Log on Locally, 2000 AD

Status
Not open for further replies.

VampyreUK

Technical User
Apr 2, 2001
Here's a problem that I have been researching for weeks (literally)!

We have a 2000 AD domain at work and we want to have ordinary users log onto member servers as protected remote desktops.

The domain configuration is as follows:
* 2 x DC configured additionally as DNS forwarders
* 1 x TS license server (no licences installed because all clients are 2000 pro and carry all necessary licenses)
* 1 x print/file server
* 1 x SQL server (for Citrix)
* Several member servers.

There are (or should be) 3 domain administrators, myself and 2 others and outside of those there will be three classes of user:

* Those with local server only administrator privileges (various application and server/service owner/support groups)
* Clients who are ordinary users (supported by aforementioned support groups) and have access to a limited desktop.
* Anonymous clients using Citrix published applications

The problem is that no matter what I do I cannot log on to any server using anything less than a domain administrator (and that includes not being able to log on using local administrators). The following things I know:
* This is not a TS only thing as it applies to direct console logons and remote control software such as Dameware ... I therefore assume this is a rights issue and not licensing.
* We do not have this issue in our NT 4 domain therefore I assume this is a uniquely AD oriented issue.
* If I log on to a Windows 2003 member server (though we intend to migrate it to 2003, it is currently a 2000 domain) I have no issues ... I therefore assume this is a pure Windows 2000 oriented issue. It was not necessary on this server to set the "log on locally" right on the server itself.
* I am not exceeding the limit of remote admin sessions.

The solutions I have tried so far are (from memory):
* I have created users on local member servers, added them to the local server administrator group and then attempted to log on; I get the message, “The local policy of this system does not permit you to logon interactively”.
* I have set "log on locally" on the local 2000 server.
* I have set "log on locally" on the DC
* I have changed local group policy using "gpedit.msc", adding the user to the list of allowed users for logging on locally, and it makes no difference at all. Similar has been tried on the DCs.

Outside of that I have surfed the net, MS knowledgebase and so on, and I am still no wiser. This was easy in an NT style domain, and based on the fact that I recall no issues on my home 2003 domain, that seems to be OK, but using AD on Windows 2000 I just don't seem to get it.

Any advice on this issue greatly appreciated :)

 
Do you happen to have a Domain security policy in place that is overriding any of the settings you have set on a local and domain controller level?
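
One way to check the question raised in the reply is to export the member server's security settings (the INF template format written by `secedit /export`) and see which principals actually hold the "log on locally" right. The following is an added example, not part of the thread: the sample template, the placeholder domain SID and the function names are constructed, and the sample shows one hypothetical state in which only Domain Admins hold the right.

```python
# Constructed sample of a security-template export. The domain SID is a
# placeholder; S-1-5-32-544 / -545 are the built-in Administrators / Users.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-512
SeDenyInteractiveLogonRight =
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally"


def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names without one.
            members = {m.strip().lstrip("*").lower()
                       for m in value.split(",") if m.strip()}
            rights[name.strip()] = members
    return rights


def interactive_logon_verdict(rights, principals):
    """principals: SIDs or names of the user and every group it belongs to."""
    held = {p.lstrip("*").lower() for p in principals}
    if held & rights.get(DENY, set()):
        return "denied"        # an explicit deny wins over any allow
    if held & rights.get(ALLOW, set()):
        return "allowed"
    return "not granted"       # state that refuses an interactive logon
```

If the exported list differs from what was set in the local policy editor on the server, a policy applied from the domain is the place to look next.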
 