Guest HMO Fallen Angel Posted July 12, 2007 Posted July 12, 2007 Hi eveybody, Before, we used to have a windows 2000 as our domain controller and it was the terminal server too, and we can RDC to this server. Then, we got a new server, installed win 2003 server 'migrated' our 2000 domain to a 2003 domain and right now they are co-existing. We did this because we need to move our application from the win 2000 server to the new 2003 server. Right now users are connecting to the 2000 server using using terminal server without any problems. I have already installed terminal server and its licenses on the new win 2003 server but when i try to connect using RDC i'm getting the error: "To log on this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop group or another group thas has this right, or if the Remote Desktop User group does not have this right, you must be grantes this right manually" I'm trying (on the win 2003 server) the local computer policy/computer configuration/ windows setting/ security settings/local policies/user rights assignment/ Allow log on terminal services and allow the Remote Desktop User group, but there is no Remote Desktop User group available. I tried then selecting a single user and allowing this option for this user and is still not working. What can be the problem? I don't have any problem connecting to the 2003 as an administrator. I need to make this work before we can dcpromo the win 2000 server and just keep the 2003 server Any help will be really appreciated. -- HMO Fallen Angel
Guest Vera Noest [MVP] Posted July 12, 2007 Posted July 12, 2007 Re: REMOTE DESKTOP CONNECTION So the 2003 server is a DC, correct? I assume that it is *not* recommended to run TS on a DC, for both performance and -most of all-security reasons. After all, by installing TS, you turn your DC into a multi-user workstation! Can't you demote the W2K server to a member server and then upgrade it to 2003? That would give you a 2003 domain with a dedicated TS, which is a much better environment. That said, you'll have to make your users members of the Domain Local built-in group Remote Desktop Users in AD and add that group to this setting in the Default Domain Controller Policy: Computer Configuration - Windows Settings - Security Settings - Local Policies - User rights Assignment "Allow log on through Terminal Services" _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= <HMOFallenAngel@discussions.microsoft.com> wrote on 12 jul 2007 in microsoft.public.windows.terminal_services: > Hi eveybody, > Before, we used to have a windows 2000 as our domain controller > and it was the terminal server too, and we can RDC to this > server. Then, we got a new server, installed win 2003 server > 'migrated' our 2000 domain to a 2003 domain and right now they > are co-existing. We did this because we need to move our > application from the win 2000 server to the new 2003 server. > Right now users are connecting to the 2000 server using using > terminal server without any problems. > I have already installed terminal server and its licenses on the > new win 2003 server but when i try to connect using RDC i'm > getting the error: > > "To log on this remote computer, you must be granted the Allow > log on through Terminal Services right. By default, members of > the Remote Desktop Users group have this right. If you are not a > member of the Remote Desktop group or another group thas has > this right, or if the Remote Desktop User group does not have > this right, you must be grantes this right manually" > > I'm trying (on the win 2003 server) the local computer > policy/computer configuration/ windows setting/ security > settings/local policies/user rights assignment/ Allow log on > terminal services and allow the Remote Desktop User group, but > there is no Remote Desktop User group available. I tried then > selecting a single user and allowing this option for this user > and is still not working. > > What can be the problem? I don't have any problem connecting to > the 2003 as an administrator. > > I need to make this work before we can dcpromo the win 2000 > server and just keep the 2003 server > > Any help will be really appreciated.
