RE: Users are not authorized for remote login



Hi,

From your description, I suspect this issue is related to Terminal Services
access permissions. Typically, there are two settings that must be
configured before establishing Remote Desktop sessions. The first one is
that remote connections must be enabled; the other one is that users must be
granted permission to connect to the server. I think you have already done
the first one. So, let's focus on the second.

By default, the administrators group and Remote Desktop Users group have
permissions to logon to TS. So, generally speaking, we can simply add your
created groups into one of these groups to let them logon to TS. Because
you have added it to the Remote Desktop Users group, please check the
following. I list the rights that a user needs to have to establish a remote
desktop connection to a terminal server:

1. Allow log on through Terminal Services
2. Rdp-Tcp connection "User Access" and "Guest Access" permissions
3. "Allow logon to Terminal Server" in the user property

Please perform the following steps to check these permissions one by one:

Step 1: Allow logon through Terminal Services
-------------------------------------------
To connect to terminal server properly, users need to be granted the "Allow
logon through Terminal Services" right. If the server is a domain
controller, users also need to have "Allow logon locally" right. I
understand that you have checked the local access policy rights. Please
also check the group policies that are applied to the domain or OU as they
have higher priority and will override the configuration of local policy.

1. Logon as administrator, click Start -> Run, type "rsop.msc" in the text
box, and click OK.
2. Locate the [Computer Configuration\Windows Settings\Security
Settings\Local Policies\User Rights Assignment] item.
3. Check the "Allow log on locally" item to see whether this policy is
defined. If so, the "Source GPO" column displays the policy that defines
this policy. Please ensure "Administrators", "Remote Desktop Users",
"Backup Operators", "Account Operators", "Print Operators", "Server
Operators" are granted this right. If it is different, please configure the
corresponding policy to grant the permission.
4. Check the "Allow log on through Terminal Services" item to see whether
this policy is defined. If so, the "Source GPO" column displays the policy
that defines this policy. Please ensure "Administrators", "Remote Desktop
Users", and any other desired users are granted this right. If it is
different, please configure the corresponding policy to grant the
permission.
5. Check the "Deny log on locally" item to see whether this policy is
defined. If so, the "Source GPO" column displays the policy that defines
this policy. Please ensure that the user or any user groups that remote
user belongs to is not included in this right. If so, please modify the
corresponding policy to remove them.
6. Check the "Deny log on through Terminal Services" item to see whether
this policy is defined. If so, the "Source GPO" column displays the policy
that defines this policy. Please ensure that the user or any user groups
that remote user belongs to is not included in this right. If so, please
modify the corresponding policy to remove them.
7. Click Start -> Run, type "cmd" in the text box, and click OK.
8. Run the following command to refresh policy on both the domain
controller and the terminal server:

Gpupdate /force

9. Wait for a while so that the group policy is replicated and then try to
connect to the server again.

Step 2: Allow logon to Terminal Server
------------------------------------
To grant a user these permissions, start either the Active Directory Users
and Computers snap-in or the Local Users And Groups snap-in, open the
user's properties, click the Terminal Services Profile tab, and then click
to select the Allow logon to Terminal Server check box.

Step 3: Check TS permission
----------------------------
1. Open the Terminal Services Configuration snap-in.
2. Right click the Rdp-Tcp item, and click Properties.
3. In the Permissions tab, click "Advanced".
4. By default, administrators group and Remote Desktop Users group have
been granted the permissions. You can also add other users and groups and
grant them the corresponding permissions.

If this issue still persists after checking the steps above, please check
the security settings on the General tab of the Terminal Services
Configuration snap-in. In security level, is it set to 'negotiate'? In
Encryption level, is it set to 'Client Compatible'?

As for 'Added group to TS gateway policies "domain"\TS', could you
please explain it more? How do you configure it? Also, please test to logon
to TS on other computer to see the symbols?


Hope this helps.


Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
--->From: =?Utf-8?B?RWxp?= <eli@xxxxxxxxxxxxxxxx>
--->Subject: Users are not authorized for remote login
--->Date: Wed, 30 Jul 2008 13:14:00 -0700
--->Newsgroups: microsoft.public.windows.terminal_services
--->
--->Windows 2008 sp1
--->AD is on a separate 2008 server
--->Installed terminal services, everything looks fine
--->Added group to TS gateway policies "domain"\TS
--->TS is a group I created in AD where to put users who can login to terminal
--->services.
--->First I added users to TS, tried to log in - connection refused.
--->Added the user to TS and Remote Desktop group same thing.
--->The error is
--->The connection was denied because the user account is not authorized for
--->remote login
--->What am I missing?
--->
--->
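
Added example, not part of the original post: a scripted version of the Step 1 check, reading the user rights from a "secedit /export" file instead of rsop.msc. SeRemoteInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight are the policy constants behind "Allow log on through Terminal Services" and "Deny log on through Terminal Services"; the INF text, the domain SIDs and the function names are constructed for illustration, and entries are assumed to be exported in *SID form.

```powershell
# Constructed sample in the shape written by:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@

# Parse the [Privilege Rights] section into right name -> array of SIDs.
function Get-UserRightsFromInf {
    param([string]$InfText)
    $rights = @{}
    $inSection = $false
    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $sids = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
            $rights[$name] = @($sids | Where-Object { $_ })
        }
    }
    return $rights
}

# A deny right wins over an allow right for any SID in the user's token.
function Test-RemoteLogonRight {
    param([hashtable]$Rights, [string[]]$TokenSids)
    $allow = @($Rights['SeRemoteInteractiveLogonRight'] | Where-Object { $TokenSids -contains $_ })
    $deny = @($Rights['SeDenyRemoteInteractiveLogonRight'] | Where-Object { $TokenSids -contains $_ })
    $verdict = if ($deny.Count) { 'Denied' } elseif ($allow.Count) { 'Allowed' } else { 'NotGranted' }
    [pscustomobject]@{ Verdict = $verdict; AllowedVia = $allow; DeniedVia = $deny }
}

# Constructed token: the user, Remote Desktop Users, and a custom "TS" group.
$tokenSids = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1201',  # user (constructed)
    'S-1-5-32-555',                                     # BUILTIN\Remote Desktop Users
    'S-1-5-21-1111111111-2222222222-3333333333-1105'   # TS group (constructed)
)
Test-RemoteLogonRight -Rights (Get-UserRightsFromInf $sampleInf) -TokenSids $tokenSids
```

With the sample data the verdict is Denied even though the user is in Remote Desktop Users, because the constructed TS group SID appears in the deny right. The group SIDs for a real account can be listed with "whoami /groups" run as that user.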
