Guest altered
Posted September 26, 2008

Hi, I have an odd issue on our DCs. We have approx 30 DCs and I have non domain admins who are granted access to remote desktop into DCs via the Remote Desktop Users group in Active Directory (Builtin container). The members of the group are able to access 2/3 of the DCs, but on the other 1/3 they receive the prompt stating they must be granted the log on through Terminal Services right.

The Remote Desktop Users group exists by default on the TS connection. In addition, the Remote Desktop Users group is specified in the Default Domain Controllers policy for the log on through Terminal Services right.

Replication is not an issue; group memberships have been fully replicated.

Here's the kicker: if I remove the Remote Desktop Users group from the connection property and then re-add it, they are able to log in. In testing, the DCs have been rebooted as well with no status change.

DCs are 2003 SP1.

Thanks for any assistance you can provide!
Guest altered
Posted September 26, 2008
RE: Not granted logon right

One other note: these users are members of a group which is a member of the "Remote Desktop Users" group (nested). As a test I did explicitly add a member to the Remote Desktop Users group, but no luck.

"altered" wrote:

> Hi, I have an odd issue on our DC's. We have approx 30 DC's and I have non domain admins who are granted access to remote desktop into DC's via the remote desktop group in Active Directory (Builtin container). The members of the group are able to access 2/3 of the DC's but on the other 1/3 they receive the prompt stating they must be granted the logon through Terminal Services right.
>
> The remote desktop group exists by default on the TS connection. In addition the remote desktop group is specified in the Default Domain Controller policy for the logon through Terminal Services right.
>
> Replication is not an issue, group memberships have been fully replicated.
>
> Here's the kicker, if I remove the Remote Desktop group from the connection property and then re-add it, they are able to login. In testing, the DC's have been rebooted as well with no status change.
>
> DC's are 2003 SP1
>
> Thanks for any assistance you can provide!
Guest Vera Noest [MVP]
Posted September 26, 2008
RE: Not granted logon right

I've seen a few similar posts quite some time ago; it could be that this is fixed in SP2. Anyway, here's TP's answer to an identical problem:

Which error message are you receiving? Is it this message:

To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop User group does not have this right, you must be granted this right manually.

Or this message:

To log on to this remote computer, you must have Terminal Server User Access permissions on this computer. By default, members of the Remote Desktop Users group have these permissions. If you are not a member of the Remote Desktop Users group or another group that has these permissions, or if the Remote Desktop User group does not have these permissions, you must be granted these permissions manually.

********************

If you are receiving the first message, please complete the following steps, and then attempt to log on as the test user:

1. On the TS, open the Local Security Policy
2. Expand Local Policies on the left, select User Rights Assignment
3. Double-click "Allow log on through Terminal Services" on the right
4. If Remote Desktop Users is in the list, select it and then click the Remove button
5. Make sure "Define these policy settings" is checked, if it exists.
6. Click the OK button to save your changes
7. Open a command prompt window and type gpupdate
8. Back in your Local Security Policy window, double-click "Allow log on through Terminal Services"
9. Click the Add button, and type "Remote Desktop Users", without the quotes, and click OK
10. Make sure "Define these policy settings" is checked, if it exists.
11. Click the OK button to save your changes
12. Open up a command prompt window and type gpupdate

The other thing for you to consider is if you have a Group Policy Object that is setting the security policies for your TS.

********************

If you are receiving the second message, please complete the following steps, and then attempt to log on as the test user:

1. On the TS, start Terminal Services Configuration
2. Double-click rdp-tcp on the right hand side and select the Permissions tab
3. If you HAVE NOT customized your permissions, click on the Advanced button, then click the Default button, and click OK to save your changes and SKIP the remaining steps
4. If you HAVE customized your permissions, click on Remote Desktop Users if it is in the list and click the Remove button
5. Click the OK button to save your changes
6. Double-click rdp-tcp on the right hand side and select the Permissions tab
7. Click the Add button, and type in "Remote Desktop Users", without the quotes, and click OK
8. Check User Access under the Allow column.
9. Click the OK button to save your changes

It seems that every once in a while the connection object permissions get messed up. Even though they appear correct, the server behaves as if they are set wrong. Based on what you have said, I think this is what happened to you. By clicking the Default button you caused the server to rewrite the security key using the default permissions.

FYI, the security is stored here:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\Security

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

altered <altered@discussions.microsoft.com> wrote on 26 sep 2008 in microsoft.public.windows.terminal_services:

> One other note, these users are a member of a group which is a member of the "remote desktop users" group (nested). As a test I did explicitly add a member to the remote desktop group, but no luck.
>
> "altered" wrote:
>
>> Hi, I have an odd issue on our DC's. We have approx 30 DC's and I have non domain admins who are granted access to remote desktop into DC's via the remote desktop group in Active Directory (Builtin container). The members of the group are able to access 2/3 of the DC's but on the other 1/3 they receive the prompt stating they must be granted the logon through Terminal Services right.
>>
>> The remote desktop group exists by default on the TS connection. In addition the remote desktop group is specified in the Default Domain Controller policy for the logon through Terminal Services right.
>>
>> Replication is not an issue, group memberships have been fully replicated.
>>
>> Here's the kicker, if I remove the Remote Desktop group from the connection property and then re-add it, they are able to login. In testing, the DC's have been rebooted as well with no status change.
>>
>> DC's are 2003 SP1
>>
>> Thanks for any assistance you can provide!
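The answer above points at two independent places where the decision is made: the user right in the local security policy and the binary security descriptor on the RDP-Tcp connection. The following PowerShell script is an added diagnostic, not part of the thread, that dumps both so a misbehaving DC can be compared with a working one before anyone clicks Default or re-adds the group. It assumes PowerShell 2.0 or later, that it is run locally on the server with administrative rights, and that the well-known SID S-1-5-32-555 identifies BUILTIN\Remote Desktop Users.

```powershell
# Added diagnostic (not from the thread): show the RDP-Tcp DACL and the
# "Allow log on through Terminal Services" right as the server sees them.
# Assumes PowerShell 2.0+ and local administrative rights.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RduSid  = 'S-1-5-32-555'   # well-known SID of BUILTIN\Remote Desktop Users

function Get-RdpTcpAces {
    # Decode the binary "Security" value named in the answer into its DACL entries.
    $bytes = (Get-ItemProperty -Path $KeyPath -Name Security).Security
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        New-Object PSObject -Property @{
            Type       = $ace.AceType
            Sid        = $ace.SecurityIdentifier.Value
            AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
        }
    }
}

function Get-RemoteInteractiveLogonRight {
    # Export the effective user-rights assignment (local policy merged with GPO)
    # and return the SIDs holding SeRemoteInteractiveLogonRight.
    $cfg = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
    Remove-Item $cfg
    if ($line) {
        ($line -split '=')[1].Trim() -split ',' | ForEach-Object { $_.TrimStart('*') }
    }
}

$aces = Get-RdpTcpAces
$aces | Format-Table Type, Sid, AccessMask -AutoSize
if (-not ($aces | Where-Object { $_.Sid -eq $RduSid })) {
    Write-Warning 'Remote Desktop Users has no ACE on RDP-Tcp; compare with a working DC.'
}

$rights = Get-RemoteInteractiveLogonRight
"SeRemoteInteractiveLogonRight: $($rights -join ', ')"
if ($rights -notcontains $RduSid) {
    Write-Warning 'Remote Desktop Users lacks SeRemoteInteractiveLogonRight on this host.'
}
```

Run it on one DC that works and one that does not and diff the two outputs; a DACL that differs only in the binary value while the GUI shows identical entries is the "appears correct but behaves wrong" case the answer describes.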