Guest HMO Fallen Angel Posted July 12, 2007 Posted July 12, 2007 Re: REMOTE DESKTOP CONNECTION thanks for your reply Vera, the main reason for having only 1 server is, of course, money. So, after we can move everything to the new one we'll see what we can do with the old 2000 server. About the Remote Desktop Users Group, my problem is that i don't have that group, or i can't see it on my Active Directory, or is there any trick to access this group? -- HMO Fallen Angel "Vera Noest [MVP]" wrote: > So the 2003 server is a DC, correct? > I assume that it is *not* recommended to run TS on a DC, for both > performance and -most of all-security reasons. After all, by > installing TS, you turn your DC into a multi-user workstation! > Can't you demote the W2K server to a member server and then upgrade > it to 2003? That would give you a 2003 domain with a dedicated TS, > which is a much better environment. > > That said, you'll have to make your users members of the Domain > Local built-in group Remote Desktop Users in AD and add that group to > this setting in the Default Domain Controller Policy: > Computer Configuration - Windows Settings - Security Settings - Local > Policies - User rights Assignment > "Allow log on through Terminal Services" > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= > <HMOFallenAngel@discussions.microsoft.com> wrote on 12 jul 2007 in > microsoft.public.windows.terminal_services: > > > Hi eveybody, > > Before, we used to have a windows 2000 as our domain controller > > and it was the terminal server too, and we can RDC to this > > server. Then, we got a new server, installed win 2003 server > > 'migrated' our 2000 domain to a 2003 domain and right now they > > are co-existing. We did this because we need to move our > > application from the win 2000 server to the new 2003 server. > > Right now users are connecting to the 2000 server using using > > terminal server without any problems. > > I have already installed terminal server and its licenses on the > > new win 2003 server but when i try to connect using RDC i'm > > getting the error: > > > > "To log on this remote computer, you must be granted the Allow > > log on through Terminal Services right. By default, members of > > the Remote Desktop Users group have this right. If you are not a > > member of the Remote Desktop group or another group thas has > > this right, or if the Remote Desktop User group does not have > > this right, you must be grantes this right manually" > > > > I'm trying (on the win 2003 server) the local computer > > policy/computer configuration/ windows setting/ security > > settings/local policies/user rights assignment/ Allow log on > > terminal services and allow the Remote Desktop User group, but > > there is no Remote Desktop User group available. I tried then > > selecting a single user and allowing this option for this user > > and is still not working. > > > > What can be the problem? I don't have any problem connecting to > > the 2003 as an administrator. > > > > I need to make this work before we can dcpromo the win 2000 > > server and just keep the 2003 server > > > > Any help will be really appreciated. >
Guest Vera Noest [MVP] Posted July 13, 2007 Posted July 13, 2007 Re: REMOTE DESKTOP CONNECTION Mmm, it should be there, at least after a fresh install of AD on a 2003 server. But maybe it's not created when the 2003 server is made a DC in an existing W2K AD. I've never done any of this myself, so no guarantees, but I guess that you could manually create a Domain Local security group "Terminal Server Users" and add that group to the user right assignment "Allow log on through Terminal Services" in the Default Domain Controller Policy. Note that I would *not* call this manually created group "Remote Desktop Users", to be able to distinguish it from the Builtin group. _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= <HMOFallenAngel@discussions.microsoft.com> wrote on 13 jul 2007 in microsoft.public.windows.terminal_services: > thanks for your reply Vera, > the main reason for having only 1 server is, of course, money. > So, after we can move everything to the new one we'll see what > we can do with the old 2000 server. > About the Remote Desktop Users Group, my problem is that i don't > have that group, or i can't see it on my Active Directory, or > is there any trick to access this group?
