"Allow logon through Terminal Services" user right missing
Symptoms:
- any administrator can logon to TS;
- non-administrator users get “To log on to this computer, you must be
granted the allow log on the through Terminal Services right. By default,
member of the Remote Desktop User Group have this right. If you are not a
member of the Remote Desktop User Group or other group that has this right,
you must be granted this right manuallyâ€
Environment:
- W2K3 R2 (portuguese);
- DC;
- TerminalServer in AppMode w/5 device CAL;
- SystemProperties -> "Enable Remote Desktop on this computer" is ON;
- users belong to the "Remote Desktop Users" group;
- users "Deny this user permisssions to log on to any Terminal Server" is OFF;
- "Local Security Settings" -> "User Rights Assignment -> "Allow logon
through Terminal Services" is ... missing!!!! This entry just isn't there!!!
It's of no use to tell me to check the "Allow logon through Terminal
Services" user right: it just isnt' there!
I've installed and configured several w2k and w2k3 and this was the first
time i saw this. Better, i didn't saw it...
Several persons saw this, so, although i spend a lot of time with the
computers, it's not an eyes problem...
Been around this for hours, seen houndreds of web pages, no luck. Can some
one help... Please... An aspirin would also be welcome...
-ajoaosilva
Re: "Allow logon through Terminal Services" user right missing
Hi
Is that software in Portuguese?
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
Re: "Allow logon through Terminal Services" user right missing
I forgot you need to make these users members of security group "Remote
Desktop Users", and this group already has the permission tologon through
TS.
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"ajoaosilva" <ajoaosilva@discussions.microsoft.com> wrote in message
news:755F60EA-2846-43AF-87EB-D254DCE9555E@microsoft.com...
> Symptoms:
> - any administrator can logon to TS;
> - non-administrator users get "To log on to this computer, you must be
> granted the allow log on the through Terminal Services right. By default,
> member of the Remote Desktop User Group have this right. If you are not a
> member of the Remote Desktop User Group or other group that has this
> right,
> you must be granted this right manually"
>
> Environment:
> - W2K3 R2 (portuguese);
> - DC;
> - TerminalServer in AppMode w/5 device CAL;
> - SystemProperties -> "Enable Remote Desktop on this computer" is ON;
> - users belong to the "Remote Desktop Users" group;
> - users "Deny this user permisssions to log on to any Terminal Server" is
> OFF;
> - "Local Security Settings" -> "User Rights Assignment -> "Allow logon
> through Terminal Services" is ... missing!!!! This entry just isn't
> there!!!
>
> It's of no use to tell me to check the "Allow logon through Terminal
> Services" user right: it just isnt' there!
> I've installed and configured several w2k and w2k3 and this was the first
> time i saw this. Better, i didn't saw it...
>
> Several persons saw this, so, although i spend a lot of time with the
> computers, it's not an eyes problem...
> Been around this for hours, seen houndreds of web pages, no luck. Can some
> one help... Please... An aspirin would also be welcome...
>
> -ajoaosilva
Re: "Allow logon through Terminal Services" user right missing
Yes. It's a portuguese version of w2k3. I translated all the messages.
The only "allow" user right is the "Allow logon locally" (Permitir iniciar
sessão localmente).
"Jorge Silva" wrote:
> Hi
> Is that software in Portuguese?
>
> --
> I hope that the information above helps you
>
> Good Luck
> Jorge Silva
> MCSA
> Systems Administrator
> "ajoaosilva" <ajoaosilva@discussions.microsoft.com> wrote in message
> news:755F60EA-2846-43AF-87EB-D254DCE9555E@microsoft.com...
> > Symptoms:
> > - any administrator can logon to TS;
> > - non-administrator users get "To log on to this computer, you must be
> > granted the allow log on the through Terminal Services right. By default,
> > member of the Remote Desktop User Group have this right. If you are not a
> > member of the Remote Desktop User Group or other group that has this
> > right,
> > you must be granted this right manually"
> >
> > Environment:
> > - W2K3 R2 (portuguese);
> > - DC;
> > - TerminalServer in AppMode w/5 device CAL;
> > - SystemProperties -> "Enable Remote Desktop on this computer" is ON;
> > - users belong to the "Remote Desktop Users" group;
> > - users "Deny this user permisssions to log on to any Terminal Server" is
> > OFF;
> > - "Local Security Settings" -> "User Rights Assignment -> "Allow logon
> > through Terminal Services" is ... missing!!!! This entry just isn't
> > there!!!
