Terminal Services Logon

Gav0

Ive just installed TS on a windows 2003 server for use in TS Server mode. but when i try to connect remotley i get the message "to log onto this remote computer you must have terminal server access permissions on this computer"

I'm trying to connect using the Local Admin account but i added it to the Remote Desktop Users group anyway to no avail. When i create new local users and try to connect and logon i get the same error even though i added them to the RDU group too.

ive checked the local security policy on the machine and Administrators and Remote desktop Users both have rights to logon using terminal services.

can anyone help with this at all?

before i installed TS the local admin account could connect using remote administration mode with no problems. then i installed TS server mode and straight after trhe reboot it wouldnt let me log on,

any help would be appreciated, thanks

eurotrash

Is this a domain?

Gav0

Yes but its a member server not a DC

I'm not aware of any Domain policies that ive set that could be causing this thogh

Webmaster

and/or did you install TS on a domain controller?

support.microsoft.com:80/support/kb/articles/Q247/9/89.ASP&NoWebContent=1

www.microsoft.com/windowsserver2003/community/centers/terminal/terminal_faq.mspx

Webmaster

<---needs more caffeine...

eurotrash

You might want to try running an RSoP on the server and user, just to see if there are any problems in the policies (look in the User Rights Assignment in Comp Config).

eurotrash

Also go and check your user's properties, check the Terminal Services Profile tab and make sure that Allow logon to terminal server is checked.

Gav0

No i havent installed TS on a domain controller - do i need to?

I will run RSOP and see what i get, thanks

Webmaster

Was this the complete error message: "To log on to this remote computer, you must have Terminal Server User Access Permissions on this computer. By default, members of the Remote Desktop group have these permissions. If you are not a member of the Remote Desktop Users group or another group that has these permissions, or if the Remote Desktop User group does not have these permissions, you must be granted these permissions manually."

No i havent installed TS on a domain controller - do i need to?

No, if you had it would need additional configuration, but you didn't so ignore my first reply, I hadn't read yours yet when I posted that.

Gav0

yes that was the full message.

Rsop didnt show any restrictions in Admin templates/windows components/terminal services nor in user rights assignments but i checked event viewer and it had an entry stating that 'the grace period has expired'. it is possible that i have previously installed TS on another server on the domain.

my understanding was that the 120 day count down started when the server issued its 1st temp license.

could it be that it has detected that another server on the domain has used up all the grace period? if so i'd expect a different error message wouldnt you?

eurotrash

_omni_ wrote:

Also go and check your user's properties, check the Terminal Services Profile tab and make sure that Allow logon to terminal server is checked.

Did you check that?

Gav0

Sorry yes id did check that. I'm trying to logon as local admin so under the TS Profile tab the option 'deny tis user permissions to log onto any terminal server' is unchecked.

as well as the error in event viewer about the grace period expiring, when ever i try to log on a warning is entered into event view that 'a license server could not be contacted'.

it seems to suggest that this may be a license issue but this is the 1st time TS has been installed on this box (its a new build) and i specified 'I will contact a license server within 120 days' option during set-up!

I have just done exactly the same on an old pc with 2003 on in a workgroup and it works as expected.

wierd Huh?

eurotrash

Check Terminal Services Configuration (mmc) for any problems and play with the settings.

And is the account you are using to log on a member of Domain Admins?

(Obviously if it is a licensing issue, nothing will work short of uninstalling TS, which is what I did on my comp when the trial ran out).

Danman32

Was TS installed so that the terminal server operates as a TS application server, or is TS being used strictly for remote administration, which is really remote desktop with only 2 user access restricted to admins both by policy and by security permissions to the RDP-TCP?

When TS is installed to operate in Application mode, proper rights are assigned to the appropriate groups, and proper permissions are set to RCP-TCP so that users can access the connection to log in. In this case, you may have to add the users to the proper groups.

When TS is not installed, the RDP is still installed, but the permissions are configured that only admins have access to the connection (RDP-TCP) as well as permission to actually log in through TS. Remote Desktop checkbox has to be checked as well for this to work.

From your error message, it seems the problem is with RDP-TCP permissions. Through Administrative Tools, go to the Terminal Services Configuration console, go to the properties of the RDP-TCP connection, select the Permissions tab, and verify the proper security principles have permission to at least user access.

Usually if the problem is the 'access to server through TS' right, the error is 'you do not have permission to log in interactively'. With W2K, you needed log on locally rights for TS. In W2K3 the right to the server through TS was separated from access locally, but the client still reports it the same way.

Danman32

Oh, one other area to check: # of allowed concurrent connections. This is checked through Network Adapter tab of same dialog. in remote admin licensing mode, only 2 are allowed max. I think though if this were the problem, you would get a different logon error.

Also check the TS license setting by selecting the server node in the same console. If TS was not installed, only Remote Admin is available.

agustinchernitsky

Okey... If it is a member server and you are not using a domain admin or local admin, add the user to the Remote desktop users grp.

This grp must have the "allow logon thru Termina services" perms.

And also check the usr is allowed to logon thru TSR on the user properties.

If you installed the licensing server, and a 120 day period has passed, just remove the TSR components and use only the administration mode... if you need to use as an app server, you will need to purchase the licenses.

usrhlp

This is quite an easy fix at least for me anyway.

After creating your Terminal Services Server and License Server add all the relevant users to the REMOTE DESKTOP users group.

Now go to the following location

START -> PROGRAMS -> Administrative Tools -> DOMAIN CONTROLLER SECURITY POLICY

Open Security Settings
Open User Rights Assignment
Open Allow log on through terminal services

Put a tick in Define these policy settings
Add REMOTE DESKTOP USERS

Press APPLY then OK (if you are as **** as me!)

You should now have the local security policy showing remote desktop users in allow log on through terminal services.

Now click START -> RUN

type CMD

and type

GPUPDATE

wait for group policy to refresh and reapply the new local security settings.

Now try logging onto the terminal server using the user you gave REMOTE DESKTOP access to and all things should work fine.

I feel this is a stupid bug within windows (and we expected bug free windows??) that does NOT update the local security policy of the Terminal Server.

I believe this will answer your question, it certainly did mine when I had this exact error two hours ago.

Usrhlp

kaur812

Have you changed system time/date lately, if you did Windows may think that you are trying to get over this 120 day trial period and does not let you log into terminal server any more.