Guest HMO Fallen Angel Posted July 13, 2007 Posted July 13, 2007 Re: REMOTE DESKTOP CONNECTION ok should I do this using "net localgroup groupname /Add" ?? -- HMO Fallen Angel "Vera Noest [MVP]" wrote: > Mmm, it should be there, at least after a fresh install of AD on a > 2003 server. But maybe it's not created when the 2003 server is made > a DC in an existing W2K AD. > I've never done any of this myself, so no guarantees, but I guess > that you could manually create a Domain Local security group > "Terminal Server Users" and add that group to the user right > assignment "Allow log on through Terminal Services" in the Default > Domain Controller Policy. > > Note that I would *not* call this manually created group "Remote > Desktop Users", to be able to distinguish it from the Builtin group. > > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= > <HMOFallenAngel@discussions.microsoft.com> wrote on 13 jul 2007 in > microsoft.public.windows.terminal_services: > > > thanks for your reply Vera, > > the main reason for having only 1 server is, of course, money. > > So, after we can move everything to the new one we'll see what > > we can do with the old 2000 server. > > About the Remote Desktop Users Group, my problem is that i don't > > have that group, or i can't see it on my Active Directory, or > > is there any trick to access this group? >
Guest Vera Noest [MVP] Posted July 14, 2007 Posted July 14, 2007 Re: REMOTE DESKTOP CONNECTION I'd use the GUI of Active Directory Users and Computers in Administrative Tools. _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= <HMOFallenAngel@discussions.microsoft.com> wrote on 14 jul 2007 in microsoft.public.windows.terminal_services: > ok > should I do this using "net localgroup groupname /Add" ??
Guest HMO Fallen Angel Posted July 17, 2007 Posted July 17, 2007 Re: REMOTE DESKTOP CONNECTION Hi Vera, well, i was about to do this, but i remembered have seen 'terminal server users' group somewhere in my server. So, If i go to my AD and try adding users to a specific group, this 'terminal server users' groupo is NOT there. Then, I went to my policy editor to the computer configuration/windows serrings/security settings/local policies/user rights assigment/ and on the 'allow log on through terminal services properties' the "TERMINAL SERVER USER" group is already 'allowed' but I can't see this group on my AD. So i'm not sure if i have to create this group using the same name or what to do. Also, i tried and added a user directly on the 'allow log on through terminal services propierties' policy and i'm still unable to RDC using this user (should i be able to do it or not) Should I continue and create the 'terminal server user' group anyways? If so, the group is all capital letters on the policy setting, shoul i create it using all capitals too or it doesn't matter? -- HMO Fallen Angel "Vera Noest [MVP]" wrote: > I'd use the GUI of Active Directory Users and Computers in > Administrative Tools. > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= > <HMOFallenAngel@discussions.microsoft.com> wrote on 14 jul 2007 in > microsoft.public.windows.terminal_services: > > > ok > > should I do this using "net localgroup groupname /Add" ?? >
Guest Vera Noest [MVP] Posted July 17, 2007 Posted July 17, 2007 Re: REMOTE DESKTOP CONNECTION I hardly dare to give you any more advice, since your setup is completely unfamiliar to me. I've never performed an inplace upgrade of any OS, just to avoid problems like these. That said, I would create a group with a completely different name and then add that group to the Logon Locally user right policy. Recreating the TERMINAL SERVER USER group might work, but it's also possible that the recreated group gets another SID and would only add to the confusion. If it works with a freshly created group and you are sure that the TERMINAL SERVER USER doesn't exist, then you can delete it from the user right assignment policy. WARNING: before changing anything at all, make sure that you have a working backup! Note that you have to assign the user right in the Default Domain Controller Policy, not in the Default Domain Policy. You could try if this solves the porblem by first adding a single test user account to it. _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= <HMOFallenAngel@discussions.microsoft.com> wrote on 17 jul 2007 in microsoft.public.windows.terminal_services: > Hi Vera, > well, i was about to do this, but i remembered have seen > 'terminal server users' group somewhere in my server. > So, If i go to my AD and try adding users to a specific group, > this 'terminal server users' groupo is NOT there. > Then, I went to my policy editor to the computer > configuration/windows serrings/security settings/local > policies/user rights assigment/ and on the 'allow log on through > terminal services properties' the "TERMINAL SERVER USER" group > is already 'allowed' but I can't see this group on my AD. So i'm > not sure if i have to create this group using the same name or > what to do. Also, i tried and added a user directly on the > 'allow log on through terminal services propierties' policy and > i'm still unable to RDC using this user (should i be able to do > it or not) Should I continue and create the 'terminal server > user' group anyways? If so, the group is all capital letters on > the policy setting, shoul i create it using all capitals too or > it doesn't matter?
