TS client NG on mach with only User rights assigned

  • Thread starter: bill

bill

I'm finding that the TS client will not run on a client
machine IF the logged in user has ONLY USER rights
(restricted)...
It seems that Power User right must be assigned..

IS there a way to make the TS client work with just USER
rights?

I don't like giving users too many rights or power

thx
bill
 
If you see event 1004 (cannot issue license) on the TS when a
restricted user tries to connect, then the solution is to give them
read + write permissions on the registry key that is used to store
the license: HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing
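
The permission change described in the reply above, as an added example that is not part of the original post. It assumes the client has Windows PowerShell available and is run from an elevated session; the rights chosen (ReadKey and WriteKey for BUILTIN\Users) are this example's reading of "read + write".

```powershell
# Added example, not from the thread: grant BUILTIN\Users read + write on the
# MSLicensing key only, instead of adding the account to Power Users.
$keyPath  = 'HKLM:\Software\Microsoft\MSLicensing'   # key named in the reply above
$usersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users

function Show-UsersRules {
    # List the access rules that apply to BUILTIN\Users on the key.
    param([string]$Path, [string]$Label)
    Write-Host $Label
    (Get-Acl -Path $Path).GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $usersSid.Value } |
        Format-Table RegistryRights, AccessControlType, IsInherited -AutoSize |
        Out-String | Write-Host
}

if (-not (Test-Path -Path $keyPath)) {
    throw "$keyPath not found; nothing to change."
}

Show-UsersRules -Path $keyPath -Label 'Before:'

# Allow rule scoped to this key and its subkeys; nothing else in HKLM is touched.
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey'
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $usersSid,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $keyPath
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

Show-UsersRules -Path $keyPath -Label 'After:'
```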
 
Nothing is in the event logs

it tells me
"Client could not establish a connection to the remote
computer"

bill
 
Mmm, strange.
Is the TS installed in Remote Administration or Application Server
mode?
Have you checked the security on the tcp-connection?
Is it listening on the standard port 3389 or a different port?
Is the user on the workstation using the same port in the
rdp-client as the TS?
I assume that the user is restricted both on the local workstation
and on the TS? Could you try to narrow the problem down by making
the user a member of the local workstation's Administrators group,
but leaving him restricted on the domain? And then the other way
around, if necessary?
What OS and SP do you run on the TS and the client?
Have you tried to upgrade the client to the latest version (5.2)?
That won't solve the problem, but might give a better error
message.

http://www.microsoft.com/downloads/details.aspx?FamilyID=a8255ffc-4b4a-40e7-a706-cde7e9b57e79&DisplayLang=en
 
The problem exists 100% on the client machine.

see when I deploy a machine to a user to use at
their "Home Office"
I create a "local login" (call it USERID: local1) on the
machine and set the user ID (local1) to restricted
rights... NG on TS client running and connecting

IF I change the user ID rights to power user the MSTSC
client works OK...but for a user with restricted rights NG

Client machine is: CPQ Ipaq PIII 500, W2k Pro Sp4+,
128MB,. 10GB HD
Yes running latest client 5.1.2600.00

bill
 
Just to avoid any misunderstanding: NG=No Go or No Good or..???

I would enable auditing of all security events on the local
workstation and check the local Security EventLog.
Is this happening on a single client, or on all clients? Are these
clients part of a W2K AD domain? Are there any restrictive
policies in place in the domain?

By the way, the latest client is 5.2.3790
(downloadable from the link that I posted)
 
NLB = Network Load Balancing
NG = No Good

OK more light on this subject....

I've found the following...
1.) Happens to ANY new client machine (that has never
connected to a TS before)
2.) Still NT 4 domain (no mix)
3.) NO policies

4.) OK Here's some light....
the 2 TS servers (TS1 and TS2) the client is trying to
connect to are routed thru a Coyote Point E350.. NLB

SO for some reason it appears that the E350 is blocking
the communication necessary for the MSTSC client to
obtain? its license....

IF I have the said client machine connect to one of my
other TS's not routed by the E350 the client connects 100%
and everything is fine.... NOW if I then have the client
try to connect to the TS's-NLB (TS1 or TS2) it works OK..
I assume because the client was able to make a "proper"
connection to get its "proper" licensing info

So can you tell me more details about the TS passing
licensing info to the client?
the E350 passes TCPIP, BUT I do not think it passes
netbios or it's blocking something...
As I am also having problems using TSadmin.exe to manage
all the TS's
i.e. TSadmin run on either TS1 or TS2 does NOT "see" any
other TS's only itself.
TSadmin.exe run on my workstation does NOT "see" TS1 or
TS2 only my other TS's on my network

thanks
bill
 
Aaaah, now we're getting to the heart of the matter!
On first connection, all clients get a temporary license. On
second connection, the permanent license is transferred from the
TS to the client. It seems that this process does not work in your
NLB setup. And you're right, once the client has received a valid
TS CAL (by connecting to a non-NLB TS), it will be able to connect
to an NLB-TS, since the TS then only checks for the presence of a
valid license. This is however not a good workaround, since you
probably get the same problem again when the license has to be
renewed after expiration.

Could it be that the Coyote Point E350 is in effect acting like a
"black hole router", which blocks packets above a certain size?
This prevents the transfer of the permanent TS CAL to the client.

If this is the problem, you have to change the MTU size. Check the
Terminal Services FAQ, there are 2 items about this under
"Connectivity"

http://www.microsoft.com/windowsserver2003/community/centers/terminal/terminal_faq.asp
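
A way to test the "black hole router" theory from the reply above before changing any MTU setting, as an added example that is not part of the original post. It assumes PowerShell on the client and that the target answers ICMP echo through the load balancer; the function name and the host name in the usage comment are hypothetical.

```powershell
# Added example, not from the thread: binary-search the largest ICMP payload that
# crosses the path with Don't Fragment set, and record how oversize probes fail.
function Find-MaxUnfragmentedPayload {
    param(
        [Parameter(Mandatory = $true)] [string]$Target,
        [int]$Low       = 548,    # 576-byte IP packet minus 20 (IP) and 8 (ICMP)
        [int]$High      = 1472,   # 1500-byte Ethernet MTU minus the same 28 bytes
        [int]$TimeoutMs = 2000
    )
    $ping = New-Object System.Net.NetworkInformation.Ping
    $opts = New-Object System.Net.NetworkInformation.PingOptions(128, $true)  # TTL 128, DF set
    $best = 0
    $lastFailure = $null

    while ($Low -le $High) {
        $size  = [int][math]::Floor(($Low + $High) / 2)
        $reply = $ping.Send($Target, $TimeoutMs, (New-Object byte[] $size), $opts)
        if ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success) {
            $best = $size
            $Low  = $size + 1
        } else {
            $lastFailure = $reply.Status
            $High = $size - 1
        }
    }

    # PacketTooBig: a hop reported the limit, so path MTU discovery can work.
    # TimedOut above a size that succeeds: large packets vanish silently,
    # which is the black-hole pattern described in the reply.
    $verdict = switch ("$lastFailure") {
        ''             { 'No size limit found in the tested range' }
        'PacketTooBig' { 'Limit is reported by the path (not a black hole)' }
        'TimedOut'     { 'Oversize packets dropped silently (black-hole pattern)' }
        default        { "Inconclusive: $lastFailure" }
    }

    [pscustomobject]@{
        Target      = $Target
        MaxPayload  = $best
        PathMtu     = if ($best -gt 0) { $best + 28 } else { $null }
        LastFailure = $lastFailure
        Verdict     = $verdict
    }
}

# Usage (host name is a placeholder): Find-MaxUnfragmentedPayload -Target 'ts-nlb.example.test'
```

Running it once against a TS behind the E350 and once against a TS that is not gives a direct comparison of the two paths.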
 
ummmm..I'll have to check with Coyote Point

it shouldn't block packet size....but weird things do happen

let me see what I can find out and maybe I'll mess with the
MTU size a bit too

bill
 