Page 1 of 2 12 LastLast
Results 1 to 15 of 20

Thread: "Allow logon through Terminal Services" user right missing

  1. #1
    ajoaosilva Guest

    "Allow logon through Terminal Services" user right missing

    Symptoms:
    - any administrator can logon to TS;
    - non-administrator users get “To log on to this computer, you must be
    granted the allow log on the through Terminal Services right. By default,
    member of the Remote Desktop User Group have this right. If you are not a
    member of the Remote Desktop User Group or other group that has this right,
    you must be granted this right manually”

    Environment:
    - W2K3 R2 (portuguese);
    - DC;
    - TerminalServer in AppMode w/5 device CAL;
    - SystemProperties -> "Enable Remote Desktop on this computer" is ON;
    - users belong to the "Remote Desktop Users" group;
    - users "Deny this user permisssions to log on to any Terminal Server" is OFF;
    - "Local Security Settings" -> "User Rights Assignment -> "Allow logon
    through Terminal Services" is ... missing!!!! This entry just isn't there!!!

    It's of no use to tell me to check the "Allow logon through Terminal
    Services" user right: it just isnt' there!
    I've installed and configured several w2k and w2k3 and this was the first
    time i saw this. Better, i didn't saw it...

    Several persons saw this, so, although i spend a lot of time with the
    computers, it's not an eyes problem...
    Been around this for hours, seen houndreds of web pages, no luck. Can some
    one help... Please... An aspirin would also be welcome...

    -ajoaosilva

  2. #2
    Jorge Silva Guest

    Re: "Allow logon through Terminal Services" user right missing

    Hi
    Is that software in Portuguese?

    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator

  3. #3
    Jorge Silva Guest

    Re: "Allow logon through Terminal Services" user right missing

    I forgot you need to make these users members of security group "Remote
    Desktop Users", and this group already has the permission tologon through
    TS.

    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
    "ajoaosilva" <ajoaosilva@discussions.microsoft.com> wrote in message
    news:755F60EA-2846-43AF-87EB-D254DCE9555E@microsoft.com...
    > Symptoms:
    > - any administrator can logon to TS;
    > - non-administrator users get "To log on to this computer, you must be
    > granted the allow log on the through Terminal Services right. By default,
    > member of the Remote Desktop User Group have this right. If you are not a
    > member of the Remote Desktop User Group or other group that has this
    > right,
    > you must be granted this right manually"
    >
    > Environment:
    > - W2K3 R2 (portuguese);
    > - DC;
    > - TerminalServer in AppMode w/5 device CAL;
    > - SystemProperties -> "Enable Remote Desktop on this computer" is ON;
    > - users belong to the "Remote Desktop Users" group;
    > - users "Deny this user permisssions to log on to any Terminal Server" is
    > OFF;
    > - "Local Security Settings" -> "User Rights Assignment -> "Allow logon
    > through Terminal Services" is ... missing!!!! This entry just isn't
    > there!!!
    >
    > It's of no use to tell me to check the "Allow logon through Terminal
    > Services" user right: it just isnt' there!
    > I've installed and configured several w2k and w2k3 and this was the first
    > time i saw this. Better, i didn't saw it...
    >
    > Several persons saw this, so, although i spend a lot of time with the
    > computers, it's not an eyes problem...
    > Been around this for hours, seen houndreds of web pages, no luck. Can some
    > one help... Please... An aspirin would also be welcome...
    >
    > -ajoaosilva




  4. #4
    ajoaosilva Guest

    Re: "Allow logon through Terminal Services" user right missing

    Yes. It's a portuguese version of w2k3. I translated all the messages.
    The only "allow" user right is the "Allow logon locally" (Permitir iniciar
    sessão localmente).

    "Jorge Silva" wrote:

    > Hi
    > Is that software in Portuguese?
    >
    > --
    > I hope that the information above helps you
    >
    > Good Luck
    > Jorge Silva
    > MCSA
    > Systems Administrator
    > "ajoaosilva" <ajoaosilva@discussions.microsoft.com> wrote in message
    > news:755F60EA-2846-43AF-87EB-D254DCE9555E@microsoft.com...
    > > Symptoms:
    > > - any administrator can logon to TS;
    > > - non-administrator users get "To log on to this computer, you must be
    > > granted the allow log on the through Terminal Services right. By default,
    > > member of the Remote Desktop User Group have this right. If you are not a
    > > member of the Remote Desktop User Group or other group that has this
    > > right,
    > > you must be granted this right manually"
    > >
    > > Environment:
    > > - W2K3 R2 (portuguese);
    > > - DC;
    > > - TerminalServer in AppMode w/5 device CAL;
    > > - SystemProperties -> "Enable Remote Desktop on this computer" is ON;
    > > - users belong to the "Remote Desktop Users" group;
    > > - users "Deny this user permisssions to log on to any Terminal Server" is
    > > OFF;
    > > - "Local Security Settings" -> "User Rights Assignment -> "Allow logon
    > > through Terminal Services" is ... missing!!!! This entry just isn't
    > > there!!!
    > >
    > > It's of no use to tell me to check the "Allow logon through Terminal
    > > Services" user right: it just isnt' there!
    > > I've installed and configured several w2k and w2k3 and this was the first
    > > time i saw this. Better, i didn't saw it...
    > >
    > > Several persons saw this, so, although i spend a lot of time with the
    > > computers, it's not an eyes problem...
    > > Been around this for hours, seen houndreds of web pages, no luck. Can some
    > > one help... Please... An aspirin would also be welcome...
    > >
    > > -ajoaosilva