> >
> > It's of no use to tell me to check the "Allow logon through Terminal
> > Services" user right: it just isnt' there!
> > I've installed and configured several w2k and w2k3 and this was the first
> > time i saw this. Better, i didn't saw it...
> >
> > Several persons saw this, so, although i spend a lot of time with the
> > computers, it's not an eyes problem...
> > Been around this for hours, seen houndreds of web pages, no luck. Can some
> > one help... Please... An aspirin would also be welcome...
> >
> > -ajoaosilva
>
>
>
Re: "Allow logon through Terminal Services" user right missing
Already mentioned that in the initial post. No work either.
"Jorge Silva" wrote:
> I forgot you need to make these users members of security group "Remote
> Desktop Users", and this group already has the permission tologon through
> TS.
>
> --
> I hope that the information above helps you
>
> Good Luck
> Jorge Silva
> MCSA
> Systems Administrator
> "ajoaosilva" <ajoaosilva@discussions.microsoft.com> wrote in message
> news:755F60EA-2846-43AF-87EB-D254DCE9555E@microsoft.com...
> > Symptoms:
> > - any administrator can logon to TS;
> > - non-administrator users get "To log on to this computer, you must be
> > granted the allow log on the through Terminal Services right. By default,
> > member of the Remote Desktop User Group have this right. If you are not a
> > member of the Remote Desktop User Group or other group that has this
> > right,
> > you must be granted this right manually"
> >
> > Environment:
> > - W2K3 R2 (portuguese);
> > - DC;
> > - TerminalServer in AppMode w/5 device CAL;
> > - SystemProperties -> "Enable Remote Desktop on this computer" is ON;
> > - users belong to the "Remote Desktop Users" group;
> > - users "Deny this user permisssions to log on to any Terminal Server" is
> > OFF;
> > - "Local Security Settings" -> "User Rights Assignment -> "Allow logon
> > through Terminal Services" is ... missing!!!! This entry just isn't
> > there!!!
> >
> > It's of no use to tell me to check the "Allow logon through Terminal
> > Services" user right: it just isnt' there!
> > I've installed and configured several w2k and w2k3 and this was the first
> > time i saw this. Better, i didn't saw it...
> >
> > Several persons saw this, so, although i spend a lot of time with the
> > computers, it's not an eyes problem...
> > Been around this for hours, seen houndreds of web pages, no luck. Can some
> > one help... Please... An aspirin would also be welcome...
> >
> > -ajoaosilva
>
>
>
Re: "Allow logon through Terminal Services" user right missing
sounds that you're a little confused or maybe I am!!!
Let me explain...
"Allow logon locally" = (Permitir iniciar sessão localmente).
But
"allow log on the through Terminal Services right" is not the same as
(Permitir iniciar sessão localmente).
You see in Windows 2000 you need (only in DCs) to grant this right to allow
the users to logon through TS, but that changed in Windows 2003. In Windows
2003 you no longer need to allow "logon locally" right, instead you need to
allow log on the through Terminal Services right and the Remote Desktop
Users security group already have this right granted in DCs and member
servers...
Re: "Allow logon through Terminal Services" user right missing
a little correction only on member servers the "Remote Desktop Users"
security group have the right to log on the through Terminal Services.
Re: "Allow logon through Terminal Services" user right missing
That may explain why, although the users are in that group, they still can't
logon.
Therefore i would have to activate the "Allow logon through Terminal
Services" for that group. The problem is that the user right is not on the
list! The list is an item short! That is my problem.
