Terminal Server Users Can't log in

We have started having a problem with our Terminal Server. It was in service
for about a year and worked correctly. Last week after some Windows Updates
and a Registry Edit that was intended to fix a problem with Great Plains the
users started reporting that they could not log in. All of the Administrator
group uses could log in but no one else. The users are set up with
permissions in Active Directory on the Terminal Server tab in Active
Directory for the ones that should have access. The server and domain
controller are both Windows 2003 servers.

I tried to restore the server using a Windows ASR backup but after it
formated the hard drive it said it could not read the backup file. Because
we wanted to restore it with the same name and IP I deleted the server from
AD. I rebuilt the server and did a full reinstall of Windows server, made it
a Terminal Server and set up everything as it had been. This time I did put
the liscensing server on the domain controller instead of the terminal
server so that when I get time I can add a backup Terminal Server.

The user still could not log in. I checked everything in the Group Policy
and it looks OK. The users get a message that they are not allowed to log in
because they don't have premissions. The allow users to log in remotely is
set on both the local and domain group policy but it does not seem to work.

If I go into the Terminal Server Configuration and add a user they can then
log in OK. How do I get Terminal Server to talk to Active Directory for it's
info again? Did I lose something when I deleted the server from Active
Directory?

hi,
add the AD users or AD group of users to local Remote Desktop Users.
--
Dragos CAMARA
MCSA Windows 2003 server


"Bill Cart" wrote:

> We have started having a problem with our Terminal Server. It was in service
> for about a year and worked correctly. Last week after some Windows Updates
> and a Registry Edit that was intended to fix a problem with Great Plains the
> users started reporting that they could not log in. All of the Administrator
> group uses could log in but no one else. The users are set up with
> permissions in Active Directory on the Terminal Server tab in Active
> Directory for the ones that should have access. The server and domain
> controller are both Windows 2003 servers.
>
> I tried to restore the server using a Windows ASR backup but after it
> formated the hard drive it said it could not read the backup file. Because
> we wanted to restore it with the same name and IP I deleted the server from
> AD. I rebuilt the server and did a full reinstall of Windows server, made it
> a Terminal Server and set up everything as it had been. This time I did put
> the liscensing server on the domain controller instead of the terminal
> server so that when I get time I can add a backup Terminal Server.
>
> The user still could not log in. I checked everything in the Group Policy
> and it looks OK. The users get a message that they are not allowed to log in
> because they don't have premissions. The allow users to log in remotely is
> set on both the local and domain group policy but it does not seem to work.
>
> If I go into the Terminal Server Configuration and add a user they can then
> log in OK. How do I get Terminal Server to talk to Active Directory for it's
> info again? Did I lose something when I deleted the server from Active
> Directory?
>
>
>

We have not been doing it with groups. We have been using the Terminal
Server profile tab in the user AD properties. This worked OK before. That
way if the user is a manager or supervisor we give them rights when we
create their profile and we don't have to remember to add them to another
group.

I tried adding a test user to the Remote Desktop Users group in AD on the
domain controller (which already has TS permissions on the local server by
default) but the account could still not access the terminal server until I
added the user to the local TS permissions. It almost acts as if this
computer is not seeing all of the AD permissions.

I can go into mmc and see that this server is inheriting the domain AD
settings for password length, etc so I don't understand why it will not
honor the users profile settings.

Our Windows Update Server recently "upgraded" us to the new version of
Remote Desktop client and it always shows a default of the local server
(e.g. server\username) instead of just the domain. Is there a problem with
this new version? In testing I have been using domain\username but it does
not help.

In what may be a related problem if I try (as administrator) to copy a file
to a shared directory on this server I get an Access Denied error message.

