  1. M&C: Far Side of the Net vinbuck's Avatar
    Join Date
    Jul 2008
    Location
    Jackson, MS
    Posts
    774

    Certifications
    CSA (Certified Sandwich Artist - Retired), MCP, CCNP, CCNA, MTCNA, MTCRE, MTCTCE, HE IPv6 Enthusiast
    #1

    What am I doing wrong? Terminal Services help

    I'm trying to complete exercise 3 in Ch 2 lesson 5 of the MS Press book which deals with Terminal Server and I am running up against what I think is a user privileges issue.

    I have two virtual servers (Linux host in Virtualbox) that run Server 2K3 - they are:

    server01.contoso.com - domain controller
    server02.contoso.com - member server

    The instructions tell you to create a user in Active Directory on Server01 named "Lorrin Smith-Bates" (abbrev: LSB). It then tells you to create a global security account named "Contoso Terminal Server Users" (abbrev: CTSU). It instructs you to add LSB to the CTSU group. It then instructs you to add the CTSU group to the Print Operators group. Then it tells you to log off of server01, log in to server02 and add CTSU group to the Remote Desktop Users group under local users and groups.

    After all that is done you are supposed to login to server01 as LSB (which it lets me do) and try to remote desktop to server02 with the LSB user account. When I try to do this I get the following error message.

    "To log on to this remote computer, you must have Terminal Server User Access permissions on this computer. By default, members of the Remote Desktop users group have these permissions. If you are not a member of the Remote Desktop Users Group or another group that has these permissions, or if the Remote Desktop User group does not have these permissions, you must be granted these permissions manually"

    When I checked the Remote Desktop Users group on Server02, it does have the permissions to logon through terminal services.

    What am I missing?

  3. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #2
    Check group policy: computer configuration\windows settings\security settings\local policies\user rights assignment\allow log on through terminal services

  4. M&C: Far Side of the Net vinbuck's Avatar
    #3
    That particular option is listed as "not defined" in the domain group policy. Would that still override the local group policy setting?

  5. Drops by now and again astorrs's Avatar
    Join Date
    May 2008
    Location
    Vancouver, Canada
    Posts
    3,141

    Certifications
    I have numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...
    #4
    Quote Originally Posted by MississippiGuardsman View Post
    That particular option is listed as "not defined" in the domain group policy. Would that still override the local group policy setting?
    No it wouldn't (hence the "not defined").

    Login to the Server02 directly as the user (LSB) and open a command prompt, type "whoami /groups" and look for the local Remote Desktop Users group near the top of the list. Can you confirm it shows up?

  6. BOBBY_TABLES RobertKaucher's Avatar
    Join Date
    Dec 2007
    Location
    Lebanon, Ohio - USA
    Posts
    4,274

    Certifications
    MCSD Web Apps/SharePoint Applications, MCITP: DBA 2005/2008, EA, EDA7, Linux+, Sec+, MCSE, MCDST, MCTS
    #5
    I just want to add a bit of experience here, which may or may not apply.

    When a GPO is defined (for example you set it to deny log on through terminal services) and then is set back to undefined it sometimes sticks on the old setting. I have seen this in test labs so many times. A user sets GPOs in a lab and then sets them back to "undefined" but they still get applied. Try defining the GPOs to allow logon through TS just in case.

  7. M&C: Far Side of the Net vinbuck's Avatar
    #6
    Quote Originally Posted by astorrs View Post
    No it wouldn't (hence the "not defined").

    Login to the Server02 directly as the user (LSB) and open a command prompt, type "whoami /groups" and look for the local Remote Desktop Users group near the top of the list. Can you confirm it shows up?
    I executed that command while logged into server02 as LSB and it shows BUILTIN\Remote Desktop Users as the second listing.

  8. Its all smoke and mirrors dales's Avatar
    Join Date
    Jan 2008
    Posts
    223

    Certifications
    vExpert 2014+2015, VCP5-DT,VCP3+5, CCE-V, CCE-AD, CCP-AD ,CCEE, CCAA XenApp, CCA Netscaler,Xenapp 6.5,Xendesktop 5 & Xenserver 6,MCSA, MCDST, MCP, A+
    #7
    I think that the remote desktop group is a builtin group that's not actually given any permissions. In the past I came across this issue and decided that you have to assign the RDUG to the remote desktop permissions of the server.

    I think the group name is just a helpful name in Active Directory but is not actually given any real power until you add the remote desktop users group to the select remote users options in the server's system properties.
    Kind Regards
    Dale Scriven

    Twitter:dscriven
    Blog: vhorizon.co.uk

  9. M&C: Far Side of the Net vinbuck's Avatar
    #8
    I decided to add the LSB user directly to the local policy of "Allow log on through Terminal Services" on server02 and it still denies access with the same message. Something else has to be restricting this but I can't figure out what

  10. Its all smoke and mirrors dales's Avatar
    #9
    By default only administrators are allowed to log on by RDP to any server (I think they have to be domain admins to log onto a DC, set in the default domain policy I think). I think the interactive logon only allows someone to log on at the console of the server (i.e. sat in front of it, not through an RDP session).

    You should be able to resolve this by adding the remote desktop UG to the remote desktop permissions button in the server's system CPL.
    Kind Regards
    Dale Scriven

    Twitter:dscriven
    Blog: vhorizon.co.uk

  11. M&C: Far Side of the Net vinbuck's Avatar
    #10
    Quote Originally Posted by dales View Post
    By default only administrators are allowed to log on by RDP to any server (I think they have to be domain admins to log onto a DC, set in the default domain policy I think). I think the interactive logon only allows someone to log on at the console of the server (i.e. sat in front of it, not through an RDP session).

    You should be able to resolve this by adding the remote desktop UG to the remote desktop permissions button in the server's system CPL.
    I think you might be thinking about Windows XP system properties....it has a button to add users and groups where the Server 2003 system properties remote tab does not (at least on mine anyway)

    I added the user LSB to the local security policy setting for "allow logon through terminal services" and I added LSB to the Remote Desktop Users group (I checked and this group is also listed in the local security policy as having access)

    Still no joy

  12. BOBBY_TABLES RobertKaucher's Avatar
    #11
    Which version of 2003 is this? R2? And is it patched?

    I have had this issue with Server 2003 (pre R2) demos that were unpatched. Try adding the user to the local Server Ops group. If that works, then we can start to narrow things down more.

  13. M&C: Far Side of the Net vinbuck's Avatar
    #12
    Quote Originally Posted by RobertKaucher View Post
    Which version of 2003 is this? R2? And is it patched?

    I have had this issue with Server 2003 (pre R2) demos that were unpatched. Try adding the user to the local Server Ops group. If that works, then we can start to narrow things down more.
    I have

    Server 2003 R2
    Enterprise Edition
    Service Pack 2

    (it is a demo btw)


    I went to local users and groups but found no Server Ops group.
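
Added example, not part of any post in this thread: the checks suggested above (the "allow log on through terminal services" user right, the deny setting that post #5 says can stick, and the `whoami /groups` membership check) combined into one evaluation. It assumes the rights were dumped on server02 with `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the export text, the domain SIDs and the function names are constructed for illustration.

```python
# Added example (not from the thread): check the Terminal Services logon
# rights in a secedit USER_RIGHTS export against the SIDs in a user's token.
ALLOW = "SeRemoteInteractiveLogonRight"     # "Allow log on through Terminal Services"
DENY = "SeDenyRemoteInteractiveLogonRight"  # "Deny log on through Terminal Services"
RDU = "S-1-5-32-555"  # well-known SID of BUILTIN\Remote Desktop Users
# Constructed SIDs: placeholder domain prefix, RIDs chosen for the example.
LSB_USER = "S-1-5-21-1111111111-2222222222-3333333333-1105"
CTSU_GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1106"

# Constructed export: a leftover deny entry names the CTSU group.
SAMPLE_INF = f"""\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
{ALLOW} = *S-1-5-32-544,*{RDU}
{DENY} = *{CTSU_GROUP}
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Map each right in [Privilege Rights] to its set of SIDs/account names."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                h.strip().lstrip("*").upper() for h in value.split(",") if h.strip()
            }
    return rights

def remote_logon_verdict(rights, token_sids):
    """Return (verdict, matching entries); a deny match wins over any allow."""
    token = {s.upper() for s in token_sids}
    for right, verdict in ((DENY, "denied"), (ALLOW, "allowed")):
        hits = rights.get(right, set()) & token
        if hits:
            return verdict, sorted(hits)
    return "not granted", []

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_INF)
    # Token SIDs as `whoami /user` plus `whoami /groups` would list them for LSB.
    print(remote_logon_verdict(rights, [LSB_USER, CTSU_GROUP, RDU]))
    print(remote_logon_verdict(rights, [LSB_USER, RDU]))
```

With the constructed data, membership in Remote Desktop Users is not enough: the deny entry for the CTSU group matches first, so the verdict names the entry to remove.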
