Only Administrators can log in?

  • Thread starter Thread starter Dearg O''Bartuin
  • Start date Start date
D

Dearg O''Bartuin

Guest
Hello all,

I have an unusual case. I recently took over the support of A TS environment
for a client.
On this network only those in the administrators group can log in using TS.
I have checked all group policies and in turn disabled all apart from the
default domain policy and made sure log on using Terminal Server was enabled
with the remote desktop users group.

Is there a way of completely disabling all group policies and starting again
without deleting these policies allowing me to return back if any problems
arise?

My ideal situation would be to have two groups

1. Administrators
2. Users

I would like administrators & all users to be allowed access via terminal
services. However i would like to apply separate permissions to each group
where administrators have access to the control panel, run command etc etc.

If i can work out how to fix the existing problems and allow remote desktop
connection group to log in i should be fine with the rest.

Thank you,
--
Tricky
--
Tricky
 
Re: Only Administrators can log in?

Which OS is the Terminal Server running?
What is the exact error message that normal users get when they try
to log on?
Is the TS a member server in the domain, or is it running on a
Domain Controller?
Assuming that the TS runs 2003, have you made sure that the users
are member of the *local* Remote Desktop Users group on the TS?
Also make sure that the "Allow logon to Terminal Server" checkbox
is checked in the properties of the user account in AD, and verify
the permissions on the rdp-tcp connection, in Terminal Services
Configuration.

Regarding the Group Policies: check first which GPO are applied to
the TS and normal users, by using the Resultant Set of Polcies
(RSoP). The, in the applied GPOs, check for the setting under:

Computer Configuration - Windows Settings - Security Settings -
Local Policies - User rights Assignment
"Allow log on through Terminal Services"

You can temporarily disable all GPOs on the TS by placing the TS in
a separate OU (that's recomneded anyway, and needed later on) and
then block inheritance of all GPOs on that OU.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?RGVhcmcgTycnQmFydHVpbg==?=
<DeargOBartuin@discussions.microsoft.com> wrote on 26 nov 2007 in
microsoft.public.windows.terminal_services:

> Hello all,
>
> I have an unusual case. I recently took over the support of A TS
> environment for a client.
> On this network only those in the administrators group can log
> in using TS. I have checked all group policies and in turn
> disabled all apart from the default domain policy and made sure
> log on using Terminal Server was enabled with the remote desktop
> users group.
>
> Is there a way of completely disabling all group policies and
> starting again without deleting these policies allowing me to
> return back if any problems arise?
>
> My ideal situation would be to have two groups
>
> 1. Administrators
> 2. Users
>
> I would like administrators & all users to be allowed access via
> terminal services. However i would like to apply separate
> permissions to each group where administrators have access to
> the control panel, run command etc etc.
>
> If i can work out how to fix the existing problems and allow
> remote desktop connection group to log in i should be fine with
> the rest.
>
> Thank you,
 
Back
Top