Windows NT Just administrator can access TS

Rene B · Jul 23, 2007

Hello everybody,

I have problem accessing TS with RDC as any other user diferent than
administrator even if the user is part of the administrators group.

This is my configuration:
MDC Server1 (TS License Server)
member server Server2 TS Application mode
Licensing: Per User (5 cals installed)
Local Policy: Allow log on through Terminal Services = Administrators,
Remote Desktop Users

User1: member of Domain Users, Remote Desktop User, Administrators
User2: member of Domain Users, Remote Desktop User

non of the users can access TS remotely, users can login locally on TS

What else should I do?

Jeff Pitsch · Jul 24, 2007

This is a win2k3 server correct? is it a domain controller? What error
message are they receiving when they try to connect? What do the event
logs show when they connect?

Jeff Pitsch
Microsoft MVP - Terminal Server
Citrix Technology Professional
Provision Networks VIP

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com

Rene B wrote:
> Hello everybody,
>
> I have problem accessing TS with RDC as any other user diferent than
> administrator even if the user is part of the administrators group.
>
> This is my configuration:
> MDC Server1 (TS License Server)
> member server Server2 TS Application mode
> Licensing: Per User (5 cals installed)
> Local Policy: Allow log on through Terminal Services = Administrators,
> Remote Desktop Users
>
> User1: member of Domain Users, Remote Desktop User, Administrators
> User2: member of Domain Users, Remote Desktop User
>
> non of the users can access TS remotely, users can login locally on TS
>
> What else should I do?
>
>

Rene B · Jul 24, 2007

it is win2k3 server
It is not a DC
error: "To log on this remote computer, you must be granted the Allow Log on
through Terminal Services rigtht. By default , members of the Remote Desktop
Users group have ....."

Event Log after try to connect to TS:
just secuity shows events
Security:
--- LOG 1: ---
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 576
Date: 7/24/2007
Time: 10:43:06 AM
User: NT AUTHORITY\SYSTEM
Computer: TPISAPPSVR01
Description:
Special privileges assigned to new logon:
User Name: TPISAPPSVR01$
Domain: TPIS
Logon ID: (0x0,0x98CDE)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege

--- LOG 2 --
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 7/24/2007
Time: 10:43:06 AM
User: NT AUTHORITY\SYSTEM
Computer: TPISAPPSVR01
Description:
Successful Network Logon:
User Name: TPISAPPSVR01$
Domain: TPIS
Logon ID: (0x0,0x98CDE)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {31757886-c57c-2b85-f649-1f4648bf9e0d}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -

-- LOG 3 --
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 7/24/2007
Time: 10:43:06 AM
User: NT AUTHORITY\SYSTEM
Computer: TPISAPPSVR01
Description:
User Logoff:
User Name: TPISAPPSVR01$
Domain: TPIS
Logon ID: (0x0,0x98CDE)
Logon Type: 3

Thanks Jeff

"Jeff Pitsch" <Jeff@Jeffpitschconsulting.com> wrote in message
news:e5jV6zfzHHA.464@TK2MSFTNGP02.phx.gbl...
> This is a win2k3 server correct? is it a domain controller? What error
> message are they receiving when they try to connect? What do the event
> logs show when they connect?
>
> Jeff Pitsch
> Microsoft MVP - Terminal Server
> Citrix Technology Professional
> Provision Networks VIP
>
> Forums not enough?
> Get support from the experts at your business
> http://jeffpitschconsulting.com
>
> Rene B wrote:
>> Hello everybody,
>>
>> I have problem accessing TS with RDC as any other user diferent than
>> administrator even if the user is part of the administrators group.
>>
>> This is my configuration:
>> MDC Server1 (TS License Server)
>> member server Server2 TS Application mode
>> Licensing: Per User (5 cals installed)
>> Local Policy: Allow log on through Terminal Services = Administrators,
>> Remote Desktop Users
>>
>> User1: member of Domain Users, Remote Desktop User, Administrators
>> User2: member of Domain Users, Remote Desktop User
>>
>> non of the users can access TS remotely, users can login locally on TS
>>
>> What else should I do?