    >
    >
    >


  5. #5
    ajoaosilva Guest

    Re: "Allow logon through Terminal Services" user right missing

    Already mentioned that in the initial post. No work either.

    "Jorge Silva" wrote:

    > I forgot you need to make these users members of security group "Remote
    > Desktop Users", and this group already has the permission tologon through
    > TS.
    >
    > --
    > I hope that the information above helps you
    >
    > Good Luck
    > Jorge Silva
    > MCSA
    > Systems Administrator
    > "ajoaosilva" <ajoaosilva@discussions.microsoft.com> wrote in message
    > news:755F60EA-2846-43AF-87EB-D254DCE9555E@microsoft.com...
    > > Symptoms:
    > > - any administrator can logon to TS;
    > > - non-administrator users get "To log on to this computer, you must be
    > > granted the allow log on the through Terminal Services right. By default,
    > > member of the Remote Desktop User Group have this right. If you are not a
    > > member of the Remote Desktop User Group or other group that has this
    > > right,
    > > you must be granted this right manually"
    > >
    > > Environment:
    > > - W2K3 R2 (portuguese);
    > > - DC;
    > > - TerminalServer in AppMode w/5 device CAL;
    > > - SystemProperties -> "Enable Remote Desktop on this computer" is ON;
    > > - users belong to the "Remote Desktop Users" group;
    > > - users "Deny this user permisssions to log on to any Terminal Server" is
    > > OFF;
    > > - "Local Security Settings" -> "User Rights Assignment -> "Allow logon
    > > through Terminal Services" is ... missing!!!! This entry just isn't
    > > there!!!
    > >
    > > It's of no use to tell me to check the "Allow logon through Terminal
    > > Services" user right: it just isnt' there!
    > > I've installed and configured several w2k and w2k3 and this was the first
    > > time i saw this. Better, i didn't saw it...
    > >
    > > Several persons saw this, so, although i spend a lot of time with the
    > > computers, it's not an eyes problem...
    > > Been around this for hours, seen houndreds of web pages, no luck. Can some
    > > one help... Please... An aspirin would also be welcome...
    > >
    > > -ajoaosilva

    >
    >
    >


  6. #6
    Jorge Silva Guest

    Re: "Allow logon through Terminal Services" user right missing

    sounds that you're a little confused or maybe I am!!!
    Let me explain...

    "Allow logon locally" = (Permitir iniciar sessão localmente).
    But
    "allow log on the through Terminal Services right" is not the same as
    (Permitir iniciar sessão localmente).

    You see in Windows 2000 you need (only in DCs) to grant this right to allow
    the users to logon through TS, but that changed in Windows 2003. In Windows
    2003 you no longer need to allow "logon locally" right, instead you need to
    allow log on the through Terminal Services right and the Remote Desktop
    Users security group already have this right granted in DCs and member
    servers...

  7. #7
    Jorge Silva Guest

    Re: "Allow logon through Terminal Services" user right missing

    a little correction only on member servers the "Remote Desktop Users"
    security group have the right to log on the through Terminal Services.

  8. #8
    ajoaosilva Guest

    Re: "Allow logon through Terminal Services" user right missing

    That may explain why, although the users are in that group, they still can't
    logon.
    Therefore i would have to activate the "Allow logon through Terminal
    Services" for that group. The problem is that the user right is not on the
    list! The list is an item short! That is my problem.

  9. #9
    Jorge Silva Guest
    Ok

    Sounds like a corrupt DB in Security Folder.

    What happens when you run the security analyses against your local DB?

  10. #10
    Jorge Silva Guest

    Re: "Allow logon through Terminal Services" user right missing

    sure...
    take a look at
    Security Configuration and Analysis How To...
    http://technet2.microsoft.com/Window....mspx?mfr=true

    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator

  11. #11
    ajoaosilva Guest

    Re: "Allow logon through Terminal Services" user right missing

    I'm sorry, but something here is not right:
    - i loged in as Administrator;
    - opening dcpol.msc or dompol.msc yelds "Failed to open the group policy
    object. You may not enough rights." (Falha ao abrir o objecto de polÃ*tica de
    grupo. Poderá não ter os direitos apropriados.) Details: The specified domain
    doesn't exist or could not be reached (O domÃ*nio especificado ou não existe
    ou não pôde ser contactado.);
    - created a new console, added the snap-in, picked the database
    c:\windows\security\database\secedit.sdb (the only one i could find!) and got
    "The access to the database was denied";
    - opened the "Security templates" snap-in and couldn't find the missing
    right anywhere. Is this some new R2 feature?