"Dragos CAMARA" <(E-Mail Removed)> wrote in message
news:5E3B22D1-F6FD-4737-AA73-(E-Mail Removed)...
> hi,
> add the AD users or AD group of users to local Remote Desktop Users.
> --
> Dragos CAMARA
> MCSA Windows 2003 server
>
>
> "Bill Cart" wrote:
>
>> We have started having a problem with our Terminal Server. It was in
>> service
>> for about a year and worked correctly. Last week after some Windows
>> Updates
>> and a Registry Edit that was intended to fix a problem with Great Plains
>> the
>> users started reporting that they could not log in. All of the
>> Administrator
>> group uses could log in but no one else. The users are set up with
>> permissions in Active Directory on the Terminal Server tab in Active
>> Directory for the ones that should have access. The server and domain
>> controller are both Windows 2003 servers.
>>
>> I tried to restore the server using a Windows ASR backup but after it
>> formated the hard drive it said it could not read the backup file.
>> Because
>> we wanted to restore it with the same name and IP I deleted the server
>> from
>> AD. I rebuilt the server and did a full reinstall of Windows server, made
>> it
>> a Terminal Server and set up everything as it had been. This time I did
>> put
>> the liscensing server on the domain controller instead of the terminal
>> server so that when I get time I can add a backup Terminal Server.
>>
>> The user still could not log in. I checked everything in the Group Policy
>> and it looks OK. The users get a message that they are not allowed to log
>> in
>> because they don't have premissions. The allow users to log in remotely
>> is
>> set on both the local and domain group policy but it does not seem to
>> work.
>>
>> If I go into the Terminal Server Configuration and add a user they can
>> then
>> log in OK. How do I get Terminal Server to talk to Active Directory for
>> it's
>> info again? Did I lose something when I deleted the server from Active
>> Directory?
>>
>>
>>

hi,
Remote Desktop Users from AD dosen't have by default rights to logon through
terminal server on TS member server, that group is used for DC wich have
terminal services installed.
You can use local group Remote Desktop Users of TS member server, or create
another group on AD and add that to local group, or create a GPO and link to
OU where that TS reside and add on allow logi throught Terminal services that
group (computer configuration->security settings->local policies->user rights
assignement).
The TS profile tab on AD user is intended for what profile to load when a
user is logon on TS, not for the rights to login on TS.
--
Dragos CAMARA
MCSA Windows 2003 server


"Bill Cart" wrote:

> We have not been doing it with groups. We have been using the Terminal
> Server profile tab in the user AD properties. This worked OK before. That
> way if the user is a manager or supervisor we give them rights when we
> create their profile and we don't have to remember to add them to another
> group.
>
> I tried adding a test user to the Remote Desktop Users group in AD on the
> domain controller (which already has TS permissions on the local server by
> default) but the account could still not access the terminal server until I
> added the user to the local TS permissions. It almost acts as if this
> computer is not seeing all of the AD permissions.
>
> I can go into mmc and see that this server is inheriting the domain AD
> settings for password length, etc so I don't understand why it will not
> honor the users profile settings.
>
> Our Windows Update Server recently "upgraded" us to the new version of
> Remote Desktop client and it always shows a default of the local server
> (e.g. server\username) instead of just the domain. Is there a problem with
> this new version? In testing I have been using domain\username but it does
> not help.
>
> In what may be a related problem if I try (as administrator) to copy a file
> to a shared directory on this server I get an Access Denied error message.
>
> "Dragos CAMARA" <(E-Mail Removed)> wrote in message
> news:5E3B22D1-F6FD-4737-AA73-(E-Mail Removed)...
> > hi,
> > add the AD users or AD group of users to local Remote Desktop Users.
> > --
> > Dragos CAMARA
> > MCSA Windows 2003 server
> >
> >
> > "Bill Cart" wrote:
> >
> >> We have started having a problem with our Terminal Server. It was in
> >> service
> >> for about a year and worked correctly. Last week after some Windows
> >> Updates
> >> and a Registry Edit that was intended to fix a problem with Great Plains
> >> the
> >> users started reporting that they could not log in. All of the
> >> Administrator
> >> group uses could log in but no one else. The users are set up with
> >> permissions in Active Directory on the Terminal Server tab in Active
> >> Directory for the ones that should have access. The server and domain
> >> controller are both Windows 2003 servers.
> >>
> >> I tried to restore the server using a Windows ASR backup but after it
> >> formated the hard drive it said it could not read the backup file.
> >> Because
> >> we wanted to restore it with the same name and IP I deleted the server
> >> from
> >> AD. I rebuilt the server and did a full reinstall of Windows server, made
> >> it
> >> a Terminal Server and set up everything as it had been. This time I did
> >> put
> >> the liscensing server on the domain controller instead of the terminal
> >> server so that when I get time I can add a backup Terminal Server.
> >>
> >> The user still could not log in. I checked everything in the Group Policy
> >> and it looks OK. The users get a message that they are not allowed to log
> >> in
> >> because they don't have premissions. The allow users to log in remotely
> >> is
> >> set on both the local and domain group policy but it does not seem to
> >> work.
> >>
> >> If I go into the Terminal Server Configuration and add a user they can
> >> then
> >> log in OK. How do I get Terminal Server to talk to Active Directory for
> >> it's
> >> info again? Did I lose something when I deleted the server from Active
> >> Directory?
> >>
> >>
> >>
>
>
>

The TS profile tab in AD has a checkbox on the bottom that says "Allow login
to Terminal Server".