Jeff · Jul 25, 2007

When you say "member server" are these two servers in NLB as a farm? If so,
I ran into an odd issue too that I found an answer for. If not, then I'm not
sure

"Rene B" wrote:

> Hello everybody,
>
> I have problem accessing TS with RDC as any other user diferent than
> administrator even if the user is part of the administrators group.
>
> This is my configuration:
> MDC Server1 (TS License Server)
> member server Server2 TS Application mode
> Licensing: Per User (5 cals installed)
> Local Policy: Allow log on through Terminal Services = Administrators,
> Remote Desktop Users
>
> User1: member of Domain Users, Remote Desktop User, Administrators
> User2: member of Domain Users, Remote Desktop User
>
> non of the users can access TS remotely, users can login locally on TS
>
> What else should I do?
>
>
>

Jeff · Jul 25, 2007

Verify that the local Remote Desktop Users group is authenticated in the TS
listener in your TS Configuration on both servers

"Rene B" wrote:

> Hello everybody,
>
> I have problem accessing TS with RDC as any other user diferent than
> administrator even if the user is part of the administrators group.
>
> This is my configuration:
> MDC Server1 (TS License Server)
> member server Server2 TS Application mode
> Licensing: Per User (5 cals installed)
> Local Policy: Allow log on through Terminal Services = Administrators,
> Remote Desktop Users
>
> User1: member of Domain Users, Remote Desktop User, Administrators
> User2: member of Domain Users, Remote Desktop User
>
> non of the users can access TS remotely, users can login locally on TS
>
> What else should I do?
>
>
>

Rene B · Jul 25, 2007

I'm not sure what NLB means, but I setup the first server as a Domain
Controller, DNS Server, TS License Server, file Server and Application
server. After that I create under computers the new server, then I install
the new server as a member of a domain where I enter the domain name of the
fist server.

Did I did something wrong?

"Jeff" <Jeff@discussions.microsoft.com> wrote in message
news:C68F1DAA-4D47-4B2E-BC05-19733C5B396F@microsoft.com...
> When you say "member server" are these two servers in NLB as a farm? If
> so,
> I ran into an odd issue too that I found an answer for. If not, then I'm
> not
> sure
>
> "Rene B" wrote:
>
>> Hello everybody,
>>
>> I have problem accessing TS with RDC as any other user diferent than
>> administrator even if the user is part of the administrators group.
>>
>> This is my configuration:
>> MDC Server1 (TS License Server)
>> member server Server2 TS Application mode
>> Licensing: Per User (5 cals installed)
>> Local Policy: Allow log on through Terminal Services = Administrators,
>> Remote Desktop Users
>>
>> User1: member of Domain Users, Remote Desktop User, Administrators
>> User2: member of Domain Users, Remote Desktop User
>>
>> non of the users can access TS remotely, users can login locally on TS
>>
>> What else should I do?
>>
>>
>>

Jeff Pitsch · Jul 25, 2007

Check RDP-TCP in the TS Config snap-in and confirm that Remote Desktop
Users is there and has appropriate rights.

Jeff Pitsch
Microsoft MVP - Terminal Server
Citrix Technology Professional
Provision Networks VIP

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com

Rene B wrote:
> it is win2k3 server
> It is not a DC
> error: "To log on this remote computer, you must be granted the Allow Log on
> through Terminal Services rigtht. By default , members of the Remote Desktop
> Users group have ....."
>
> Event Log after try to connect to TS:
> just secuity shows events
> Security:
> --- LOG 1: ---
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 576
> Date: 7/24/2007
> Time: 10:43:06 AM
> User: NT AUTHORITY\SYSTEM
> Computer: TPISAPPSVR01
> Description:
> Special privileges assigned to new logon:
> User Name: TPISAPPSVR01$
> Domain: TPIS
> Logon ID: (0x0,0x98CDE)
> Privileges: SeSecurityPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeTakeOwnershipPrivilege
> SeDebugPrivilege
> SeSystemEnvironmentPrivilege
> SeLoadDriverPrivilege
> SeImpersonatePrivilege
>
> --- LOG 2 --
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 540
> Date: 7/24/2007
> Time: 10:43:06 AM
> User: NT AUTHORITY\SYSTEM
> Computer: TPISAPPSVR01
> Description:
> Successful Network Logon:
> User Name: TPISAPPSVR01$
> Domain: TPIS
> Logon ID: (0x0,0x98CDE)
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name:
> Logon GUID: {31757886-c57c-2b85-f649-1f4648bf9e0d}
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> -- LOG 3 --
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 538
> Date: 7/24/2007
> Time: 10:43:06 AM
> User: NT AUTHORITY\SYSTEM
> Computer: TPISAPPSVR01
> Description:
> User Logoff:
> User Name: TPISAPPSVR01$
> Domain: TPIS
> Logon ID: (0x0,0x98CDE)
> Logon Type: 3
>
> Thanks Jeff
>
>
> "Jeff Pitsch" <Jeff@Jeffpitschconsulting.com> wrote in message
> news:e5jV6zfzHHA.464@TK2MSFTNGP02.phx.gbl...
>> This is a win2k3 server correct? is it a domain controller? What error
>> message are they receiving when they try to connect? What do the event
>> logs show when they connect?
>>
>> Jeff Pitsch
>> Microsoft MVP - Terminal Server
>> Citrix Technology Professional
>> Provision Networks VIP
>>
>> Forums not enough?
>> Get support from the experts at your business
>> http://jeffpitschconsulting.com
>>
>> Rene B wrote:
>>> Hello everybody,
>>>
>>> I have problem accessing TS with RDC as any other user diferent than
>>> administrator even if the user is part of the administrators group.
>>>
>>> This is my configuration:
>>> MDC Server1 (TS License Server)
>>> member server Server2 TS Application mode
>>> Licensing: Per User (5 cals installed)
>>> Local Policy: Allow log on through Terminal Services = Administrators,
>>> Remote Desktop Users
>>>
>>> User1: member of Domain Users, Remote Desktop User, Administrators
>>> User2: member of Domain Users, Remote Desktop User
>>>
>>> non of the users can access TS remotely, users can login locally on TS
>>>
>>> What else should I do?
>
>

