"Allow logon through Terminal Services" user right missing

  #1  
Old 20-10-2006
ajoaosilva
 
Posts: n/a
"Allow logon through Terminal Services" user right missing

Symptoms:
- any administrator can logon to TS;
- non-administrator users get “To log on to this computer, you must be
granted the allow log on the through Terminal Services right. By default,
member of the Remote Desktop User Group have this right. If you are not a
member of the Remote Desktop User Group or other group that has this right,
you must be granted this right manually”

Environment:
- W2K3 R2 (Portuguese);
- DC;
- TerminalServer in AppMode w/5 device CAL;
- SystemProperties -> "Enable Remote Desktop on this computer" is ON;
- users belong to the "Remote Desktop Users" group;
- users "Deny this user permissions to log on to any Terminal Server" is OFF;
- "Local Security Settings" -> "User Rights Assignment" -> "Allow logon
through Terminal Services" is ... missing!!!! This entry just isn't there!!!

It's of no use to tell me to check the "Allow logon through Terminal
Services" user right: it just isn't there!
I've installed and configured several w2k and w2k3 and this was the first
time I saw this. Better, I didn't see it...

Several persons saw this, so, although I spend a lot of time with the
computers, it's not an eyes problem...
Been around this for hours, seen hundreds of web pages, no luck. Can
someone help... Please... An aspirin would also be welcome...

-ajoaosilva

  #2  
Old 20-10-2006
Jorge Silva
 
Posts: n/a
Re: "Allow logon through Terminal Services" user right missing

Hi
Is that software in Portuguese?

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
  #3  
Old 20-10-2006
Jorge Silva
 
Posts: n/a
Re: "Allow logon through Terminal Services" user right missing

I forgot: you need to make these users members of the security group "Remote
Desktop Users", and this group already has the permission to log on through
TS.

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
  #4  
Old 21-10-2006
ajoaosilva
 
Posts: n/a
Re: "Allow logon through Terminal Services" user right missing

Yes. It's a Portuguese version of w2k3. I translated all the messages.
The only "allow" user right is the "Allow logon locally" (Permitir iniciar
sessão localmente).

"Jorge Silva" wrote:

> Hi
> Is that software in Portuguese?
>
> --
> I hope that the information above helps you
>
> Good Luck
> Jorge Silva
> MCSA
> Systems Administrator
  #5  
Old 21-10-2006
ajoaosilva
 
Posts: n/a
Re: "Allow logon through Terminal Services" user right missing

Already mentioned that in the initial post. That doesn't work either.

"Jorge Silva" wrote:

> I forgot: you need to make these users members of the security group "Remote
> Desktop Users", and this group already has the permission to log on through
> TS.
>
> --
> I hope that the information above helps you
>
> Good Luck
> Jorge Silva
> MCSA
> Systems Administrator
  #6  
Old 21-10-2006
Jorge Silva
 
Posts: n/a
Re: "Allow logon through Terminal Services" user right missing

Sounds like you're a little confused, or maybe I am!!!
Let me explain...

"Allow logon locally" = (Permitir iniciar sessão localmente).
But
"allow log on the through Terminal Services right" is not the same as
(Permitir iniciar sessão localmente).

You see, in Windows 2000 you need (only in DCs) to grant this right to allow
the users to log on through TS, but that changed in Windows 2003. In Windows
2003 you no longer need to allow the "logon locally" right; instead you need to
allow the log on through Terminal Services right, and the Remote Desktop
Users security group already has this right granted in DCs and member
servers...
  #7  
Old 21-10-2006
Jorge Silva
 
Posts: n/a
Re: "Allow logon through Terminal Services" user right missing

A little correction: only on member servers does the "Remote Desktop Users"
security group have the right to log on through Terminal Services.
  #8  
Old 21-10-2006
ajoaosilva
 
Posts: n/a
Re: "Allow logon through Terminal Services" user right missing

That may explain why, although the users are in that group, they still can't
log on.
Therefore I would have to activate the "Allow logon through Terminal
Services" for that group. The problem is that the user right is not on the
list! The list is an item short! That is my problem.
  #9  
Old 21-10-2006
Jorge Silva
 
Posts: n/a
Ok

Sounds like a corrupt DB in Security Folder.

What happens when you run the security analysis against your local DB?
  #10  
Old 21-10-2006
Jorge Silva
 
Posts: n/a
Re: "Allow logon through Terminal Services" user right missing

sure...
take a look at
Security Configuration and Analysis How To...
http://technet2.microsoft.com/Window....mspx?mfr=true

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
  #11  
Old 23-10-2006
ajoaosilva
 
Posts: n/a
Re: "Allow logon through Terminal Services" user right missing

I'm sorry, but something here is not right:
- I logged in as Administrator;
- opening dcpol.msc or dompol.msc yields "Failed to open the group policy
object. You may not have enough rights." (Falha ao abrir o objecto de política de
grupo. Poderá não ter os direitos apropriados.) Details: The specified domain
doesn't exist or could not be reached (O domínio especificado ou não existe
ou não pôde ser contactado.);
- created a new console, added the snap-in, picked the database
c:\windows\security\database\secedit.sdb (the only one I could find!) and got
"The access to the database was denied";
- opened the "Security templates" snap-in and couldn't find the missing
right anywhere. Is this some new R2 feature?

During a log inspection I found a c:\windows\security\logs\scedcpro.log file
that started with the following lines:

----- begin transcript -----
-------------------------------------------
09/28/2006 15:02:09
Utilizador com privilégios administrativos com sessão iniciada.
** SeManageVolumePrivilege é ignorado para ser definido na política
predefinida porque pode quebrar clientes W2K.
** SeRemoteInteractiveLogonRight é ignorado para ser definido na política
predefinida porque pode quebrar clientes W2K.
** SeDenyRemoteInteractiveLogonRight é ignorado para ser definido na
política predefinida porque pode quebrar clientes W2K.
Direitos de utilizador de cópia no GPO OU: instalação limpa.


----Anular inicialização do motor de configuração...

Objecto de políticas de grupo pré-definido in sysvol criado com êxito.
-------------------------------------------
09/28/2006 15:02:12
Utilizador com privilégios administrativos com sessão iniciada.
A analisar modelo C:\WINDOWS\inf\defltdc.inf.
----O motor de configuração foi inicializado com êxito.----

----A ler informações de configuração do modelo...


----Configurar direitos do utilizador...
Configurar S-1-5-32-545.
remover SeNetworkLogonRight.
remover SeChangeNotifyPrivilege.
Configurar S-1-5-32-555.
*** remover SeRemoteInteractiveLogonRight.
----- end transcript -----

The lines starting with ** say that SeManageVolumePrivilege,
SeRemoteInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight are
ignored to be defined in the default policy because it can break W2K
clients. The SeRemoteInteractiveLogonRight is exactly the user right that is
missing.

The line starting with *** removes the SeRemoteInteractiveLogonRight (Allow
logon through Terminal Services) right from the "Remote Desktop Users" group.
This is why my users can't log in to the server.

The full 664k log file (in Portuguese) is available by email on request.

Maybe I've been too long around this problem, but can't I create an .inf
file like the one processed in this log, only adding that permission to the
"Remote Desktop Users" group? I don't believe it would bring the missing right
to the list, but the group users would log on. Hopefully...
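Added example, not part of the original thread: a Python check that ties the log lines quoted in the post above to the current state of the user right. It assumes the user rights have been exported to a text file with secedit (the file name, the sample export and the function names are constructed for illustration), and it maps the SIDs in the log to their well-known group names.

```python
import re

RIGHT = "SeRemoteInteractiveLogonRight"
# Well-known built-in group SIDs (standard Windows values).
GROUPS = {"S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users",
          "S-1-5-32-555": "Remote Desktop Users"}

# User-rights lines of scedcpro.log, as quoted in the post above.
SAMPLE_LOG = """\
Configurar S-1-5-32-545.
remover SeNetworkLogonRight.
remover SeChangeNotifyPrivilege.
Configurar S-1-5-32-555.
*** remover SeRemoteInteractiveLogonRight.
"""
# Constructed sample of `secedit /export /cfg rights.inf /areas USER_RIGHTS`.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
"""

def removed_rights(log_text):
    """Map each SID to the rights the log says were removed from it."""
    removed, sid = {}, None
    for raw in log_text.splitlines():
        line = raw.strip().lstrip("*").strip()  # drop the poster's ** / *** marks
        if m := re.fullmatch(r"Configurar (S-1-[\d-]+)\.", line):
            sid = m.group(1)
        elif (m := re.fullmatch(r"remover (Se\w+)\.", line)) and sid:
            removed.setdefault(sid, []).append(m.group(1))
    return removed

def holders(inf_text, right=RIGHT):
    """SIDs or account names granted `right` under [Privilege Rights]."""
    in_section = False
    for raw in inf_text.splitlines():
        name, _, value = raw.strip().partition("=")
        if name.startswith("["):
            in_section = name.lower() == "[privilege rights]"
        elif in_section and name.strip().lower() == right.lower():
            return [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return []  # no line for the right means nobody holds it

def still_missing(log_text, inf_text, right=RIGHT):
    """Groups that lost `right` in the log and do not hold it in the export."""
    have = holders(inf_text, right)
    return [GROUPS.get(sid, sid) for sid, rights in removed_rights(log_text).items()
            if right in rights and sid not in have]
```

With the samples above, still_missing(SAMPLE_LOG, SAMPLE_INF) returns ["Remote Desktop Users"]. A real export is typically a UTF-16 file, so read it with that encoding before passing the text in.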
  #12  
Old 23-10-2006
Vera Noest [MVP]
 
Posts: n/a
Re: "Allow logon through Terminal Services" user right missing

Sounds to me like you are logging in as local administrator, not as
Domain Administrator, is that correct?

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting:
  #13  
Old 23-10-2006
ajoaosilva
 
Posts: n/a
Re: "Allow logon through Terminal Services" user right missing

I'm logging in with the only administrator profile I have, which belongs to the
domain admins group.
I'm logging in through remote desktop, but I believe that makes no difference. Does
it?
  #14  
Old 23-10-2006
Dave
 
Posts: n/a
Re: "Allow logon through Terminal Services" user right missing

From your description I had the same problem as you are now. Make the
Terminal Services Group a member of the Remote Desktop Group.

That fixed the problem for me.

Hope this helps.
Dave
  #15  
Old 24-10-2006
Vera Noest [MVP]
 
Posts: n/a
Re: "Allow logon through Terminal Services" user right missing

Just to rule it out, I would log on to the physical console of the
server and try to open the same policy. If you still get the "access
denied" error, then something seems really wrong, and I would phone
Microsoft Support.
Is there anything in the EventLog which shouldn't be there? Warnings
or errors about the network, policies not being applied, something
like that?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

ajoaosilva <ajoaosilva@discussions.microsoft.com> wrote on 23 Oct 2006 in
microsoft.public.windows.terminal_services:

> I'm logging in with the only administrator profile I have, which
> belongs to the domain admins group.
> I'm logging in through remote desktop, but I believe that makes no
> difference. Does it?