I did add my test user to the Remote Desktop Users group and they still
can't logon.

"Dragos CAMARA" <(E-Mail Removed)> wrote in message
news:1C141736-DEFC-44B4-A848-(E-Mail Removed)...
> hi,
> Remote Desktop Users from AD dosen't have by default rights to logon
> through
> terminal server on TS member server, that group is used for DC wich have
> terminal services installed.
> You can use local group Remote Desktop Users of TS member server, or
> create
> another group on AD and add that to local group, or create a GPO and link
> to
> OU where that TS reside and add on allow logi throught Terminal services
> that
> group (computer configuration->security settings->local policies->user
> rights
> assignement).
> The TS profile tab on AD user is intended for what profile to load when a
> user is logon on TS, not for the rights to login on TS.
> --
> Dragos CAMARA
> MCSA Windows 2003 server
>
>
> "Bill Cart" wrote:
>
>> We have not been doing it with groups. We have been using the Terminal
>> Server profile tab in the user AD properties. This worked OK before. That
>> way if the user is a manager or supervisor we give them rights when we
>> create their profile and we don't have to remember to add them to another
>> group.
>>
>> I tried adding a test user to the Remote Desktop Users group in AD on the
>> domain controller (which already has TS permissions on the local server
>> by
>> default) but the account could still not access the terminal server until
>> I
>> added the user to the local TS permissions. It almost acts as if this
>> computer is not seeing all of the AD permissions.
>>
>> I can go into mmc and see that this server is inheriting the domain AD
>> settings for password length, etc so I don't understand why it will not
>> honor the users profile settings.
>>
>> Our Windows Update Server recently "upgraded" us to the new version of
>> Remote Desktop client and it always shows a default of the local server
>> (e.g. server\username) instead of just the domain. Is there a problem
>> with
>> this new version? In testing I have been using domain\username but it
>> does
>> not help.
>>
>> In what may be a related problem if I try (as administrator) to copy a
>> file
>> to a shared directory on this server I get an Access Denied error
>> message.
>>
>> "Dragos CAMARA" <(E-Mail Removed)> wrote in message
>> news:5E3B22D1-F6FD-4737-AA73-(E-Mail Removed)...
>> > hi,
>> > add the AD users or AD group of users to local Remote Desktop Users.
>> > --
>> > Dragos CAMARA
>> > MCSA Windows 2003 server
>> >
>> >
>> > "Bill Cart" wrote:
>> >
>> >> We have started having a problem with our Terminal Server. It was in
>> >> service
>> >> for about a year and worked correctly. Last week after some Windows
>> >> Updates
>> >> and a Registry Edit that was intended to fix a problem with Great
>> >> Plains
>> >> the
>> >> users started reporting that they could not log in. All of the
>> >> Administrator
>> >> group uses could log in but no one else. The users are set up with
>> >> permissions in Active Directory on the Terminal Server tab in Active
>> >> Directory for the ones that should have access. The server and domain
>> >> controller are both Windows 2003 servers.
>> >>
>> >> I tried to restore the server using a Windows ASR backup but after it
>> >> formated the hard drive it said it could not read the backup file.
>> >> Because
>> >> we wanted to restore it with the same name and IP I deleted the server
>> >> from
>> >> AD. I rebuilt the server and did a full reinstall of Windows server,
>> >> made
>> >> it
>> >> a Terminal Server and set up everything as it had been. This time I
>> >> did
>> >> put
>> >> the liscensing server on the domain controller instead of the terminal
>> >> server so that when I get time I can add a backup Terminal Server.
>> >>
>> >> The user still could not log in. I checked everything in the Group
>> >> Policy
>> >> and it looks OK. The users get a message that they are not allowed to
>> >> log
>> >> in
>> >> because they don't have premissions. The allow users to log in
>> >> remotely
>> >> is
>> >> set on both the local and domain group policy but it does not seem to
>> >> work.
>> >>
>> >> If I go into the Terminal Server Configuration and add a user they can
>> >> then
>> >> log in OK. How do I get Terminal Server to talk to Active Directory
>> >> for
>> >> it's
>> >> info again? Did I lose something when I deleted the server from Active
>> >> Directory?
>> >>
>> >>
>> >>
>>
>>
>>

hi,
go to Terminal Server Configuration RDP-TCP permisions and check if local
Remote Desktop users have permisions to connect.
If you uncheck Allow login through to terminal services then the user will
can't logon, but the check dosen't assure you that user will have this rights.
--
Dragos CAMARA
MCSA Windows 2003 server


"Bill Cart" wrote:

