Cannot make remote desktop connection to domain controller

Status
Not open for further replies.

900ss

Technical User
Nov 8, 2004
6
GB
Hi

I am stuck trying to give a user with delegated admin rights a remote desktop connection to my server.

I have run the Delegation Wizard so that user can manage users of my domain.
I have added that user to the Server Operators group.
And, I have added that user to the permitted Remote Users.

But when I try and connect I get "The local policy of this system does not permit you to log on interactively".

Can anyone tell me what step I have missed out?

Thanks

Alex
 
Make sure the terminal server login box is checked. AD users and computers - find the user's profile. Under the user's profile click on the Terminal Services Profile Tab. At the bottom there should be a box labeled "allow logon to terminal server". Is that checked? If not, check it and it should work. Let me know.

NetWiz
 
Thanks for the feedback, but the "allow logon to terminal server" box is checked for that user.

Any other thoughts?
 
Has the user's account been added to the remote section under My Computer? If this user has not been added to the Administrators account, or if they are under a restricted account, the domain user account will have to be added with this section.

NetWiz
 
Thanks again

I have made the user a member of the "Server Operators" Built In group which should allow him to logon to the domain controller. He is also a member of the "Remote Desktop Users" built in group.

I am not sure what you meant when you said "remote section under My Computer". All of the above was done under Active Directory Users & Computers. I cannot see anything under My Computer or Computer Management.
 
Right Click My Computer - Properties - REMOTE TAB. Has the user been added to this box? I understand the other steps that you have done... But if the user is not part of the Administrators group, then he needs to be added to this box. Is this user part of the Remote Operators Group as well?
 
Hi

Yes, the user is listed in the list of Remote Desktop Users under My Computer Properties. He is also in the Remote Desktop Users group in Active Directory. He is not an Administrator. I am trying to delegate permission to perform a few limited Administrative tasks to this user.

Thanks
 
There is definitely something with the restricted account keeping this user from logging in using TS. Double check your group policies and groups to see if something is disabling his TS profile. Does it work if he is added under the Administrator group?
 
Hi

Yes, if I make him a member of the Administrators built-in group he can log in with no problems. I will dig into the Group Policies.

Thanks again
 
Hi

Found it at last. In the Default Domain Policy I went to:

Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment | Allow Logon to Terminal Services.

By default this was Not Defined. I had to define it and add my delegated admin user. But there is a gotcha. You need to also add the Administrators group otherwise you have locked them out of remote admin.

Thanks for all your suggestions.
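
As an added example (not part of the thread): a Python check for the gotcha in the last post, run over the text of a security template such as one exported with `secedit /export /cfg <file> /areas USER_RIGHTS`. It assumes the right appears under its constant name `SeRemoteInteractiveLogonRight`; the sample template and the account `EXAMPLE\deladmin` are constructed.

```python
# Added example, not code from the thread.
RIGHT = "SeRemoteInteractiveLogonRight"  # constant behind the Terminal Services logon right
ADMINS_SID = "S-1-5-32-544"              # well-known SID of BUILTIN\Administrators

# Constructed sample: the right is defined for the delegated user only,
# which is the lockout the last post warns about. Real exports are usually
# UTF-16, so decode the file before passing its text in.
SAMPLE_LOCKOUT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549
SeRemoteInteractiveLogonRight = EXAMPLE\\deladmin
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names are not.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def is_administrators(principal):
    """Match the group by SID or by name, with or without a domain prefix."""
    p = principal.lower()
    return p == ADMINS_SID.lower() or p.split("\\")[-1] == "administrators"

def check_remote_logon(inf_text):
    """'not-defined', 'admins-missing' (lockout risk) or 'ok'."""
    rights = parse_privilege_rights(inf_text)
    if RIGHT not in rights:
        return "not-defined"
    if any(is_administrators(p) for p in rights[RIGHT]):
        return "ok"
    return "admins-missing"

if __name__ == "__main__":
    print(check_remote_logon(SAMPLE_LOCKOUT))
```
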
 