Discussion:
Windows 2003 Remote Desktop Issue.
KA Spencer
2005-05-18 22:11:02 UTC
There is NO dedicated Windows 2003 group so I am asking for help from this
group:-

I cannot see any way of getting around the error
"The local policy of the system does not permit you to logon interactively."
when non-administrator users attempt to connect to our Windows 2003 domain
controller via terminal server.
We do not want the users to be given Administrator rights.
We have tried setting the "Domain Controller Group Policy > Local Policy >
User Rights Assignment > Allow Logon Locally" to include the "Remote Desktop
Users" and put the users concerned into that Group. We have also tried adding
them individually to the policy.
We have also tried adding the Remote Desktop Users to the permissions in the
"Terminal Server Configuration > Connections" all to no avail.

Advice will be appreciated.

Kenneth Spencer
TP
2005-05-19 10:27:23 UTC
Did you refresh the policy after making the change?

gpupdate.exe

Thanks.

-TP
Post by KA Spencer
There is NO dedicated Windows 2003 group so I am asking for help from
this group:-
I cannot see any way of getting around the error
"The local policy of the system does not permit you to logon
interactively." when non-administrator users attempt to connect to
our Windows 2003 domain controller via terminal server.
We do not want the users to be given Administrator rights.
We have tried setting the "Domain Controller Group Policy > Local
Policy > User Rights Assignment > Allow Logon Locally" to include the
"Remote Desktop Users" and put the users concerned into that Group.
We have also tried adding them individually to the policy.
We have also tried adding the Remote Desktop Users to the permissions
in the "Terminal Server Configuration > Connections" all to no avail.
Advice will be appreciated.
Kenneth Spencer
KA Spencer
2005-05-24 17:10:11 UTC
Yes, we refreshed the policy (the command line given in the KB article didn't
work in Win2k3) by rebooting the server. We have tried all combinations but to
no apparent effect. Any more ideas?

Thank you

Ken.
KA Spencer
2005-05-24 17:39:30 UTC
Sorry: my last reply was a little brief and I am sure a little more
information may help you to give me further advice. Yes we have refreshed the
policy. The issue is a little more involved now we have researched it a
little more.

1. If we add a non-administrator user to the policy "Domain Controller
Security Policy > Local Policy > User Rights Assignment > Allow Logon
Locally" then it has no effect - the user still gets the error "The local
policy of the system does not permit you to logon interactively." This is
after a policy refresh or a reboot.

2. If we add a non-administrator user to the policy "Domain Controller
Security Policy > Local Policy > User Rights Assignment > Allow Logon Through
Terminal Services" then the user can logon, but no administrator user can
then logon. In that case, the administrator user gets the error "The local
policy of the system does not permit you to logon interactively."

So how do we do it ?

Thanks again,

Ken.
TP
2005-05-24 18:40:37 UTC
Are you sure admins are getting the error message you listed and
not the 'you must have the "Allow log on through Terminal Services"
right' error message?

Was the Allow logon through Terminal Services undefined prior
to you adding the non-admin user? If this is true and you only
added the non-admin user, you effectively removed the right from
admins if you didn't list them as well. The confusing thing about
"undefined" is that there are actually default rights that will be
applied that you don't see because the list is blank.

My suggestion is to set things similar to the following (adjust for your
environment):

Allow log on locally:

Account Operators
Administrators
Backup Operators
Print Operators
Remote Desktop Users
Server Operators

Allow log on through Terminal Services:

Administrators
Remote Desktop Users

Thanks.

-TP
Post by KA Spencer
Sorry: my last reply was a little brief and I am sure a little more
information may help you to give me further advice. Yes we have
refreshed the policy. The issue is a little more involved now we have
researched it a little more.
1. If we add a non-administrator user to the policy "Domain Controller
Security Policy > Local Policy > User Rights Assignment > Allow Logon
Locally" then it has no effect - the user still gets the error "The
local policy of the system does not permit you to logon
interactively." This is after a policy refresh or a reboot.
2. If we add a non-administrator user to the policy "Domain Controller
Security Policy > Local Policy > User Rights Assignment > Allow Logon
Through Terminal Services" then the user can logon, but no
administrator user can then logon. In that case, the administrator
user gets the error "The local policy of the system does not permit
you to logon interactively."
So how do we do it ?
Thanks again,
Ken.
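
The lockout TP describes above (a user right defined with only the new user, so the Administrators default disappears) can be checked from an exported policy template. This is an added example, not part of the thread: it assumes the rights were exported with `secedit /export /cfg <file> /areas USER_RIGHTS`, and the sample template and the user SID in it are constructed.

```python
import re

# Well-known SIDs of the two built-in groups both of TP's lists share.
ADMINISTRATORS = "S-1-5-32-544"
REMOTE_DESKTOP_USERS = "S-1-5-32-555"

# Privilege constants behind the two policy names in the thread.
REQUIRED = {
    "SeInteractiveLogonRight": {ADMINISTRATORS, REMOTE_DESKTOP_USERS},        # Allow log on locally
    "SeRemoteInteractiveLogonRight": {ADMINISTRATORS, REMOTE_DESKTOP_USERS},  # Allow log on through TS
}

# Constructed sample: the TS right lists a single non-admin user only.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights

def audit(inf_text):
    """List (right, missing SID) pairs; a right absent from the template is flagged as such."""
    rights = parse_privilege_rights(inf_text)
    findings = []
    for right, needed in REQUIRED.items():
        if right not in rights:
            findings.append((right, "ABSENT FROM TEMPLATE"))
            continue
        findings.extend((right, sid) for sid in sorted(needed - rights[right]))
    return findings
```

Real secedit exports are UTF-16 encoded, so decode the file before passing its text to `audit`.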
KA Spencer
2005-05-24 19:42:02 UTC
Thanks TP.

When I set the security policies to those suggested, it cured the problem.
I am very grateful to you for your help.

Regards

Ken.