Guest HMO Fallen Angel Posted July 17, 2007 Posted July 17, 2007 Re: REMOTE DESKTOP CONNECTION I have to add the new group to the Logon Locally user right policy or to the allow log on through terminal services? -- HMO Fallen Angel "Vera Noest [MVP]" wrote: > I hardly dare to give you any more advice, since your setup is > completely unfamiliar to me. I've never performed an inplace > upgrade of any OS, just to avoid problems like these. > > That said, I would create a group with a completely different name > and then add that group to the Logon Locally user right policy. > Recreating the TERMINAL SERVER USER group might work, but it's also > possible that the recreated group gets another SID and would only > add to the confusion. If it works with a freshly created group and > you are sure that the TERMINAL SERVER USER doesn't exist, then you > can delete it from the user right assignment policy. > > WARNING: before changing anything at all, make sure that you have a > working backup! > > Note that you have to assign the user right in the Default Domain > Controller Policy, not in the Default Domain Policy. > You could try if this solves the porblem by first adding a single > test user account to it. > > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= > <HMOFallenAngel@discussions.microsoft.com> wrote on 17 jul 2007 in > microsoft.public.windows.terminal_services: > > > Hi Vera, > > well, i was about to do this, but i remembered have seen > > 'terminal server users' group somewhere in my server. > > So, If i go to my AD and try adding users to a specific group, > > this 'terminal server users' groupo is NOT there. > > Then, I went to my policy editor to the computer > > configuration/windows serrings/security settings/local > > policies/user rights assigment/ and on the 'allow log on through > > terminal services properties' the "TERMINAL SERVER USER" group > > is already 'allowed' but I can't see this group on my AD. So i'm > > not sure if i have to create this group using the same name or > > what to do. Also, i tried and added a user directly on the > > 'allow log on through terminal services propierties' policy and > > i'm still unable to RDC using this user (should i be able to do > > it or not) Should I continue and create the 'terminal server > > user' group anyways? If so, the group is all capital letters on > > the policy setting, shoul i create it using all capitals too or > > it doesn't matter? >
Guest Vera Noest [MVP] Posted July 18, 2007 Posted July 18, 2007 Re: REMOTE DESKTOP CONNECTION Sorry, I mixed your post up with someone else who has a W2K DC as TS. In your case, it should be allow log on through terminal services. _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= <HMOFallenAngel@discussions.microsoft.com> wrote on 18 jul 2007 in microsoft.public.windows.terminal_services: > I have to add the new group to the Logon Locally user right > policy or to the allow log on through terminal services?
Guest HMO Fallen Angel Posted July 19, 2007 Posted July 19, 2007 Re: REMOTE DESKTOP CONNECTION should i create the group under 'Builtin' or at the same level of builtin, computers, users?? -- HMO Fallen Angel "Vera Noest [MVP]" wrote: > Sorry, I mixed your post up with someone else who has a W2K DC as TS. > In your case, it should be allow log on through terminal services. > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= > <HMOFallenAngel@discussions.microsoft.com> wrote on 18 jul 2007 in > microsoft.public.windows.terminal_services: > > > I have to add the new group to the Logon Locally user right > > policy or to the allow log on through terminal services? >
Guest HMO Fallen Angel Posted July 19, 2007 Posted July 19, 2007 Re: REMOTE DESKTOP CONNECTION Should i create this group under 'builtin' or at the same level than builtin, computers, users ??? -- HMO Fallen Angel "Vera Noest [MVP]" wrote: > Sorry, I mixed your post up with someone else who has a W2K DC as TS. > In your case, it should be allow log on through terminal services. > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= > <HMOFallenAngel@discussions.microsoft.com> wrote on 18 jul 2007 in > microsoft.public.windows.terminal_services: > > > I have to add the new group to the Logon Locally user right > > policy or to the allow log on through terminal services? >
Guest Vera Noest [MVP] Posted July 20, 2007 Posted July 20, 2007 Re: REMOTE DESKTOP CONNECTION Technically, I assume that it doesn't matter. But since the name of the preconfigured OU is "Builtin", that would be the only OU where I would *not* create it. _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= <HMOFallenAngel@discussions.microsoft.com> wrote on 20 jul 2007 in microsoft.public.windows.terminal_services: > should i create the group under 'Builtin' or at the same level > of builtin, computers, users??
