Not granted logon right

Thread starter: altered (Guest)
Hi, I have an odd issue on our DC's. We have approx 30 DC's and I have non
domain admins who are granted access to remote desktop into DC's via the
remote desktop group in Active Directory (Builtin container). The members of
the group are able to access 2/3 of the DC's but on the other 1/3 they
receive the prompt stating they must be granted the logon through Terminal
Services right.

The remote desktop group exists by default on the TS connection. In
addition the remote desktop group is specified in the Default Domain
Controller policy for the logon through Terminal Services right.

Replication is not an issue, group memberships have been fully replicated.

Here's the kicker, if I remove the Remote Desktop group from the connection
property and then re-add it, they are able to login. In testing, the DC's
have been rebooted as well with no status change.

DC's are 2003 SP1

Thanks for any assistance you can provide!
 
RE: Not granted logon right

One other note, these users are a member of a group which is a member of the
"remote desktop users" group (nested). As a test I did explicitly add a
member to the remote desktop group, but no luck.

"altered" wrote:

> Hi, I have an odd issue on our DC's. We have approx 30 DC's and I have non
> domain admins who are granted access to remote desktop into DC's via the
> remote desktop group in Active Directory (Builtin container). The members of
> the group are able to access 2/3 of the DC's but on the other 1/3 they
> receive the prompt stating they must be granted the logon through Terminal
> Services right.
>
> The remote desktop group exists by default on the TS connection. In
> addition the remote desktop group is specified in the Default Domain
> Controller policy for the logon through Terminal Services right.
>
> Replication is not an issue, group memberships have been fully replicated.
>
> Here's the kicker, if I remove the Remote Desktop group from the connection
> property and then re-add it, they are able to login. In testing, the DC's
> have been rebooted as well with no status change.
>
> DC's are 2003 SP1
>
> Thanks for any assistance you can provide!
 
RE: Not granted logon right

I've seen a few similar posts quite some time ago, could be that
this is fixed in SP2.
Anyway, here's TP's answer to an identical problem:

Which error message are you receiving?

Is it this message:

To log on to this remote computer, you must be granted the
Allow log on through Terminal Services right. By default,
members of the Remote Desktop Users group have this
right. If you are not a member of the Remote Desktop Users
group or another group that has this right, or if the Remote
Desktop User group does not have this right, you must be
granted this right manually.

Or this message:

To log on to this remote computer, you must have Terminal
Server User Access permissions on this computer. By default,
members of the Remote Desktop Users group have these
permissions. If you are not a member of the Remote Desktop
Users group or another group that has these permissions, or
if the Remote Desktop User group does not have these
permissions, you must be granted these permissions manually.

********************
If you are receiving the first message, please complete the
following steps, and then attempt to logon as the test user:

1. On the TS, open the Local Security Policy
2. Expand Local Policies on the left, select
User Rights Assignment
3. Double-click "Allow log on through Terminal Services" on
the right
4. If Remote Desktop Users is in the list, select it and then
click the Remove button
5. Make sure "Define these policy settings" is checked, if it
exists.
6. Click the OK button to save your changes
7. Open a command prompt window and type gpupdate
8. Back in your Local Security Policy window, double-click
"Allow log on through Terminal Services"
9. Click the Add button, and type "Remote Desktop Users",
without the quotes, and click OK
10. Make sure "Define these policy settings" is checked, if it
exists.
11. Click the OK button to save your changes
12. Open up a command prompt window and type gpupdate

The other thing for you to consider is if you have a Group Policy
Object that is setting the security policies for your TS.

********************
If you are receiving the second message, please complete the
following steps, and then attempt to logon as the test user:

1. On the TS, start Terminal Services Configuration
2. Double-click rdp-tcp on the right hand side and select
the Permissions tab
3. If you HAVE NOT customized your permissions, click on
the Advanced button, then click the Default button, and
click OK to save your changes and SKIP the remaining
steps
4. If you HAVE customized your permissions, click on
Remote Desktop Users if it is in the list and click the
Remove button
5. Click the OK button to save your changes
6. Double-click rdp-tcp on the right hand side and select
the Permissions tab
7. Click the Add button, and type in "Remote Desktop Users",
without the quotes, and click OK
8. Check User Access under the Allow column.
9. Click the OK button to save your changes

It seems that every once in a while the connection object
permissions get messed up. Even though they appear
correct, the server behaves as if they are set wrong.

Based on what you have said I think this is what happened
to you. By clicking the default button you caused the
server to rewrite the security key using the default
permissions. FYI, the security is stored here:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\Security
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

altered <altered@discussions.microsoft.com> wrote
on 26 sep 2008 in microsoft.public.windows.terminal_services:

> One other note, these users are a member of a group which is a
> member of the "remote desktop users" group (nested). As a test
> I did explicitly add a member to the remote desktop group, but
> no luck.
>
> "altered" wrote:
>
>> Hi, I have an odd issue on our DC's. We have approx 30 DC's
>> and I have non domain admins who are granted access to remote
>> desktop into DC's via the remote desktop group in Active
>> Directory (Builtin container). The members of the group are
>> able to access 2/3 of the DC's but on the other 1/3 they
>> receive the prompt stating they must be granted the logon
>> through Terminal Services right.
>>
>> The remote desktop group exists by default on the TS
>> connection. In addition the remote desktop group is specified
>> in the Default Domain Controller policy for the logon through
>> Terminal Services right.
>>
>> Replication is not an issue, group memberships have been fully
>> replicated.
>>
>> Here's the kicker, if I remove the Remote Desktop group from
>> the connection property and then re-add it, they are able to
>> login. In testing, the DC's have been rebooted as well with no
>> status change.
>>
>> DC's are 2003 SP1
>>
>> Thanks for any assistance you can provide!
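
A way to compare the "Allow log on through Terminal Services" assignment across many DCs, as an added example that is not part of the thread: it parses the `[Privilege Rights]` section of `secedit /export /cfg <file> /areas USER_RIGHTS` output collected from each server and flags hosts where Remote Desktop Users (well-known SID S-1-5-32-555) lacks the allow right or holds the deny right. The host names and sample exports are constructed, the exports are assumed to be already decoded to text, and the check covers only the user right, not the RDP-Tcp connection permissions discussed above.

```python
# Added example: audit the Terminal Services logon right in secedit exports.
RDU_SID = "S-1-5-32-555"                     # well-known SID of BUILTIN\Remote Desktop Users
ALLOW = "SeRemoteInteractiveLogonRight"      # Allow log on through Terminal Services
DENY = "SeDenyRemoteInteractiveLogonRight"   # Deny log on through Terminal Services

def privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written as *S-1-...; unresolved accounts appear as plain names
            rights[name.strip()] = {p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()}
    return rights

def audit(exports, principals=(RDU_SID, "Remote Desktop Users")):
    """Map each host to 'ok', 'missing-allow' or 'denied' for the principals."""
    wanted = {p.lower() for p in principals}
    result = {}
    for host, text in exports.items():
        rights = privilege_rights(text)
        allow = {p.lower() for p in rights.get(ALLOW, set())}
        deny = {p.lower() for p in rights.get(DENY, set())}
        if wanted & deny:            # a deny assignment overrides the allow right
            result[host] = "denied"
        elif wanted & allow:
            result[host] = "ok"
        else:
            result[host] = "missing-allow"
    return result

# Constructed sample exports (hypothetical host names DC01..DC03)
SAMPLE = {
    "DC01": "[Unicode]\nUnicode=yes\n[Privilege Rights]\n"
            "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555\n",
    "DC02": "[Privilege Rights]\nSeRemoteInteractiveLogonRight = *S-1-5-32-544\n",
    "DC03": "[Privilege Rights]\n"
            "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555\n"
            "SeDenyRemoteInteractiveLogonRight = *S-1-5-32-555\n"
            "[Version]\nsignature=\"$CHICAGO$\"\n",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(host, status)
```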
 