What am I doing wrong? Teminal Services help

vinbuckvinbuck Member Posts: 785
I'm trying to complete exercise 3 in Ch 2 lesson 5 of the MS Press book which deals with Terminal Server and I am running up against what I think is a user privileges issue.

I have two virtual servers (Linux host in Virtualbox) that run Server 2K3 - they are:

server01.contoso.com - domain controller
server02.contoso.com - member server

The instructions tell you to create a user in active directory on Server01 named "Lorrin Smith-Bates" (abbrev: LSB). It then tells you to create a global security account named "Contoso Terminal Server Users" (abbrev : CTSU). It instructs you to add LSB to the CTSU group. It then instructs you to add the CTSU group to the Print Operators group. Then it tells you to log off of server01, log in to server02 and add CTSU group to the Remote Desktop Users group under local users and groups.

After all that is done you are supposed to login to server01 as LSB (which it lets me do) and try to remote desktop to server02 with the LSB user account. When I try to do this I get the following error message.

"To log on to this remote computer, you must have Terminal Server User Access permissions on this computer. By default, members of the Remote Desktop users group have these permissions. If you are not a member of the Remote Desktop Users Group or another group that has these permissions, or if the Remote Desktop User group does not have these permissions, you must be granted these permissions manually"

When I checked the Remote Desktop Users group on Server02, it does have the permissions to logon through terminal services.

What am I missing?
Cisco was my first networking love, but my "other" router is a Mikrotik...

Comments

  • dynamikdynamik Banned Posts: 12,314 ■■■■■■■■□□
    Check group policy: computer configuration\windows settings\security settings\local policies\user rights assignment\allow log on through terminal services
  • vinbuckvinbuck Member Posts: 785
    That particular option is listed as "not defined" in the domain group policy. Would that still override the local group policy setting?
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    That particular option is listed as "not defined" in the domain group policy. Would that still override the local group policy setting?
    No it wouldn't (hence the "not defined").

    Login to the Server02 directly as the user (LSB) and open a command prompt, type "whoami /groups" and look for the local Remote Desktop Users group near the top of the list. Can you confirm it shows up?
  • RobertKaucherRobertKaucher Member Posts: 4,298 ■■■■■■■■■■
    I just want to add a bit of experience here, which may or may not apply.

    When a GPO is defined (for example you set it to deny log on through terminal services) and then is set back to undefined it sometimes sticks on the old setting. I have seen this in test labs so many times. A user sets GPOs in a lab and then sets them back to "undefined" but they still get applied. Try defining the GPOs to allow logon through TS just in case.
  • vinbuckvinbuck Member Posts: 785
    astorrs wrote: »
    No it wouldn't (hence the "not defined").

    Login to the Server02 directly as the user (LSB) and open a command prompt, type "whoami /groups" and look for the local Remote Desktop Users group near the top of the list. Can you confirm it shows up?

    I executed that command while logged into server02 as LSB and it shows BUILTIN\Remote Desktop Users as the second listing.
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • dalesdales Member Posts: 225
    I think that the remote desktop group is a builtin group thats not actually given any permissions. In the past I came across this issue and decided that you have to assign the RDUG to the remote desktop permissions of the server.

    I think the group name is just a helpful name in active directory but is not actually given any real power until you add the remote desktop users group to the select remote users options in the servers systems properties.
    Kind Regards
    Dale Scriven

    Twitter:dscriven
    Blog: vhorizon.co.uk
  • vinbuckvinbuck Member Posts: 785
    I decided to add the LSB user directly to the local policy of "Allow log on through Terminal Services" on server02 and it still denies access with the same message. Something else has to be restricting this but I can't figure out what
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • dalesdales Member Posts: 225
    By default only administrators are allowed to logon by RDP to any server (I think they have to be domain admins to log onto a DC st in the default domain policy I think) I think the interactive logon only allows someone to logon at the console of the server (i.e sat in front of it not through an RDP session

    You should be able to resolve this by adding the remote desktop UG to the remote desktop permissions buttom in the servers system CPL.
    Kind Regards
    Dale Scriven

    Twitter:dscriven
    Blog: vhorizon.co.uk
  • vinbuckvinbuck Member Posts: 785
    dales wrote: »
    By default only administrators are allowed to logon by RDP to any server (I think they have to be domain admins to log onto a DC st in the default domain policy I think) I think the interactive logon only allows someone to logon at the console of the server (i.e sat in front of it not through an RDP session

    You should be able to resolve this by adding the remote desktop UG to the remote desktop permissions buttom in the servers system CPL.

    I think you might be thinking about Windows XP system properties....it has a button to add users and groups where the Server 2003 system properties remote tab does not (at least on mine anyway)

    I added the user LSB to the local secuirty policy setting for "allow logon through terminal services" and I added LSB to the Remote Desktop Users group ( I checked and this group is also listed in the local security policy as having access)

    Still no joy icon_sad.gif
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • RobertKaucherRobertKaucher Member Posts: 4,298 ■■■■■■■■■■
    Which version of 2003 is this? R2? And is it patched?

    I have had this issue with Server 2003 (pre R2) demos that were unpatched. Try adding the user to the local Server Ops group. If that works, then we can start to narrow things down more.
  • vinbuckvinbuck Member Posts: 785
    Which version of 2003 is this? R2? And is it patched?

    I have had this issue with Server 2003 (pre R2) demos that were unpatched. Try adding the user to the local Server Ops group. If that works, then we can start to narrow things down more.

    I have

    Server 2003 R2
    Enterprise Edition
    Service Pack 2

    (it is a demo btw)


    I went to local users and groups but found no Server Ops group.
    Cisco was my first networking love, but my "other" router is a Mikrotik...
Sign In or Register to comment.