Guest HMO Fallen Angel Posted July 23, 2007 Posted July 23, 2007 Re: REMOTE DESKTOP CONNECTION You are right, it doesn't matter. It doesn't work in anyways any other idea? -- HMO Fallen Angel "Vera Noest [MVP]" wrote: > Technically, I assume that it doesn't matter. > But since the name of the preconfigured OU is "Builtin", that would > be the only OU where I would *not* create it. > > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= > <HMOFallenAngel@discussions.microsoft.com> wrote on 20 jul 2007 in > microsoft.public.windows.terminal_services: > > > should i create the group under 'Builtin' or at the same level > > of builtin, computers, users?? >
Guest Vera Noest [MVP] Posted July 23, 2007 Posted July 23, 2007 Re: REMOTE DESKTOP CONNECTION I'm sorry, no. As I said before, I don't dare to say anything more, since I don't understand what's going on. I would call Microsoft Support, or start from scratch, creating a completely new 2003 forest. _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= <HMOFallenAngel@discussions.microsoft.com> wrote on 23 jul 2007 in microsoft.public.windows.terminal_services: > You are right, it doesn't matter. It doesn't work in anyways > any other idea?
Guest HMO Fallen Angel Posted July 24, 2007 Posted July 24, 2007 Re: REMOTE DESKTOP CONNECTION I guess i'll have to do that. thanks so much for your help -- HMO Fallen Angel "Vera Noest [MVP]" wrote: > I'm sorry, no. As I said before, I don't dare to say anything more, > since I don't understand what's going on. > I would call Microsoft Support, or start from scratch, creating a > completely new 2003 forest. > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= > <HMOFallenAngel@discussions.microsoft.com> wrote on 23 jul 2007 in > microsoft.public.windows.terminal_services: > > > You are right, it doesn't matter. It doesn't work in anyways > > any other idea? > >
Guest HMO Fallen Angel Posted July 24, 2007 Posted July 24, 2007 Re: REMOTE DESKTOP CONNECTION One more question. Even if i don't have the remote desktop user group, I tried adding a regular user directly to the allow connecting through terminal services entry and it doesn't work either. should this be part of the same 'migration' thing -- HMO Fallen Angel "HMO Fallen Angel" wrote: > I guess i'll have to do that. > thanks so much for your help > -- > HMO Fallen Angel > > > "Vera Noest [MVP]" wrote: > > > I'm sorry, no. As I said before, I don't dare to say anything more, > > since I don't understand what's going on. > > I would call Microsoft Support, or start from scratch, creating a > > completely new 2003 forest. > > _________________________________________________________ > > Vera Noest > > MCSE, CCEA, Microsoft MVP - Terminal Server > > TS troubleshooting: http://ts.veranoest.net > > ___ please respond in newsgroup, NOT by private email ___ > > > > =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= > > <HMOFallenAngel@discussions.microsoft.com> wrote on 23 jul 2007 in > > microsoft.public.windows.terminal_services: > > > > > You are right, it doesn't matter. It doesn't work in anyways > > > any other idea? > > > >
Guest Vera Noest [MVP] Posted July 24, 2007 Posted July 24, 2007 Re: REMOTE DESKTOP CONNECTION Assuming that the user also has at least "User" permissions on the rdp-tcp connection, that should work, yes. But I've got the feeling that the issue is bigger than just the missing "Remote Desktop Users" group. Otherwise we would have solved the problem by now. That's why I personally would start from scratch. _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= <HMOFallenAngel@discussions.microsoft.com> wrote on 24 jul 2007 in microsoft.public.windows.terminal_services: > One more question. > Even if i don't have the remote desktop user group, I tried > adding a regular user directly to the allow connecting through > terminal services entry and it doesn't work either. should this > be part of the same 'migration' thing
