Only Administrators can log in?

[Guest Dearg O''Bartuin]

Hello all,

 

I have an unusual case. I recently took over the support of A TS environment

for a client.

On this network only those in the administrators group can log in using TS.

I have checked all group policies and in turn disabled all apart from the

default domain policy and made sure log on using Terminal Server was enabled

with the remote desktop users group.

 

Is there a way of completely disabling all group policies and starting again

without deleting these policies allowing me to return back if any problems

arise?

 

My ideal situation would be to have two groups

 

1. Administrators

2. Users

 

I would like administrators & all users to be allowed access via terminal

services. However i would like to apply separate permissions to each group

where administrators have access to the control panel, run command etc etc.

 

If i can work out how to fix the existing problems and allow remote desktop

connection group to log in i should be fine with the rest.

 

Thank you,

--

Tricky

--

Tricky

[Guest Vera Noest [MVP]]

Re: Only Administrators can log in?

 

Which OS is the Terminal Server running?

What is the exact error message that normal users get when they try

to log on?

Is the TS a member server in the domain, or is it running on a

Domain Controller?

Assuming that the TS runs 2003, have you made sure that the users

are member of the *local* Remote Desktop Users group on the TS?

Also make sure that the "Allow logon to Terminal Server" checkbox

is checked in the properties of the user account in AD, and verify

the permissions on the rdp-tcp connection, in Terminal Services

Configuration.

 

Regarding the Group Policies: check first which GPO are applied to

the TS and normal users, by using the Resultant Set of Polcies

(RSoP). The, in the applied GPOs, check for the setting under:

 

Computer Configuration - Windows Settings - Security Settings -

Local Policies - User rights Assignment

"Allow log on through Terminal Services"

 

You can temporarily disable all GPOs on the TS by placing the TS in

a separate OU (that's recomneded anyway, and needed later on) and

then block inheritance of all GPOs on that OU.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?RGVhcmcgTycnQmFydHVpbg==?=

<DeargOBartuin@discussions.microsoft.com> wrote on 26 nov 2007 in

microsoft.public.windows.terminal_services:

> Hello all,

>

> I have an unusual case. I recently took over the support of A TS

> environment for a client.

> On this network only those in the administrators group can log

> in using TS. I have checked all group policies and in turn

> disabled all apart from the default domain policy and made sure

> log on using Terminal Server was enabled with the remote desktop

> users group.

>

> Is there a way of completely disabling all group policies and

> starting again without deleting these policies allowing me to

> return back if any problems arise?

>

> My ideal situation would be to have two groups

>

> 1. Administrators

> 2. Users

>

> I would like administrators & all users to be allowed access via

> terminal services. However i would like to apply separate

> permissions to each group where administrators have access to

> the control panel, run command etc etc.

>

> If i can work out how to fix the existing problems and allow

> remote desktop connection group to log in i should be fine with

> the rest.

>

> Thank you,