Terminal Services Logon Problem

[byrne1]

When I try to log onto TS with a domain user account I get the following message:

"The local policy of this system does not permit you to logon interactively."

I have two servers: DBSERVER and TERMSERVER. All of my user accounts are on DBSERVER as it is the domain controller for my domain. TERMSERVER is just what the name implies - a server dedicated to running terminal services.

I can log into TERMSERVER fine w/ my domain admin account. When I try to logon w/ a generic domain user account I get the aforementioned message.

I hope that someone can help me out w/ this. Thanks!

 

[karmic]

Give the user rights to "log on locally". You'll find it in the security policies.

~ K.I.S.S - Don't make it any more complex than it has to be ~

 

[byrne1]

I've added this user to Default Domain Controller Security Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on locally. This does not fix the problem.

I also added this user to the Default Domain Security Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on locally. This does not fix the problem either.

 

[Shift838]

It is definately a rights issue. Just for a test take a test user or someone else and add them to the local admins group to see if they can logon, if so it is something with Access rights. All Terminal Server boxes require Logon Locally rights.

 

[karmic]

Youll have to set the log on locally policy on the terminal server, not the domain controller.

~ K.I.S.S - Don't make it any more complex than it has to be ~

 

[byrne1]

I created a new test user account, added it to the local admin group, and got the same message as before.

Is there some command that I have to issue to refresh the security policies to TERMSERVER or is this done automatically w/ Active Directory?

 

[byrne1]

Just out of curiosity I added the test user account to the domain admin group and I was then able to log onto TERMSERVER.

What's up w/ that? I certainly don't want my users to be members of the domain admin group. Is there a way around this?

 

[karmic]

BTW, is your terminal server licensed? and what mode is it running in? application server or remote administration?

http://support.microsoft.com/default.aspx?scid=kb;en-us;238162

~ K.I.S.S - Don't make it any more complex than it has to be ~

 

[byrne1]

But to add them to TERMSERVER wouldn't I have to set the user up locally on TERMSERVER as well? I want to have user management only on one server (DBSERVER) since it is the domain controller and have all of my user accounts there.

BTW, yes the term server is licensed and running as an app server.

 

[VRIT]

How about this:

Under the User Properties select the Terminal Services Profile tab. On this page at the bottom is a tick box, Allow logon to Terminal Server - is it ticked?

VRIT

 

[byrne1]

Me thinks the problem is solved. I did not have DBSERVER's IP address set up as a DNS server on TERMSERVER. Therefore, TERMSERVER could not see any of the DBSERVER user accounts. When I fixed this, I was able to add my user to the Remote Desktop Users group on TERMSERVER and, vioala (sp), problem solved.

Thanks to all for your input and help.