Re: "Allow logon through Terminal Services" user right missing
sure...
take a look at
Security Configuration and Analysis How To...
http://technet2.microsoft.com/Window....mspx?mfr=true
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
Re: "Allow logon through Terminal Services" user right missing
I'm sorry, but something here is not right:
- i loged in as Administrator;
- opening dcpol.msc or dompol.msc yelds "Failed to open the group policy
object. You may not enough rights." (Falha ao abrir o objecto de polÃ*tica de
grupo. Poderá não ter os direitos apropriados.) Details: The specified domain
doesn't exist or could not be reached (O domÃ*nio especificado ou não existe
ou não pôde ser contactado.);
- created a new console, added the snap-in, picked the database
c:\windows\security\database\secedit.sdb (the only one i could find!) and got
"The access to the database was denied";
- opened the "Security templates" snap-in and couldn't find the missing
right anywhere. Is this some new R2 feature?
During a log inspection i found a c:\windows\security\logs\scedcpro.log file
that started with the followig lines:
----- begin trascript ----- begin trascript -----
-------------------------------------------
09/28/2006 15:02:09
Utilizador com privilégios administrativos com sessão iniciada.
** SeManageVolumePrivilege é ignorado para ser definido na polÃ*tica
predefinida porque pode quebrar clientes W2K.
** SeRemoteInteractiveLogonRight é ignorado para ser definido na polÃ*tica
predefinida porque pode quebrar clientes W2K.
** SeDenyRemoteInteractiveLogonRight é ignorado para ser definido na
polÃ*tica predefinida porque pode quebrar clientes W2K.
Direitos de utilizador de cópia no GPO OU: instalação limpa.
----Anular inicialização do motor de configuração...
Objecto de polÃ*ticas de grupo pré-definido in sysvol criado com êxito.
-------------------------------------------
09/28/2006 15:02:12
Utilizador com privilégios administrativos com sessão iniciada.
A analisar modelo C:\WINDOWS\inf\defltdc.inf.
----O motor de configuração foi inicializado com êxito.----
----A ler informações de configuração do modelo...
----Configurar direitos do utilizador...
Configurar S-1-5-32-545.
remover SeNetworkLogonRight.
remover SeChangeNotifyPrivilege.
Configurar S-1-5-32-555.
*** remover SeRemoteInteractiveLogonRight.
----- end trascript ----- end trascript -----
The lines starting with ** say that SeManageVolumePrivilege,
SeRemoteInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight are
ignored to be defined in the default policy because it can break W2K
clientes. The SeRemoteInteractiveLogonRight is exactly the user right that is
missing.
The line strating with *** removes the SeRemoteInteractiveLogonRight (Allow
logon through Terminal Services) right from the "Remote Desktop Users" group.
This is why my users can't login to the server.
The full 664k log file (in portuguese) is available by email on request .
Maybe i've been too long around this problem, but can't i create an .inf
file like the one processed in this log, only adding that permission to the
"Remote Desktop Users" group? I don't belive it would bring the missing right
to the list, but the group users would logon. Hopefully...
Re: "Allow logon through Terminal Services" user right missing
Sounds to me like you are logging in as local administrator, not as
Domain Administrator, is that correct?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting:
Re: "Allow logon through Terminal Services" user right missing
I'm login in with the only administrator profile i have, that belongs to the
domain admins group.
I'm login through remote desktop, but i belive that makes no diference. Does
it?
Re: "Allow logon through Terminal Services" user right missing
From your description I had the same problem as you are now. Make the
Terminal Services Group a member of the Remote Desktop Group.
That fixed the problem for me.
Hope this helps.
Dave
Re: "Allow logon through Terminal Services" user right missing
Just to rule it out, I would log on to the physical console of the
server and try to open the same policy. If you still get the "access
denied" error, then something seems really wrong, and I would phone
Microsoft Support.
Is there anything in the EventLog which shouldn't be there? Warnings
or errors about the network, policies not being applied, something
like that?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
=?Utf-8?B?YWpvYW9zaWx2YQ==?=
<ajoaosilva@discussions.microsoft.com> wrote on 23 okt 2006 in
microsoft.public.windows.terminal_services:
> I'm login in with the only administrator profile i have, that
> belongs to the domain admins group.
> I'm login through remote desktop, but i belive that makes no
> diference. Does it?