Windows 2003 Remote Desktop Issue.


There is NO dedicated Windows 2003 group so I am asking for help from this
group:-

I cannot see any way of getting around the error
"The local policy of the system does not permit you to logon interactively."
when non-administrator users attempt to connect to our Windows 2003 domain
controller via terminal server.
We do not want the users to be given Administrator rights.
We have tried setting the "Domain Controller Group Policy > Local Policy >
User Rights Assignment > Allow Logon Locally" to include the "Remote Desktop
Users" and put the users concerned into that Group. We have also tried adding
them individually to the policy.
We have also tried adding the Remote Desktop Users to the permissions in the
"Terminal Server Configuration > Connections" all to no avail.

Advice will be appreciated.

Kenneth Spencer
 
Yes, we refreshed the policy (the command line given in the KB article didn't
work in Win2k3) by rebooting the server. We have tried all combinations but to
no apparent effect. Any more ideas?

Thank you

Ken.
 
Sorry: my last reply was a little brief and I am sure a little more
information may help you to give me further advice. Yes we have refreshed the
policy. The issue is a little more involved now we have researched it a
little more.

1. If we add a non-administrator user to the policy "Domain Controller
Security Policy > Local Policy > User Rights Assignment > Allow Logon
Locally" then it has no effect - the user still gets the error "The local
policy of the system does not permit you to logon interactively." This is
after a policy refresh or a reboot.

2. If we add a non-administrator user to the policy "Domain Controller
Security Policy > Local Policy > User Rights Assignment > Allow Logon Through
Terminal Services" then the user can logon, but no administrator user can
then logon. In that case, the administrator user gets the error "The local
policy of the system does not permit you to logon interactively."

So how do we do it?

Thanks again,

Ken.
 
Are you sure admins are getting the error message you listed and
not the you must have the "Allow log on through Terminal Services
right" error message?

Was the Allow logon through Terminal Services undefined prior
to you adding the non-admin user? If this is true and you only
added the non-admin user, you effectively removed the right from
admins if you didn't list them as well. The confusing thing about
"undefined" is that there are actually default rights that will be
applied that you don't see because the list is blank.

My suggestion is to set things similar to the following (adjust for your
environment):

Allow log on locally:

Account Operators
Administrators
Backup Operators
Print Operators
Remote Desktop Users
Server Operators

Allow log on through Terminal Services:

Administrators
Remote Desktop Users

Thanks.

-TP
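
A way to check an exported security template against the two lists suggested above, as an added example that is not part of the original thread. It assumes the INF layout written by `secedit /export /cfg`, with `SeInteractiveLogonRight` and `SeRemoteInteractiveLogonRight` as the constants behind the two rights; the sample text and the user SID in it are constructed.

```python
import configparser

# Well-known SIDs of the built-in groups named in the suggested lists.
GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-555": "Remote Desktop Users",
}
# Expected holders of each right, taken from the lists in the reply above.
EXPECTED = {
    "SeInteractiveLogonRight": set(GROUPS),  # Allow log on locally
    "SeRemoteInteractiveLogonRight": {"S-1-5-32-544", "S-1-5-32-555"},  # ...through Terminal Services
}

def audit_rights(inf_text):
    """Map each right to the expected groups it lacks; None if the right is not listed."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # keep the case of the privilege names
    cfg.read_string(inf_text)
    rights = cfg["Privilege Rights"] if cfg.has_section("Privilege Rights") else {}
    report = {}
    for right, expected in EXPECTED.items():
        if right not in rights:
            report[right] = None  # not listed in this template
            continue
        # Entries are "*SID" or, for unresolved accounts, a bare name.
        held = {e.strip().lstrip("*").upper() for e in rights[right].split(",")}
        missing = [GROUPS[s] for s in expected
                   if s not in held and GROUPS[s].upper() not in held]
        report[right] = sorted(missing)
    return report

# Constructed sample: the Terminal Services right lists only one user (placeholder SID).
BROKEN = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""
# Constructed sample: both rights set to the suggested lists.
FIXED = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551,*S-1-5-32-555
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""
```

For `BROKEN`, `audit_rights` reports Administrators and Remote Desktop Users as missing from the Terminal Services right. A real export is normally UTF-16, so read it with `encoding="utf-16"` before passing the text in.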
 
Thanks TP.

When I set the security policies to those suggested, it cured the problem.
I am very grateful to you for your help.

Regards

Ken.
 