Jeff · Jul 26, 2007

NLB means Network Load Balanced, which from what you replied isn't the case.
If you go into Administrative Tools on your Terminal server and to to
Terminal Configuration, click in the left pane Connections. On the Right you
will see the RDP-Tcp Listener. Right-click on it and go to Properties. Go
to the Permissions tab and make sure that the Remote Desktop Users group is
listed with the appropriate permissions. If it is listed and your users or
usergroup with Remote permissions is in the Local Remote Desktop Users group,
then they should be able to connect.

You can find the Local Remote Desktop Users group by right-clicking on My
Computer and going to Manage and finding the Groups folder on the terminal
server

"Rene B" wrote:

> I'm not sure what NLB means, but I setup the first server as a Domain
> Controller, DNS Server, TS License Server, file Server and Application
> server. After that I create under computers the new server, then I install
> the new server as a member of a domain where I enter the domain name of the
> fist server.
>
> Did I did something wrong?
>
> "Jeff" <Jeff@discussions.microsoft.com> wrote in message
> news:C68F1DAA-4D47-4B2E-BC05-19733C5B396F@microsoft.com...
> > When you say "member server" are these two servers in NLB as a farm? If
> > so,
> > I ran into an odd issue too that I found an answer for. If not, then I'm
> > not
> > sure
> >
> > "Rene B" wrote:
> >
> >> Hello everybody,
> >>
> >> I have problem accessing TS with RDC as any other user diferent than
> >> administrator even if the user is part of the administrators group.
> >>
> >> This is my configuration:
> >> MDC Server1 (TS License Server)
> >> member server Server2 TS Application mode
> >> Licensing: Per User (5 cals installed)
> >> Local Policy: Allow log on through Terminal Services = Administrators,
> >> Remote Desktop Users
> >>
> >> User1: member of Domain Users, Remote Desktop User, Administrators
> >> User2: member of Domain Users, Remote Desktop User
> >>
> >> non of the users can access TS remotely, users can login locally on TS
> >>
> >> What else should I do?
> >>
> >>
> >>
>
>
>

Rene B · Jul 26, 2007

should I install TS on both servers? for now I have just installed on
server2, while server1 still configured as Remote Desktop for Administration

everything was in the way that you told me to.

"Jeff" <Jeff@discussions.microsoft.com> wrote in message
news:94160F70-0A87-4724-BD6D-B219318CE7C7@microsoft.com...
> Verify that the local Remote Desktop Users group is authenticated in the
> TS
> listener in your TS Configuration on both servers
>
> "Rene B" wrote:
>
>> Hello everybody,
>>
>> I have problem accessing TS with RDC as any other user diferent than
>> administrator even if the user is part of the administrators group.
>>
>> This is my configuration:
>> MDC Server1 (TS License Server)
>> member server Server2 TS Application mode
>> Licensing: Per User (5 cals installed)
>> Local Policy: Allow log on through Terminal Services = Administrators,
>> Remote Desktop Users
>>
>> User1: member of Domain Users, Remote Desktop User, Administrators
>> User2: member of Domain Users, Remote Desktop User
>>
>> non of the users can access TS remotely, users can login locally on TS
>>
>> What else should I do?
>>
>>
>>

