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:65061ECC-6890-4C40-BB70-34CB1DD4E6C8@xxxxxxxxxxxxxxxx
Hi Maxim,
Thank you for your suggestions, after thoroughly checking
everyone I must admit that I now feel truly humbled and
slightly embarrassed.
It turns out suggestion 5 in your list was the cause. When I
had originally set up TS I had added every user individually
to the local RDU group. So of course when I created a new user
on the DC they would not be able to log in until I also added
them to the Local RDU Group on the TS. I have rectified this
problem by using a domain-wide RDU Group.
Thank you so much for your help and suggestions.
Regards,
Lance
"Maxim Oustiougov [MSFT]" wrote:
Lance - below are suggestions on what else you can check.
First of all, it is not very likely that group policy
corruption on PDC has something to do with the problem you are
seeing. There are no per-user Group Policy settings that
control access to Terminal Services. All of them are
per-computer, so if one user can't logon, none of them should
have been able to.
1) Check user properties for the new users. On "Terminal
Services Profile" page there is a check box called "Deny this
user permissions to log on to any Terminal Server". It should
be unchecked.
2) Check user rights assignment on the Terminal Server. Open
"Local Security Settings" tool (secpol.msc), go to Local
Policies -> User Rights Assignment -> Allow log on through
Terminal Services. It should have two groups in it -
Administrators and Remote Desktop Users.
3) Check user rights assignment on the domain controller. The
policy of concern there is called "Deny log on through
Terminal Services". Make sure it does not have anything
suspicious, namely Users group and such.
4) Check permissions on TS Connection object (aka listener aka
winstation) on the Terminal Server. Go to Terminal Services
Configuration (tscc.msc) -> Connections -> rdp-tcp Properties
-> Permissions tab. "Remote Desktop Users" group should be in
the list and have "User Access" and "Guest Access" checked.
5) Make sure all users are in the LOCAL Remote Desktop Users
group on the Terminal Server. If you have a domain-wide
"Remote Desktop Users" group or other group that includes all
users that need access to TS, you can include that group as a
member of the local group.
6) You can also check resultant set of policy on the DC. In
"Active Directory Users and Computers" right click on the OU
that contains all your users (new and old ones), go to "All
Tasks", "Resultant set of policy (planning)". This will help
you see what exact policies apply to which users and how.
Hope it helps.
--
Maxim Oustiougov,
Terminal Services Program Manager
This posting is provided "AS IS" with no warranties, and
confers no rights.
"Lance" <Lance@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B2927049-B893-449A-8237-0FFC231F757D@xxxxxxxxxxxxxxxx
Hi Maxim, thanks for reading.
Yes they get an error message which is the following:
"To logon to this remote computer, you must have terminal
server user access permission on this computer. By default,
members of the Remote Desktop Users group have these
permissions. If you are not a member of the Remote Desktop
Users group or another group that has these permissions, or if
the Remote Desktop Users group does not have these
permissions, you must be granted these permissions manually."
Why I get this message makes no sense as the new users are
members of the Remote Desktop Users Group together with all
the old users. In fact all the new users are members of
exactly the same groups as the old users and have exactly the
same group policy permissions.
Hope it makes more sense to you??
Thanks for your help.
Lance
"Maxim Oustiougov [MSFT]" wrote:
Lance - do new users get an error message while trying to
logon? What is it?
--
Maxim Oustiougov,
Terminal Services Program Manager
This posting is provided "AS IS" with no warranties, and
confers no rights.
"Lance" <Lance@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:AC7A0B71-ACCB-497C-BDFC-E13E4C974FE8@xxxxxxxxxxxxxxxx
I am running 3 x Windows ENT 2003 Servers, 2 of which are
running TS (one is a test server the other a production
server).
Everything has been working beautifully until the group policy
on the PDC became corrupted, don't ask me how I have no idea
it just did.
When I went to try and edit it would give me some strange
message about it not existing and all this hieroglyphics would
appear in the error message. Weird, and no it was not a virus.
Anyway I managed to restore the group policy on the PDC
however ever since then any new users I attempt to add to AD
will not log on to the TS.
All the users which existed prior to the group policy being
replaced work fine, but any new ones just won't log on. Their
permissions etc are all identical to the ones which can log
on.
I have checked the Security Audit Logs and the failed to log
on users get event ID 672 (authentication ticket request) and
673 (service ticket request) both with no result code or
failure code. Then that is it, nothing else is logged!
The successful users get the same, however they also get event
ID 540 (successful network logon).
Like I said everyone is a member of the remote user group,
every user has exactly the same permissions, it is just that
every new user created can not log on.
I have checked licensing and there are plenty left.
Any help would be greatly appreciated; even a way of resetting
the AD & Group Policy to system default without losing user
data would be great. I would rather not have to start building
the PDC from scratch.
Thanks heaps for reading.
Hope someone can help.
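Checks 2 and 3 in Maxim's list (the "Allow log on through Terminal Services" and "Deny log on through Terminal Services" user rights) can also be read from a `secedit /export` file instead of being clicked through in secpol.msc. The script below is an added example, not part of the thread; the function names, the sample export and the domain SID in it are constructed for illustration.

```python
# Added example (not from the thread). Input is the text of a file made with
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
ALLOW = "SeRemoteInteractiveLogonRight"     # Allow log on through Terminal Services
DENY = "SeDenyRemoteInteractiveLogonRight"  # Deny log on through Terminal Services
EXPECTED_ALLOW = {"S-1-5-32-544": "Administrators",
                  "S-1-5-32-555": "Remote Desktop Users"}
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "Users"}

def parse_privilege_rights(text):  # -> {right name: set of SIDs/account names}
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*")
                                    for v in value.split(",") if v.strip()}
    return rights

def broad_name(sid):  # name of a SID that covers most or all users, else None
    if sid.startswith("S-1-5-21-") and sid.endswith("-513"):
        return "Domain Users"
    return BROAD.get(sid)

def audit(text):
    rights = parse_privilege_rights(text)
    allow, deny = rights.get(ALLOW, set()), rights.get(DENY, set())
    # Check 2: both default groups should hold the allow right.
    findings = [f"{name} ({sid}) missing from {ALLOW}"
                for sid, name in EXPECTED_ALLOW.items() if sid not in allow]
    # Check 3: a broad group in the deny right locks out ordinary users.
    findings += [f"{broad_name(sid)} ({sid}) listed in {DENY}"
                 for sid in sorted(deny) if broad_name(sid)]
    return findings

# Constructed sample export; the domain SID is made up.
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-1105
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

secedit normally writes the export as Unicode (UTF-16), so read a real file with `encoding="utf-16"` before passing its text to `audit()`.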