Users are not authorized for remote login


Posted

Windows 2008 sp1

AD is on a separate 2008 server

Installed terminal services, everything looks fine

Added group to TS gateway policies “domain”\TS

TS is a group I created in AD where to put users who can login to terminal services.

First I added users to TS, tried to log in – connection refused.

Added the user to TS and Remote Desktop group same thing.

The error is

The connection was denied because the user account is not authorized for remote login

What am I missing?

Guest Morgan che
Posted

RE: Users are not authorized for remote login

 

Hi,

 

From your description, I suspect this issue appears to Terminal Services

access permission. Typically, there are two settings that must be

configured before establishing Remote Desktop sessions. The first one is

that remote connections must be enabled ; the other one is users must be

granted permission to connect to the server. I think you have already done

the first one. So, let's focus on the second.

 

By default, the administrators group and Remote Desktop Users group have

permissions to logon to TS. So, generally speaking, we can simply add your

created groups into one of these groups to let them logon to TS. Because

you have added it to Remote Desktop Users group, please check the

following. I list the rights that a user needs to have to establish a remote

desktop connection to a terminal server:

 

1. Allow log on through Terminal Services

2. Rdp-Tcp connection "User Access" and "Guest Access" permissions

3. "Allow logon to Terminal Server" in the user property

 

Please perform the following steps to check them one by one to check

permissions:

 

Step 1: Allow logon through Terminal Services

-------------------------------------------

To connect to terminal server properly, users need to be granted the "Allow

logon through Terminal Services" right. If the server is a domain

controller, users also need to have "Allow logon locally" right. I

understand that you have checked the local access policy rights. Please

also check the group policies that are applied to the domain or OU as they

have higher priority and will override the configuration of local policy.

 

1. Logon as administrator, click Start -> Run, type "rsop.msc" in the text

box, and click OK.

2. Locate the [Computer Configuration\Windows Settings\Security

Settings\Local Policies\User Rights Assignment] item.

3. Check the "Allow log on locally" item to see whether this policy is

defined. If so, the "Source GPO" column displays the policy that defines

this policy. Please ensure "Administrators", "Remote Desktop Users",

"Backup Operators", "Account Operators", "Print Operators", "Server

Operators" are granted this right. If it is different, please configure the

corresponding policy to grant the permission.

4. Check the "Allow log on through Terminal Services" item to see whether

this policy is defined. If so, the "Source GPO" column displays the policy

that defines this policy. Please ensure "Administrators", "Remote Desktop

Users", and any other desired users are granted this right. If it is

different, please configure the corresponding policy to grant the

permission.

5. Check the "Deny log on locally" item to see whether this policy is

defined. If so, the "Source GPO" column displays the policy that defines

this policy. Please ensure that the user or any user groups that remote

user belongs to is not included in this right. If so, please modify the

corresponding policy to remove them.

6. Check the "Deny log on through Terminal Services" item to see whether

this policy is defined. If so, the "Source GPO" column displays the policy

that defines this policy. Please ensure that the user or any user groups

that remote user belongs to is not included in this right. If so, please

modify the corresponding policy to remove them.

7. Click Start -> Run, type "cmd" in the text box, and click OK.

8. Run the following command to refresh policy on both the domain

controller and the terminal server:

 

Gpupdate /force

 

9. Wait for a while so that the group policy is replicated and then try to

connect to the server again.

 

Step 2: Allow logon to Terminal Server

------------------------------------

To grant a user these permissions, start either the Active Directory Users

and Computers snap-in or the Local Users And Groups snap-in, open the

user's properties, click the Terminal Services Profile tab, and then click

to select the Allow logon to Terminal Server check box.

 

Step 3: Check TS permission

----------------------------

1. Open the Terminal Services Configuration snap-in.

2. Right click the Rdp-Tcp item, and click Properties.

3. In the Permissions tab, click "Advanced".

4. By default, administrators group and Remote Desktop Users group have

been granted the permissions. You can also add other users and groups and

grant them the corresponding permissions.

 

If this issue still persists after checking the steps above, please check

security settings on General tab of Terminal Services Configuration

snap-in. In security level, is it set to 'negotiate'? In Encryption level,

is it set to 'Client Compatible'?

 

As for 'Added group to TS gateway policies “domain”\TS', could you

please explain it more? How do you configure it? Also, please test to logon

to TS on other computer to see the symbols?

 

 

Hope this helps.

 

 

Sincerely

Morgan Che

Microsoft Online Support

Microsoft Global Technical Support Center

 

Get Secure! - http://www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so

that others may learn and benefit from your issue.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

 

 

--------------------

--->From: =?Utf-8?B?RWxp?= <eli@newsgroup.nospam>

--->Subject: Users are not authorized for remote login

--->Date: Wed, 30 Jul 2008 13:14:00 -0700

--->Newsgroups: microsoft.public.windows.terminal_services

--->Windows 2008 sp1

--->AD is on a separate 2008 server

--->Installed terminal services, everything looks fine

--->Added group to TS gateway policies “domain”\TS

--->TS is a group I created in AD where to put users who can login to terminal services.

--->First I added users to TS, tried to log in – connection refused.

--->Added the user to TS and Remote Desktop group same thing.

--->The error is

--->The connection was denied because the user account is not authorized for remote login

--->What am I missing?

Guest Vera Noest [MVP]
Posted

Re: Users are not authorized for remote login

 

Maybe you added the users to the AD group Remote Desktop Users?

 

You have to add them to the *local* Remote Desktop Users group on

the Terminal Server.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

*----------- Please reply in newsgroup -------------*

 

=?Utf-8?B?RWxp?= <eli@newsgroup.nospam> wrote on 30 jul 2008:

> Windows 2008 sp1

> AD is on a separate 2008 server

> Installed terminal services, everything looks fine

> Added group to TS gateway policies “domain”\TS

> TS is a group I created in AD where to put users who can login

> to terminal services.

> First I added users to TS, tried to log in – connection

> refused. Added the user to TS and Remote Desktop group same

> thing. The error is

> The connection was denied because the user account is not

> authorized for remote login

> What am I missing?

Posted

Re: Users are not authorized for remote login

 

Thanks for the advice.

I added users to a newly created group in AD, then added that group to "local"

remote desktop users on TS server and everything works fine now.

 

 

"Vera Noest [MVP]" wrote:

> Maybe you added the users to the AD group Remote Desktop Users?

>

> You have to add them to the *local* Remote Desktop Users group on

> the Terminal Server.

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> *----------- Please reply in newsgroup -------------*

>

> =?Utf-8?B?RWxp?= <eli@newsgroup.nospam> wrote on 30 jul 2008:

>

> > Windows 2008 sp1

> > AD is on a separate 2008 server

> > Installed terminal services, everything looks fine

> > Added group to TS gateway policies “domain”\TS

> > TS is a group I created in AD where to put users who can login

> > to terminal services.

> > First I added users to TS, tried to log in – connection

> > refused. Added the user to TS and Remote Desktop group same

> > thing. The error is

> > The connection was denied because the user account is not

> > authorized for remote login

> > What am I missing?

>
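
The checks this thread turned on, as a script; this is an added example, not something posted by any participant. It lists the local Remote Desktop Users group on the terminal server and reports which accounts hold the allow and deny "log on through Terminal Services" rights. It assumes an elevated PowerShell 2.0 or later prompt on the terminal server itself, and `$ExportPath` is an arbitrary scratch file.

```powershell
# Added example; run in an elevated prompt on the terminal server.
$ExportPath = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch file

# 1. Members of the *local* Remote Desktop Users group on this server.
#    The domain group (here "domain"\TS) has to appear in this list.
net localgroup "Remote Desktop Users"

# 2. Export the server's user rights and report the remote-logon allow/deny rights.
secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null

$rights = @{
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Terminal Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
}
$found = @{}
foreach ($line in Get-Content $ExportPath) {
    if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
        $right = $Matches[1]
        $found[$right] = @($Matches[2].Split(',') | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*S-')) {
                # secedit writes SIDs as *S-1-...; translate to a readable account name
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $entry }   # SID that no longer resolves: show it raw
            } elseif ($entry) { $entry }
        })
    }
}

# A right with no line in the export has no accounts assigned to it.
foreach ($right in $rights.Keys) {
    $holders = if ($found.ContainsKey($right)) { $found[$right] -join '; ' } else { '(not assigned)' }
    '{0} [{1}]: {2}' -f $rights[$right], $right, $holders
}
Remove-Item $ExportPath
```

A user can connect when one of their groups appears in the first list and under the allow right, and none of their groups appears under the deny right.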