Rene B · Jul 26, 2007

Got it, now is working, this was the problem:

> You can find the Local Remote Desktop Users group by right-clicking on My
> Computer and going to Manage and finding the Groups folder on the terminal
> server

Thanks Jeff for all the time spent on this issue

"Jeff" <Jeff@discussions.microsoft.com> wrote in message
news:4CAA8B1D-6E71-4801-89A3-1A56FEABAE50@microsoft.com...
> NLB means Network Load Balanced, which from what you replied isn't the
> case.
> If you go into Administrative Tools on your Terminal server and to to
> Terminal Configuration, click in the left pane Connections. On the Right
> you
> will see the RDP-Tcp Listener. Right-click on it and go to Properties.
> Go
> to the Permissions tab and make sure that the Remote Desktop Users group
> is
> listed with the appropriate permissions. If it is listed and your users
> or
> usergroup with Remote permissions is in the Local Remote Desktop Users
> group,
> then they should be able to connect.
>
> You can find the Local Remote Desktop Users group by right-clicking on My
> Computer and going to Manage and finding the Groups folder on the terminal
> server
>
> "Rene B" wrote:
>
>> I'm not sure what NLB means, but I setup the first server as a Domain
>> Controller, DNS Server, TS License Server, file Server and Application
>> server. After that I create under computers the new server, then I
>> install
>> the new server as a member of a domain where I enter the domain name of
>> the
>> fist server.
>>
>> Did I did something wrong?
>>
>> "Jeff" <Jeff@discussions.microsoft.com> wrote in message
>> news:C68F1DAA-4D47-4B2E-BC05-19733C5B396F@microsoft.com...
>> > When you say "member server" are these two servers in NLB as a farm?
>> > If
>> > so,
>> > I ran into an odd issue too that I found an answer for. If not, then
>> > I'm
>> > not
>> > sure
>> >
>> > "Rene B" wrote:
>> >
>> >> Hello everybody,
>> >>
>> >> I have problem accessing TS with RDC as any other user diferent than
>> >> administrator even if the user is part of the administrators group.
>> >>
>> >> This is my configuration:
>> >> MDC Server1 (TS License Server)
>> >> member server Server2 TS Application mode
>> >> Licensing: Per User (5 cals installed)
>> >> Local Policy: Allow log on through Terminal Services = Administrators,
>> >> Remote Desktop Users
>> >>
>> >> User1: member of Domain Users, Remote Desktop User, Administrators
>> >> User2: member of Domain Users, Remote Desktop User
>> >>
>> >> non of the users can access TS remotely, users can login locally on TS
>> >>
>> >> What else should I do?
>> >>
>> >>
>> >>
>>
>>
>>

Rene B · Jul 26, 2007

Got it, now is working, this was the problem:

> You can find the Local Remote Desktop Users group by right-clicking on My
> Computer and going to Manage and finding the Groups folder on the terminal
> server

Thanks Jeff for all the time spent on this issue

"Rene B" <R-E-N-E-B-esto-no-va@beckerstaxservice.com> wrote in message
news:OFnrv36zHHA.1204@TK2MSFTNGP03.phx.gbl...
> should I install TS on both servers? for now I have just installed on
> server2, while server1 still configured as Remote Desktop for
> Administration
>
> everything was in the way that you told me to.
>
>
>
> "Jeff" <Jeff@discussions.microsoft.com> wrote in message
> news:94160F70-0A87-4724-BD6D-B219318CE7C7@microsoft.com...
>> Verify that the local Remote Desktop Users group is authenticated in the
>> TS
>> listener in your TS Configuration on both servers
>>
>> "Rene B" wrote:
>>
>>> Hello everybody,
>>>
>>> I have problem accessing TS with RDC as any other user diferent than
>>> administrator even if the user is part of the administrators group.
>>>
>>> This is my configuration:
>>> MDC Server1 (TS License Server)
>>> member server Server2 TS Application mode
>>> Licensing: Per User (5 cals installed)
>>> Local Policy: Allow log on through Terminal Services = Administrators,
>>> Remote Desktop Users
>>>
>>> User1: member of Domain Users, Remote Desktop User, Administrators
>>> User2: member of Domain Users, Remote Desktop User
>>>
>>> non of the users can access TS remotely, users can login locally on TS
>>>
>>> What else should I do?
>>>
>>>
>>>
>
>