From: Dave on 31 Aug 2005 16:48

After promoting our server (Windows 2003) to a domain controller, we are no longer able to log into Terminal Services with any user other than the domain administrator account. We have tried adding other users to all the AD admin groups, and they still cannot access it. They receive the message "you do not have access to logon to this session". I have checked Terminal Services Manager, and all connections are cleared when they try to log in.

I have set all AD policies regarding "Log on locally" etc. to "undefined" with no success. I have also tried defining these policies and explicitly adding these users, with no success. I have tried editing the policies at the domain level, the Domain Controllers OU, and the users' OU. After each change in policy, I've run the gpupdate command. I have also tried rebooting the server.

When I right-click on "My Computer" on this server, and select "Properties" and then "Remote", the Select Remote Users button is grayed out. However, the checkbox to allow users to access the machine remotely is checked. I have verified that the user's password is (very) complex, using over 12 digits and using letters, numbers, and characters. The "Allow logon to Terminal Server" is checked in the users' properties.

Is this by design? Is the Administrator account the only account that can log in remotely on a Windows 2003 domain controller? Unfortunately, I have had to resort to demoting this server back to a member server for the time being. Please help.
From: Vera Noest [MVP] on 31 Aug 2005 17:16

You have to explicitly give the users the right to "Log on Locally", in your Domain Controller Security Policy.

I assume that you know that this setup is *not* recommended? A Terminal Server is a multi-user workstation. Apart from potential performance problems (a Terminal Server is internally tuned differently), you are risking the stability and security of your Domain Controller. Imagine all of your users working at the physical console of the server and using it as their personal workstation, simultaneously. Do you really want them to do that on your Domain Controller?

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Dave <take(a)friggin.guess> wrote on 31 aug 2005 in microsoft.public.windows.terminal_services:

> After promoting our server (Windows 2003) to a domain controller, we are no longer able to log into Terminal Services with any user other than the domain administrator account. We have tried adding other users to all the AD admin groups, and they still cannot access it. They receive the message "you do not have access to logon to this session". I have checked Terminal Services Manager, and all connections are cleared when they try to log in. I have set all AD policies regarding "Log on locally" etc. to "undefined" with no success. I have also tried defining these policies and explicitly adding these users, with no success. I have tried editing the policies at the domain level, the Domain Controllers OU, and the users' OU. After each change in policy, I've run the gpupdate command. I have also tried rebooting the server. When I right-click on "My Computer" on this server, and select "Properties" and then "Remote", the Select Remote Users button is grayed out.
> However, the checkbox to allow users to access the machine remotely is checked. I have verified that the user's password is (very) complex, using over 12 digits and using letters, numbers, and characters. The "Allow logon to Terminal Server" is checked in the users' properties.
> Is this by design? Is the Administrator account the only account that can log in remotely on a Windows 2003 domain controller?
> Unfortunately, I have had to resort to demoting this server back to a member server for the time being.
> Please help.
From: Dave on 31 Aug 2005 17:49

Vera Noest [MVP] wrote:
> You have to explicitly give the users the right to "Log on Locally", in your Domain Controller Security Policy.

I have already set this in the domain controllers policy, both at the OU level (AD Users and Computers, <domain name>, Domain Controllers properties, Group Policy object) and at the domain controller machine level (MMC Group Policy snap-in, Local Computer). Is there somewhere else I need to check for this?

> I assume that you know that this setup is *not* recommended?
> A Terminal Server is a multi-user workstation. Apart from
<snip>

Yes, I am aware. We need a separate user to be able to log into the machine and have administrative access, but not have domain-level administrative access. MMCs will not do the trick.
From: Vera Noest [MVP] on 1 Sep 2005 06:16

Dave <take(a)friggin.guess> wrote on 31 aug 2005 in microsoft.public.windows.terminal_services:

> Vera Noest [MVP] wrote:
>
>> You have to explicitly give the users the right to "Log on Locally", in your Domain Controller Security Policy.
>
> I have already set this in the domain controllers policy, both at the OU level (AD Users and Computers, <domain name>, Domain Controllers properties, Group Policy object) and at the domain controller machine level (MMC Group Policy snap-in, Local Computer). Is there somewhere else I need to check for this?

No.
The user is not trying to connect to the console session, is he? Because that is impossible for non-Administrators on a DC.

>> I assume that you know that this setup is *not* recommended?
>> A Terminal Server is a multi-user workstation. Apart from
>
> <snip>
>
> Yes, I am aware. We need a separate user to be able to log into the machine and have administrative access, but not have domain-level administrative access. MMCs will not do the trick.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
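To see what actually took effect on the DC after the policy edits Dave describes, rather than what each GPO editor displays, here is an added PowerShell script. It is not part of the thread and is not Vera's or Dave's code. It exports the effective user-rights assignment with secedit, resolves the listed SIDs to account names, and reports whether a given group is listed for the "Allow log on locally" right Vera names and for "Allow log on through Terminal Services", and whether it appears in either matching Deny right (a Deny always wins over an Allow). It assumes an elevated PowerShell session on the DC itself; CONTOSO\TS-Admins is a placeholder group name, and only direct listings are checked, not membership in a listed group.

```powershell
# Added example, not from the thread: show the logon rights that are in
# effect on this domain controller and check one principal against them.
# Assumes: run elevated on the DC, PowerShell available.
# CONTOSO\TS-Admins is a constructed placeholder; replace with your group.
param(
    [string]$Principal = 'CONTOSO\TS-Admins'
)

$inf = Join-Path $env:TEMP 'userrights.inf'

# secedit exports the local security database. On a DC that database holds
# the merged result of local policy plus whatever the Default Domain
# Controllers Policy (or any other linked GPO) applied, so this is the
# effective setting, not the contents of one editor.
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Privilege constants and the display names used in the policy editors.
$rights = @{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Terminal Services'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
}

# The INF lists SIDs as '*S-1-5-32-544'; translate them to DOMAIN\Name.
# Unresolvable tokens (orphaned SIDs, plain names) are returned unchanged.
function Resolve-Sid([string]$token) {
    if ($token -notlike '*S-1-*') { return $token }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $token.TrimStart('*')
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $token
    }
}

$result = @{}
foreach ($line in Get-Content $inf) {
    # Lines of interest look like:
    #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($matches[1])) {
        $holders = @($matches[2].Split(',') | ForEach-Object { Resolve-Sid $_.Trim() })
        $result[$matches[1]] = $holders
        '{0,-40} {1}' -f $rights[$matches[1]], ($holders -join ', ')
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Verdict: the principal must be granted both Allow rights and appear in
# neither Deny right, or the Terminal Services session is refused.
$allow = @('SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight')
$deny  = @('SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight')
$missing = @($allow | Where-Object { $result[$_] -notcontains $Principal })
$denied  = @($deny  | Where-Object { $result[$_] -contains $Principal })

if ($missing.Count -eq 0 -and $denied.Count -eq 0) {
    "OK: $Principal is listed for both logon rights and in no Deny right."
} else {
    foreach ($r in $missing) { "MISSING: $Principal is not listed in '$($rights[$r])' ($r)" }
    foreach ($r in $denied)  { "DENIED:  $Principal is listed in '$($rights[$r])' ($r)" }
}
```

Run it as `.\Check-DcLogonRights.ps1 -Principal 'CONTOSO\TS-Admins'` (script name is a placeholder). If a group Dave added through the Domain Controllers OU GPO or the local policy editor does not show up here, the setting never applied; if the Default Domain Controllers Policy lists a different set of principals, that GPO is overriding the local policy he edited through the MMC snap-in, and the right has to be granted there.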
From: Dave on 1 Sep 2005 10:28

Vera Noest [MVP] wrote:
> Dave <take(a)friggin.guess> wrote on 31 aug 2005 in microsoft.public.windows.terminal_services:
>
>> Vera Noest [MVP] wrote:
>>
>>> You have to explicitly give the users the right to "Log on Locally", in your Domain Controller Security Policy.
>>
>> I have already set this in the domain controllers policy, both at the OU level (AD Users and Computers, <domain name>, Domain Controllers properties, Group Policy object) and at the domain controller machine level (MMC Group Policy snap-in, Local Computer). Is there somewhere else I need to check for this?
>
> No.
> The user is not trying to connect to the console session, is he?
> Because that is impossible for non-Administrators on a DC.

Forgive my ignorance, but what do you mean by this? Do you mean, is he trying to log onto the machine via Terminal Services as the same user that is logged in at the console? Right now, no one is logged in at the machine console.