remote desktop to win2003 server console connect

[pm0023]

Hi,

I have just setup some servers and have been trying to configure the terminal services/remote desktop to them. The servers run logged on with an AD user account, and after the inital problem of not being able to remotly console connect to this, resolved by including the user in 'allow logon though terminal services' in secpol.msc.
Now I can connect to the server with the servers user account, but this only seems to work if the user is logged on already. The problem I now have is if the server has been rebooted, I can't log on with the user account, as I get a 'to logon to this remote console session, you must have administrative permissions on this computer'. This is true, I added the servers user account to the 'administrators' group and I can logon fine. (I also tried adding to the 'Remote Deksotp User' group but this made no difference).

Can anyone assist with this, I don't want to set the user account as a local admin, but I would like to the ability to logon in the event of reboot or powerfailure.

thanks in advance....

 

[itsp1965]

PM, did you try the following;

right-click MyComputer-->Select the Remote Tab-->Under the Section for Remote Desktop click on Select Remote Users and add the users/groups you want to have access to the server.

Hope this helps.

 

[pm0023]

yes thats already been tried.

but my main area of concern is the fact that I can console connect to an open session. but not create a new one with these user accounts...

 

[Roadki11]

If you are running TS in Remote Administration mode the user need to be members of the admin group in order to connect. If you want non-admins to connect you need to set the TS in Application mode and install a TS license server.

RoadKi11

 

[itsp1965]

That's not entirely true Roadkill. If you go into the RDP-TCP properties of the TS Config connect tool you can set permissions of the RDP-TCP connection type to limit what users can do in an RDP session (Go to Connections-->right click on RDP-TCP Select Properties-->Permissions). This allows for non-admin users to connect via RDP for remote access.

 

[Roadki11]

Thanks for correcting my erroneous post. Not sure why you would do that except to circumvent licensing.

 

[pm0023]

thanks for the reply. I'm not too bothered about licencing, as this is still for admin purposes only. And we don't want to have to use the slow KVM remotly or walk to the server room when the unit needs to reboot, just to logon.

I have checked out your suggestion though, and added our user to the Permissions dialog with Full rights, but still getting the error....

 

[itsp1965]

PM, check to make sure that your security change made through group policy has been applied to this server.

 

[pm0023]

'allow logon though terminal services' was the 1st thing I did. Do I need to adjust any other parts of the policy?

 

[itsp1965]

Yes I understand that but did you check the local security policy on the server itself to ensure that the change has been applied.

 

[pm0023]

oh, I see what you mean, and yes I can confirm that this has been applied.

 

[itsp1965]

PM, I don't know if you confirmed this already, but have you also enabled the "log on locally" right for this user in the security policy?

 

[pm0023]

ok just done some more tests, this is interesting.

add user to 'remote desktop users' allows logon without 'console connect' ticked. with 'console connect' ticked I get the error message.

'log on locally' shows no change.

if I just connect without console connect ticked, when usnig the machine locally I don't get access to the logged on session.

GRRR, this is annoying me now as I'm sure we actually had it working last week, when we first tested it.
Now it only seems to work if I add this user to the admin group.

any more advice/sugestions very welcome.....