    During a log inspection i found a c:\windows\security\logs\scedcpro.log file
    that started with the followig lines:

    ----- begin trascript ----- begin trascript -----
    -------------------------------------------
    09/28/2006 15:02:09
    Utilizador com privilégios administrativos com sessão iniciada.
    ** SeManageVolumePrivilege é ignorado para ser definido na polÃ*tica
    predefinida porque pode quebrar clientes W2K.
    ** SeRemoteInteractiveLogonRight é ignorado para ser definido na polÃ*tica
    predefinida porque pode quebrar clientes W2K.
    ** SeDenyRemoteInteractiveLogonRight é ignorado para ser definido na
    polÃ*tica predefinida porque pode quebrar clientes W2K.
    Direitos de utilizador de cópia no GPO OU: instalação limpa.


    ----Anular inicialização do motor de configuração...

    Objecto de polÃ*ticas de grupo pré-definido in sysvol criado com êxito.
    -------------------------------------------
    09/28/2006 15:02:12
    Utilizador com privilégios administrativos com sessão iniciada.
    A analisar modelo C:\WINDOWS\inf\defltdc.inf.
    ----O motor de configuração foi inicializado com êxito.----

    ----A ler informações de configuração do modelo...


    ----Configurar direitos do utilizador...
    Configurar S-1-5-32-545.
    remover SeNetworkLogonRight.
    remover SeChangeNotifyPrivilege.
    Configurar S-1-5-32-555.
    *** remover SeRemoteInteractiveLogonRight.
    ----- end trascript ----- end trascript -----

    The lines starting with ** say that SeManageVolumePrivilege,
    SeRemoteInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight are
    ignored to be defined in the default policy because it can break W2K
    clientes. The SeRemoteInteractiveLogonRight is exactly the user right that is
    missing.

    The line strating with *** removes the SeRemoteInteractiveLogonRight (Allow
    logon through Terminal Services) right from the "Remote Desktop Users" group.
    This is why my users can't login to the server.

    The full 664k log file (in portuguese) is available by email on request .

    Maybe i've been too long around this problem, but can't i create an .inf
    file like the one processed in this log, only adding that permission to the
    "Remote Desktop Users" group? I don't belive it would bring the missing right
    to the list, but the group users would logon. Hopefully...

  12. #12
    Vera Noest [MVP] Guest

    Re: "Allow logon through Terminal Services" user right missing

    Sounds to me like you are logging in as local administrator, not as
    Domain Administrator, is that correct?

    _________________________________________________________
    Vera Noest
    MCSE, CCEA, Microsoft MVP - Terminal Server
    TS troubleshooting:

  13. #13
    ajoaosilva Guest

    Re: "Allow logon through Terminal Services" user right missing

    I'm login in with the only administrator profile i have, that belongs to the
    domain admins group.
    I'm login through remote desktop, but i belive that makes no diference. Does
    it?

  14. #14
    Dave Guest

    Re: "Allow logon through Terminal Services" user right missing

    From your description I had the same problem as you are now. Make the
    Terminal Services Group a member of the Remote Desktop Group.

    That fixed the problem for me.

    Hope this helps.
    Dave

  15. #15
    Vera Noest [MVP] Guest

    Re: "Allow logon through Terminal Services" user right missing

    Just to rule it out, I would log on to the physical console of the
    server and try to open the same policy. If you still get the "access
    denied" error, then something seems really wrong, and I would phone
    Microsoft Support.
    Is there anything in the EventLog which shouldn't be there? Warnings
    or errors about the network, policies not being applied, something
    like that?
    _________________________________________________________
    Vera Noest
    MCSE, CCEA, Microsoft MVP - Terminal Server
    TS troubleshooting: http://ts.veranoest.net
    ___ please respond in newsgroup, NOT by private email ___

    =?Utf-8?B?YWpvYW9zaWx2YQ==?=
    <ajoaosilva@discussions.microsoft.com> wrote on 23 okt 2006 in
    microsoft.public.windows.terminal_services:

    > I'm login in with the only administrator profile i have, that
    > belongs to the domain admins group.
    > I'm login through remote desktop, but i belive that makes no
    > diference. Does it?


Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 1
    Last Post: 01-11-2012, 01:34 PM
  2. Replies: 3
    Last Post: 29-05-2011, 01:45 AM
  3. Replies: 5
    Last Post: 13-09-2010, 06:06 PM
  4. Replies: 5
    Last Post: 26-10-2009, 07:20 PM
  5. DCOM got error "Logon failure: unknown user name or bad password."
    By Chitesh in forum Small Business Server
    Replies: 2
    Last Post: 03-10-2006, 06:04 AM

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Page generated in 1,711,613,445.59711 seconds with 17 queries