> The TS profile tab in AD has a checkbox on the bottom that says "Allow login
> to Terminal Server".
>
> I did add my test user to the Remote Desktop Users group and they still
> can't logon.
>
> "Dragos CAMARA" <(E-Mail Removed)> wrote in message
> news:1C141736-DEFC-44B4-A848-(E-Mail Removed)...
> > hi,
> > Remote Desktop Users from AD dosen't have by default rights to logon
> > through
> > terminal server on TS member server, that group is used for DC wich have
> > terminal services installed.
> > You can use local group Remote Desktop Users of TS member server, or
> > create
> > another group on AD and add that to local group, or create a GPO and link
> > to
> > OU where that TS reside and add on allow logi throught Terminal services
> > that
> > group (computer configuration->security settings->local policies->user
> > rights
> > assignement).
> > The TS profile tab on AD user is intended for what profile to load when a
> > user is logon on TS, not for the rights to login on TS.
> > --
> > Dragos CAMARA
> > MCSA Windows 2003 server
> >
> >
> > "Bill Cart" wrote:
> >
> >> We have not been doing it with groups. We have been using the Terminal
> >> Server profile tab in the user AD properties. This worked OK before. That
> >> way if the user is a manager or supervisor we give them rights when we
> >> create their profile and we don't have to remember to add them to another
> >> group.
> >>
> >> I tried adding a test user to the Remote Desktop Users group in AD on the
> >> domain controller (which already has TS permissions on the local server
> >> by
> >> default) but the account could still not access the terminal server until
> >> I
> >> added the user to the local TS permissions. It almost acts as if this
> >> computer is not seeing all of the AD permissions.
> >>
> >> I can go into mmc and see that this server is inheriting the domain AD
> >> settings for password length, etc so I don't understand why it will not
> >> honor the users profile settings.
> >>
> >> Our Windows Update Server recently "upgraded" us to the new version of
> >> Remote Desktop client and it always shows a default of the local server
> >> (e.g. server\username) instead of just the domain. Is there a problem
> >> with
> >> this new version? In testing I have been using domain\username but it
> >> does
> >> not help.
> >>
> >> In what may be a related problem if I try (as administrator) to copy a
> >> file
> >> to a shared directory on this server I get an Access Denied error
> >> message.
> >>
> >> "Dragos CAMARA" <(E-Mail Removed)> wrote in message
> >> news:5E3B22D1-F6FD-4737-AA73-(E-Mail Removed)...
> >> > hi,
> >> > add the AD users or AD group of users to local Remote Desktop Users.
> >> > --
> >> > Dragos CAMARA
> >> > MCSA Windows 2003 server
> >> >
> >> >
> >> > "Bill Cart" wrote:
> >> >
> >> >> We have started having a problem with our Terminal Server. It was in
> >> >> service
> >> >> for about a year and worked correctly. Last week after some Windows
> >> >> Updates
> >> >> and a Registry Edit that was intended to fix a problem with Great
> >> >> Plains
> >> >> the
> >> >> users started reporting that they could not log in. All of the
> >> >> Administrator
> >> >> group uses could log in but no one else. The users are set up with
> >> >> permissions in Active Directory on the Terminal Server tab in Active
> >> >> Directory for the ones that should have access. The server and domain
> >> >> controller are both Windows 2003 servers.
> >> >>
> >> >> I tried to restore the server using a Windows ASR backup but after it
> >> >> formated the hard drive it said it could not read the backup file.
> >> >> Because
> >> >> we wanted to restore it with the same name and IP I deleted the server
> >> >> from
> >> >> AD. I rebuilt the server and did a full reinstall of Windows server,
> >> >> made
> >> >> it
> >> >> a Terminal Server and set up everything as it had been. This time I
> >> >> did
> >> >> put
> >> >> the liscensing server on the domain controller instead of the terminal
> >> >> server so that when I get time I can add a backup Terminal Server.
> >> >>
> >> >> The user still could not log in. I checked everything in the Group
> >> >> Policy
> >> >> and it looks OK. The users get a message that they are not allowed to
> >> >> log
> >> >> in
> >> >> because they don't have premissions. The allow users to log in
> >> >> remotely
> >> >> is
> >> >> set on both the local and domain group policy but it does not seem to
> >> >> work.
> >> >>
> >> >> If I go into the Terminal Server Configuration and add a user they can
> >> >> then
> >> >> log in OK. How do I get Terminal Server to talk to Active Directory
> >> >> for
> >> >> it's
> >> >> info again? Did I lose something when I deleted the server from Active
> >> >> Directory?
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>