Interactive Logon Problem


Have spent substantial time on this. Days, not hours. Read dozens of posts here and elsewhere and have done as advised by Q289289, Q303846 and the often referenced post from the Google group. None of these changes the fact that I cannot logon to the machine with a USER (as opposed to Administrator) account. The target WinXP Pro machine has Novell client. I removed it to take that out of the picture. No change. I have tried connecting to the machine over the LAN as well as from the Internet. No change. The target machine is in a Domain. Nothing in earlier posts mentions Domain group policy settings to look at although about the only change to that policy we have made is to make the logon name not remembered from the previous logon and applied that policy at the domain level. No other changes there. I get the sense from many of the earlier posts that for this exact problem we have not yet reached a final answer. Am I wrong in this interpretation? What am I missing? Is this problem resolvable without making these users into machine administrators (which is not an acceptable choice even though it does solve the problem)?

Thanks in advance
 
If there is a Failure Audit (event ID 534, category Logon/Logoff) in the
Security event log, check:

1) The account you are trying to log on to XP with should be in the Remote
Desktop Users group of the target machine. Running the DOS command
net localgroup "Remote Desktop Users" will tell you if the account is in this
group.

2) On the XP machine, check that "Remote Desktop Users" has the "Allow log on
through Terminal Services" right, and make sure there is no "Deny" on either
the account or the Remote Desktop Users group. You might also want to check GP.

Let me know if this helps.

--


This posting is provided "AS IS" with no warranties, and confers no rights.
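The three checks in the reply above (group membership, the Terminal Services user right and its Deny counterpart, and the logon audit events), collected into one script. This is an added example for readers of the thread, not code from the original post. It assumes it is run in PowerShell (2.0 or later) as a local administrator on the target machine, and that DOMAIN\jdoe is a placeholder for the real account.

```powershell
# Added example, not from the original thread. Run elevated on the target
# machine. $Account is an assumed placeholder for the user who cannot log on.
param(
    [string]$Account = 'DOMAIN\jdoe'
)

# 1) Is the account listed directly in the local Remote Desktop Users group?
#    (A domain group that contains the user would show up as the group name,
#    not the user, so check that too if you nest groups.)
$members = net localgroup "Remote Desktop Users" |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command completed)' } |
    ForEach-Object { $_.Trim() }
"Direct members of Remote Desktop Users: $($members -join ', ')"
"$Account listed directly: $($members -contains $Account)"

# 2) Who holds "Allow log on through Terminal Services"
#    (SeRemoteInteractiveLogonRight) and who is explicitly denied it
#    (SeDenyRemoteInteractiveLogonRight)? secedit exports the effective local
#    policy as an .inf; rights are listed as *SID, which we translate to names.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$infLines = Get-Content $inf
foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $line = $infLines | Where-Object { $_ -like "$right*" }
    if (-not $line) { "$right : (not assigned to anyone)"; continue }
    $principals = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            (New-Object Security.Principal.SecurityIdentifier($sid)).Translate(
                [Security.Principal.NTAccount]).Value
        } catch { $sid }   # leave it as a raw SID if it cannot be resolved
    }
    "$right : $($principals -join ', ')"
}
Remove-Item $inf -ErrorAction SilentlyContinue

# 3) Recent audit events for this user. On XP: 528 = successful logon,
#    529 = bad user name/password, 534 = "not granted the requested logon
#    type at this machine" (the case the reply above asks about).
$user = $Account.Split('\')[-1]
Get-EventLog -LogName Security -Newest 500 |
    Where-Object { (528, 529, 534) -contains $_.EventID -and $_.Message -match [regex]::Escape($user) } |
    Select-Object TimeGenerated, EventID, EntryType,
        @{ n = 'LogonType'; e = { if ($_.Message -match 'Logon Type:\s+(\d+)') { $Matches[1] } } } |
    Format-Table -AutoSize
```

Note that step 2 reports the local policy only; if a domain GPO assigns or denies the right, secedit's export still shows the effective result on this machine, so an unexpected Deny entry here points at GP rather than at the local settings.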
 
There are no Event ID 534 entries in the log.
The account used to log on remotely is a domain user account that does appear in the "net localgroup" command.
The group "Remote Desktop Users" has been granted the "Allow logon through terminal services" right in the local machine policy. There are no "Deny" entries on the local machine. There is nothing in the AD GP dealing with this issue.

What other suggestions are there?
 
Interesting. Adding a domain account to the Remote Desktop Users group should
work. Are there any other security audit events, like logon success/failure?
What's the exact error message you see? If you create a normal user account
(added to the Remote Desktop Users group) on that machine, can you remote
desktop using that account?

 
Thank you for continuing this dialog. I appreciate the help.

The exact error message is: "Your interactive logon privilege has been disabled. Please contact your system administrator."

Interestingly, the event log shows a logon success with Event 528, success, type 2 logon. I can give you the complete logon event log entry if it would be helpful. I created the local user and put the user into the Remote Users group, and it did not work unless I also made the user a local machine administrator. Then it worked. The problem is that being a local machine administrator allows the user to also install any software they want, and administratively that is unacceptable.

<Gary>
 
Again, thank you for the help. I have the solution. The target PC is in a Domain. In ADUC, the user needed to have been granted "Allow logon to terminal server" on the Terminal Services Profile tab of their user properties. The only other change I had to make to finish this out was on the ADUC user Account tab, to restrict the user to log on ONLY to the target PC; otherwise they could theoretically Remote Desktop connect to the SERVER and do nasty stuff there. We had set up several machines inside the Domain with non-standard (not 3389) ports to listen for Remote Desktop Connections, and the users need to come in through the firewall, into the network, then to their assigned desktop PC in order to do work on their desktop PC from home or elsewhere.

For anyone following this thread, ALL of the things mentioned above have to be in place PLUS this last item for this to work. Again, thanks!
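The two ADUC settings the final post ends on, read and (optionally) set from PowerShell: the Terminal Services Profile "Allow logon to terminal server" flag, and the Account tab "Log On To" workstation list. This is an added example, not code from the thread. It uses plain ADSI, so it runs without the ActiveDirectory module, must be run as an account permitted to modify the user object, and the names jdoe and DESKTOP01 are placeholders.

```powershell
# Added example, not from the original thread. $SamAccountName and
# $Workstation are assumed placeholders. Run without -Fix to audit only.
param(
    [string]$SamAccountName = 'jdoe',
    [string]$Workstation    = 'DESKTOP01',   # NetBIOS name of the user's own PC
    [switch]$Fix
)

# Find the user object in the current domain.
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$result = $searcher.FindOne()
if (-not $result) { throw "User $SamAccountName not found" }
$user = $result.GetDirectoryEntry()

# The Terminal Services Profile tab settings are packed into the opaque
# userParameters attribute; the IADsTSUserEx interface, reachable through
# InvokeGet/InvokeSet on the ADSI object, decodes it. AllowLogon: 1 = allowed.
$allowLogon = [int]$user.InvokeGet('AllowLogon')

# The Account tab "Log On To" list is the plain userWorkstations attribute:
# a comma-separated list of NetBIOS computer names, or empty for "all".
$workstations = [string]$user.Properties['userWorkstations'].Value

"Distinguished name : $($user.distinguishedName)"
"AllowLogon (TS tab): $allowLogon"
"Log On To (Account): $(if ($workstations) { $workstations } else { 'all computers' })"

if ($Fix) {
    if ($allowLogon -ne 1) {
        # The flag the final post identifies as the missing piece.
        $user.InvokeSet('AllowLogon', 1)
    }
    if ($workstations -ne $Workstation) {
        # Pin interactive (and therefore RDP) logon to the user's own desktop so
        # the same credentials cannot be used to RDP into a server.
        $user.Put('userWorkstations', $Workstation)
    }
    $user.SetInfo()
    "Updated $SamAccountName : AllowLogon=1, userWorkstations=$Workstation"
}
```

Two practical caveats: the "Log On To" list only accepts NetBIOS names, so a fully qualified name will silently fail to match; and because userWorkstations restricts interactive logon to the listed computers, the user also loses console logon to any machine not on the list, which is exactly the effect the final post wants but is worth stating to the user beforehand.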
 