Bug in Win XP Remote Desktop on upgraded systems?

  • Thread starter Thread starter Michael T. Davis
  • Start date Start date
M

Michael T. Davis

I believe I have come across a bug in Windows XP. In this particular
case, the system was upgraded from Windows 2000 Pro to Windows XP Pro. The
problem might be more widespread, though. The one note of commonality I have
noted while researching this problem is that it is only manifested on upgraded
systems. Under clean installations of Windows XP, the problem does not show
up.

As you know, any admin. user with a password (who isn't specifically
denied Remote Desktop [RD] access) may connect to an XP system, provided
RD access is enabled. This is controlled via the "Allow logon through
Terminal Services" user right (accessed via "Local Security Settings,"
gpedit.msc, etc.). On a clean XP install, this right lists Administrators
and "Remote Desktop Users." On an upgraded system (at least as described
above), this user right is _blank_. What's more, if you attempt to add either
of the groups that should be there by default, you get a dialog indicating the
group isn't valid, even though it's clear the groups exist from checking other
aspects of the system. It is possible to add individual users, including those
who should have this right by default, but the functionality to add the
_groups_ that should have this right _by default_ appears to be broken. The
behavior exhibited when someone who is supposed to be able to connect to the
system via RD attempts to do so is a dialog with the infamous "The local
policy of this system does not permit you to logon interactively."

If there's an easy fix for this problem, I haven't been able to find
it. (Adding the individual users is NOT a fix, it's a work-around.) If
anyone has a fix so that the proper groups can be added to the user right,
I'd love to see it (apart from a clean install). FWIW, the (now) Win XP Pro
system has all "Critical Updates" (including SP1) and most "Recommended
Updates" which purport to fix things applied.

Regards,
Mike
 
Actually, I would term that as a security feature (i.e., don't
increase permissions when doing an upgrade).

One workaround if you are in a domain environment is to specify these
permissions as a part of the domain group policy (or one of the more
specific GP's you can tailor toward individual machines, as needed).

Jeffrey Randow (Windows MVP - Networking & Smart Display)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Wiki -
http://www.remotenetworktechnology.com
Smart Display Support - http://www.smartdisplays.net
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone


I believe I have come across a bug in Windows XP. In this particular
case, the system was upgraded from Windows 2000 Pro to Windows XP Pro. The
problem might be more widespread, though. The one note of commonality I have
noted while researching this problem is that it is only manifested on upgraded
systems. Under clean installations of Windows XP, the problem does not show
up.

As you know, any admin. user with a password (who isn't specifically
denied Remote Desktop [RD] access) may connect to an XP system, provided
RD access is enabled. This is controlled via the "Allow logon through
Terminal Services" user right (accessed via "Local Security Settings,"
gpedit.msc, etc.). On a clean XP install, this right lists Administrators
and "Remote Desktop Users." On an upgraded system (at least as described
above), this user right is _blank_. What's more, if you attempt to add either
of the groups that should be there by default, you get a dialog indicating the
group isn't valid, even though it's clear the groups exist from checking other
aspects of the system. It is possible to add individual users, including those
who should have this right by default, but the functionality to add the
_groups_ that should have this right _by default_ appears to be broken. The
behavior exhibited when someone who is supposed to be able to connect to the
system via RD attempts to do so is a dialog with the infamous "The local
policy of this system does not permit you to logon interactively."

If there's an easy fix for this problem, I haven't been able to find
it. (Adding the individual users is NOT a fix, it's a work-around.) If
anyone has a fix so that the proper groups can be added to the user right,
I'd love to see it (apart from a clean install). FWIW, the (now) Win XP Pro
system has all "Critical Updates" (including SP1) and most "Recommended
Updates" which purport to fix things applied.

Regards,
Mike
Click to expand...
 
"Jeffrey Randow (MVP) said:
Actually, I would term that as a security feature (i.e., don't
increase permissions when doing an upgrade).

One workaround if you are in a domain environment is to specify these
permissions as a part of the domain group policy (or one of the more
specific GP's you can tailor toward individual machines, as needed).
Click to expand...

Actually, allowing additional access would be a decrease in
permissions, wouldn't it? At any rate, my concern is not the lack
of permissions, but the fact that I can't add Administrators and/or
"Remote Desktop Users" as groups to the "rights list" which specifies
who can logon via Remote Desktop. The system in question is not a
domain member, so your workaround doesn't help, unfortunately.
Jeffrey Randow (Windows MVP - Networking & Smart Display)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Wiki -
http://www.remotenetworktechnology.com
Smart Display Support - http://www.smartdisplays.net
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone


I believe I have come across a bug in Windows XP. In this particular
case, the system was upgraded from Windows 2000 Pro to Windows XP Pro. The
problem might be more widespread, though. The one note of commonality I have
noted while researching this problem is that it is only manifested on upgraded
systems. Under clean installations of Windows XP, the problem does not show
up.

As you know, any admin. user with a password (who isn't specifically
denied Remote Desktop [RD] access) may connect to an XP system, provided
RD access is enabled. This is controlled via the "Allow logon through
Terminal Services" user right (accessed via "Local Security Settings,"
gpedit.msc, etc.). On a clean XP install, this right lists Administrators
and "Remote Desktop Users." On an upgraded system (at least as described
above), this user right is _blank_. What's more, if you attempt to add either
of the groups that should be there by default, you get a dialog indicating the
group isn't valid, even though it's clear the groups exist from checking other
aspects of the system. It is possible to add individual users, including those
who should have this right by default, but the functionality to add the
_groups_ that should have this right _by default_ appears to be broken. The
behavior exhibited when someone who is supposed to be able to connect to the
system via RD attempts to do so is a dialog with the infamous "The local
policy of this system does not permit you to logon interactively."

If there's an easy fix for this problem, I haven't been able to find
it. (Adding the individual users is NOT a fix, it's a work-around.) If
anyone has a fix so that the proper groups can be added to the user right,
I'd love to see it (apart from a clean install). FWIW, the (now) Win XP Pro
system has all "Critical Updates" (including SP1) and most "Recommended
Updates" which purport to fix things applied.

Regards,
Mike
Click to expand...
Click to expand...

Regards,
Mike
 
Back
Top