rdp logon interactively issue with xp pro upgrades

Status
Not open for further replies.
May 4, 2004
21
US
Hi, I'm struggling with RDP. I've got 25 machines, 12 of which came loaded with Windows XP Pro, and the other 13 were upgraded to XP Pro from Windows 2000. I can RDP into any of the machines that had XP Pro loaded by Dell, but the 13 machines that have the volume license upgrades give me the following error:

"the local policy of this system does not permit you to logon interactively"

I searched through the FAQs and did a keyword search, but didn't find anything that helped. All of these machines are on a Windows 2000 domain. I looked through TechNet and found an article, PSS ID 285793, and tried what it suggested, with no luck. I've checked the RDP setup of all machines, and from what I can tell, they are all the same.

Please help!

Thank you,
mb
 
Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
In the right pane of the Group Policy dialog box, right-click Log on locally, and then click Security.
Click to select the Define these policy settings check box, click Add, and then click Browse.
Click those users to whom you want to grant the "Log on locally" policy, click Add, and then click OK two times. To select multiple users or groups, press and hold the CTRL key down, and then click individual objects.
Click OK to close the Security Policy Setting dialog box.

Make sure you add the group "Remote Desktop Users".
 
Let me expand a bit on the above.

. RD assumes that the eligible usernames and passwords were added to the RD Host as local usernames and passwords, or are authenticated users as part of a Domain.

. It further assumes these users were added in the RD Host service manually.

To use the computer's local group policy to enable Remote Desktop:
Click Start, click Run, type gpedit.msc, and then click OK.
In the Group Policy editor, click to expand Computer Configuration, click to expand Administrative Templates, click to expand Windows Components, and then click to expand Terminal Services.
Double-click the Do not allow new client connections policy.
Set the policy to disabled, and then click OK.

You can also use the following procedure to enable Remote Desktop; however, if you use the preceding procedure, the following configuration is overridden:
Right-click My Computer and click Properties.
Click the Remote tab.
In the Remote Desktop section, click to Allow users to connect remotely to this computer, and then click OK.

NOTE: This setting, Remote Desktop, is disabled by default on Windows XP Professional.

 
Hi Bcastner,

I went through these steps on 2 of the machines that are not working, with no luck. I wasn't able to locate the group "Remote Desktop Users". What is baffling to me is why it works on the OEM machines and not the upgraded ones. All have been configured the same way to allow RDP, with only the OEM installs working.

I'm trying to log on as both the primary user of that machine, as well as the domain administrator, with the same results.

Thank you for the details written out above.

mb
 
First, make sure you've followed Bcastner's sage advice.

I am not sure if this will help. However, you might try logging onto one of the stubborn machines with a domain admin account. Then, from the command-line, type the following:

gpupdate /force

After the command terminates, reboot. Then attempt an RDP logon.

I have an intermittent RDP issue that I correct via the above command. In fact, I plan to post about it soon in an effort to track down the root cause. Hope this helps!

 
Thank you ravashaak. I did as much of what's written above as possible; the only thing that I stumbled on was the 'Make sure you add the Group "Remote Desktop users"' part, as I didn't see that group available and wasn't sure if I was to create it. I did as you said above regarding gpupdate /force, which seemed to function correctly, but even after reboot the problem persisted.
Could there have been a default setting on the Windows 2000 Pro machines that, when I did the upgrade to XP Pro, followed across, thus creating the conflict? I've followed the Microsoft instructions on how to enable RDP on an XP machine, and it only worked on the OEM installs.

:-(
mb
 
The "add remote users" part now makes sense. So, in my latest attempt, I logged on as local admin on the machine, did as the instructions from the KB ID article you have listed, added the user as instructed from the domain (not a local account), and it still didn't work. It says that the domain administrator already has remote access as well, but no login name works; same error with every username I try. All the machines have the latest patches on them, but I'm wondering if XP Pro SP2 will help if/when it's available?

mb
 
Ah.

Add the users as local users with the same username and passwords as used on the Domain logon.

 
It's me again. I created a local user on the machine of the same name and password as the domain user, and made them a member of the local Administrators group. I RDP'd to the machine and tried both logging on to the domain and the local machine using the username, and still got the same error....

I hope this doesn't turn out to be something stupid I've done! It will be quite embarrassing!

Should I call Microsoft? Are they effective at resolving issues like this?

thx
mb
 
Two more things to check:

Go to "Control Panel" -> "Performance and Maintenance" -> "Administrative Tools" -> "Local Security Policy"
Expand "Local Policies" -> "User Rights Assignment"
Check that "Access this computer from the network" has these groups included: "Guests" and "Everyone"
Check that "Deny access to this computer from the network" doesn't contain the above groups


Go to "Local Security Policy", expand "Local Policies" -> "Security Options"
Check that "Accounts: Limit local account use of blank passwords to console login only" is disabled

Reboot.

If that does not work, call MSFT.
 
Bcastner,

Thank you for all your input. This last step did not work as well, so something must really be amiss. I'll call them, and post if they can resolve it.

mb

 
Microsoft was able to resolve this issue. I think bcastner was real close, and may have even mentioned this without me catching it:
gpedit.msc
Local Computer Policy
Expand Windows Settings
Expand Security Settings
Expand Local Policies
Click on User Rights Assignment
On the right, right-click on "Allow logon through Terminal Services" and select Properties. Add the Administrators group and the Remote Desktop Users group.

This apparently gets set when you turn on "Allow users to connect remotely to this computer" or is on by default with a fresh XP Pro install, as all my OEM XP machines had this set. The machines that were 2000 Pro upgraded to XP Pro had no entries in this field. Adding them fixed the problem. Thank you bcastner, I think you may have been trying to lead me in this direction.

mb
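
The resolution above as a repeatable check across a fleet (an added example, not part of the original thread): it parses the `[Privilege Rights]` section of a `secedit /export /cfg <file> /areas USER_RIGHTS` export and reports machines where "Allow logon through Terminal Services" (`SeRemoteInteractiveLogonRight`) lacks Administrators or Remote Desktop Users. It assumes each export has already been read and decoded to text (secedit usually writes UTF-16); the function names, hostnames and sample exports are constructed for illustration.

```python
# Added example: audit "Allow logon through Terminal Services" in secedit exports.
RIGHT = "SeRemoteInteractiveLogonRight"  # constant name of that user right
REQUIRED = {  # well-known SIDs of the two groups named in the fix
    "*S-1-5-32-544": "Administrators",
    "*S-1-5-32-555": "Remote Desktop Users",
}

def parse_privilege_rights(inf_text):
    """Return {right: set(lower-cased principals)} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lower() for v in value.split(",") if v.strip()}
    return rights

def missing_rdp_groups(inf_text):
    """Groups from REQUIRED that the export does not grant RIGHT to."""
    # An absent line and an empty value both mean "no entries in this field".
    granted = parse_privilege_rights(inf_text).get(RIGHT, set())
    return sorted(name for sid, name in REQUIRED.items()
                  if sid.lower() not in granted and name.lower() not in granted)

def audit(exports):
    """Map hostname -> missing groups, listing only machines that need the fix."""
    found = {host: missing_rdp_groups(text) for host, text in exports.items()}
    return {host: groups for host, groups in found.items() if groups}

# Constructed sample exports (hypothetical hostnames), already decoded to text.
OEM = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""
UPGRADED = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
"""
PARTIAL = UPGRADED + "SeRemoteInteractiveLogonRight = Administrators\n"

if __name__ == "__main__":
    for host, groups in audit({"oem-01": OEM, "upg-01": UPGRADED, "upg-02": PARTIAL}).items():
        print(f"{host}: add {', '.join(groups)} to {RIGHT}")
```

Diffing a working OEM machine's export against an upgraded one this way surfaces the empty user right directly instead of comparing the Remote tab settings, which looked identical on both.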
 