Guest HMO Fallen Angel Posted July 24, 2007 Posted July 24, 2007 Re: REMOTE DESKTOP CONNECTION I tried adding 'users' to the permissions on rdp-tcp and that worked. it's connecting to the terminal server and opening my application. I'm having now another problem which i dont' know if that's part of the application or of terminal server. If i log either as administrator or regular user, i open the application enter my sign in information and can work in it, and when i close the application, it never closes, the screen only goes blue and i have to disconnect the session. do you think this is part of terminal server or the application. -- HMO Fallen Angel "Vera Noest [MVP]" wrote: > Assuming that the user also has at least "User" permissions on the > rdp-tcp connection, that should work, yes. > But I've got the feeling that the issue is bigger than just the > missing "Remote Desktop Users" group. > Otherwise we would have solved the problem by now. That's why I > personally would start from scratch. > > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= > <HMOFallenAngel@discussions.microsoft.com> wrote on 24 jul 2007 in > microsoft.public.windows.terminal_services: > > > One more question. > > Even if i don't have the remote desktop user group, I tried > > adding a regular user directly to the allow connecting through > > terminal services entry and it doesn't work either. should this > > be part of the same 'migration' thing >
Guest Vera Noest [MVP] Posted July 24, 2007 Posted July 24, 2007 Re: REMOTE DESKTOP CONNECTION OK, I believed that we had covered the rdp-tcp permissions a long time ago in this multi-part story :-) But I'm glad that you can make the connections now. About your next problem: From: http://ts.veranoest.net/ts_faq_applications.htm#logoffsession Q: User sessions don't logoff when users quit their starting or published application A: If you define a Starting application, either in Terminal Services Configuration, a GPO or in the RDP client, the session should be automatically logged off when users quit the application. Sometimes, this doesn't happen and users are left with a session which only shows the desktop background, without the possibility to log off the session manually. The cause for this problem is a process which is still running in the session, preventing it from closing and logging off. The same can happen after quitting a Citrix published application. To solve the problem, open a connection to the Terminal Server and check in Task manager which process is keeping the session from closing. Some anti-virus applications are known to cause this behaviour. If you can't avoid running the process, you can use a work-around to log off user sessions. Create a batch file, containing something like this: cd <path_to_application> start /wait <application_executable> logoff Now define this batch file as the starting application. Or use the following vb script (courtesy of Steven Bendis) to launch your application, and define the vb script as the starting application. Dim objWshShell, objExec, strAppExe strAppExe = "<path_to_application>\<application_executable>" Set objWshShell = CreateObject("WScript.Shell") Set objExec = objWshShell.Exec(strAppExe) Do While objExec.Status = 0 WScript.Sleep 500 Loop Set objExec = objWshSHell.Exec("logoff") For a different solution to the problem, and a list of known processes which cause this behaviour, check: CTX891671 - Graceful Logoff from a Published Application Keeps Sessions in Active State http://support.citrix.com/article/CTX891671 _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?SE1PIEZhbGxlbiBBbmdlbA==?= <HMOFallenAngel@discussions.microsoft.com> wrote on 24 jul 2007 in microsoft.public.windows.terminal_services: > I tried adding 'users' to the permissions on rdp-tcp and that > worked. it's connecting to the terminal server and opening my > application. I'm having now another problem which i dont' know > if that's part of the application or of terminal server. > If i log either as administrator or regular user, i open the > application enter my sign in information and can work in it, and > when i close the application, it never closes, the screen only > goes blue and i have to disconnect the session. > do you think this is part of terminal server or the application.
Recommended Posts