Discussion:
TS Set up on domain
(too old to reply)
RickN
2004-12-31 23:07:01 UTC
Permalink
I have an active directory network and want to set
up a second server, that will not be the domain controller,
but will allow multiple user access through terminal server.
I want the terminal server to allow access to any domain
user, but it rejects with the message 'The local policy of this system does
not permit you to logon interactively.'

The terminal server configuration does not appear on the 'active directory
users and computers' tab, so I'm not sure how to configure this through AD.
Any suggestions would be appreciated.
Thanks,
Rick
--
Rick
Vera Noest [MVP]
2005-01-01 12:57:20 UTC
Permalink
What OS are you running on the Terminal Server?
If you run W2K, you need to give your users the "Log On Locally" user
right on the Terminal Server.
If you run 2003, you have to make your users member of the local
group "Remote Desktop Users" on the TS.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
Post by RickN
I have an active directory network and want to set
up a second server, that will not be the domain controller,
but will allow multiple user access through terminal server.
I want the terminal server to allow access to any domain
user, but it rejects with the message 'The local policy of this
system does not permit you to logon interactively.'
The terminal server configuration does not appear on the 'active
directory users and computers' tab, so I'm not sure how to
configure this through AD. Any suggestions would be appreciated.
Thanks,
Rick
RickN
2005-01-01 15:33:04 UTC
Permalink
I'm using 2003.
First time I've set up TS so maybe I misunderstand something. I am trying
to avoid having to add them as local users, because I want them to use their
Domain log in. Is there a way to add them to the local Remote desk top group
using their domain user configuration, or do I need to add them as a local
user on the TS. The problem as I understand it is that if they log on to the
TS as a local user then they won't be able to see the rest of the domain
network with their assigned priviliges. I want both the domain log in
priviliges and TS access. Surely this must be possible, but I'm not sure how
to achieve that. Maybe you can clarify this for me.
Thanks,
Rick
Post by Vera Noest [MVP]
What OS are you running on the Terminal Server?
If you run W2K, you need to give your users the "Log On Locally" user
right on the Terminal Server.
If you run 2003, you have to make your users member of the local
group "Remote Desktop Users" on the TS.
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
Post by RickN
I have an active directory network and want to set
up a second server, that will not be the domain controller,
but will allow multiple user access through terminal server.
I want the terminal server to allow access to any domain
user, but it rejects with the message 'The local policy of this
system does not permit you to logon interactively.'
The terminal server configuration does not appear on the 'active
directory users and computers' tab, so I'm not sure how to
configure this through AD. Any suggestions would be appreciated.
Thanks,
Rick
Vera Noest [MVP]
2005-01-01 21:22:47 UTC
Permalink
No need to create local user accounts on the TS, just add the
domain accounts to the local Remote Desktop Users group on the TS.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
Post by RickN
I'm using 2003.
First time I've set up TS so maybe I misunderstand something. I
am trying to avoid having to add them as local users, because I
want them to use their Domain log in. Is there a way to add
them to the local Remote desk top group using their domain user
configuration, or do I need to add them as a local user on the
TS. The problem as I understand it is that if they log on to
the TS as a local user then they won't be able to see the rest
of the domain network with their assigned priviliges. I want
both the domain log in priviliges and TS access. Surely this
must be possible, but I'm not sure how to achieve that. Maybe
you can clarify this for me. Thanks,
Rick
Post by Vera Noest [MVP]
What OS are you running on the Terminal Server?
If you run W2K, you need to give your users the "Log On
Locally" user right on the Terminal Server.
If you run 2003, you have to make your users member of the
local group "Remote Desktop Users" on the TS.
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
Post by RickN
I have an active directory network and want to set
up a second server, that will not be the domain controller,
but will allow multiple user access through terminal server.
I want the terminal server to allow access to any domain
user, but it rejects with the message 'The local policy of
this system does not permit you to logon interactively.'
The terminal server configuration does not appear on the
'active directory users and computers' tab, so I'm not sure
how to configure this through AD. Any suggestions would be
appreciated. Thanks,
Rick
RickN
2005-01-02 01:25:03 UTC
Permalink
Sounds like we've come full circle. What I've learned so far is that the
reason I can't add domain users to this new TS server is not because of TS
limitations. All along I've wanted to add domain accounts to the local
Remote Desktop Users group. However, even though this server is part of the
domain and allows domain user local logons, when I try to add a domain user
to the Remote Desktop Users group, it does not recognize the domain user in
any format, it only searches the local computer for the user name. Sounds
like the problem isn't TS but a domain problem. Any thoughts on why it would
not see the domain users from this new TS server?
Thanks,
Rick
Post by Vera Noest [MVP]
No need to create local user accounts on the TS, just add the
domain accounts to the local Remote Desktop Users group on the TS.
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
Post by RickN
I'm using 2003.
First time I've set up TS so maybe I misunderstand something. I
am trying to avoid having to add them as local users, because I
want them to use their Domain log in. Is there a way to add
them to the local Remote desk top group using their domain user
configuration, or do I need to add them as a local user on the
TS. The problem as I understand it is that if they log on to
the TS as a local user then they won't be able to see the rest
of the domain network with their assigned priviliges. I want
both the domain log in priviliges and TS access. Surely this
must be possible, but I'm not sure how to achieve that. Maybe
you can clarify this for me. Thanks,
Rick
Post by Vera Noest [MVP]
What OS are you running on the Terminal Server?
If you run W2K, you need to give your users the "Log On
Locally" user right on the Terminal Server.
If you run 2003, you have to make your users member of the
local group "Remote Desktop Users" on the TS.
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
Post by RickN
I have an active directory network and want to set
up a second server, that will not be the domain controller,
but will allow multiple user access through terminal server.
I want the terminal server to allow access to any domain
user, but it rejects with the message 'The local policy of
this system does not permit you to logon interactively.'
The terminal server configuration does not appear on the
'active directory users and computers' tab, so I'm not sure
how to configure this through AD. Any suggestions would be
appreciated. Thanks,
Rick
Vera Noest [MVP]
2005-01-02 14:28:07 UTC
Permalink
When you open the Remote Desktop Users group and click on the "Add
users" button, have you checked under the "Object types" button?
I've seen this happen when only "Users" and "Computer" objects are
selected, but not "Groups". Also check that the Location is set to
the domain.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
Post by RickN
Sounds like we've come full circle. What I've learned so far is
that the reason I can't add domain users to this new TS server
is not because of TS limitations. All along I've wanted to add
domain accounts to the local Remote Desktop Users group.
However, even though this server is part of the domain and
allows domain user local logons, when I try to add a domain user
to the Remote Desktop Users group, it does not recognize the
domain user in any format, it only searches the local computer
for the user name. Sounds like the problem isn't TS but a
domain problem. Any thoughts on why it would not see the domain
users from this new TS server? Thanks,
Rick
Post by Vera Noest [MVP]
No need to create local user accounts on the TS, just add the
domain accounts to the local Remote Desktop Users group on the TS.
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
Post by RickN
I'm using 2003.
First time I've set up TS so maybe I misunderstand something.
I am trying to avoid having to add them as local users,
because I want them to use their Domain log in. Is there a
way to add them to the local Remote desk top group using
their domain user configuration, or do I need to add them as
a local user on the TS. The problem as I understand it is
that if they log on to the TS as a local user then they won't
be able to see the rest of the domain network with their
assigned priviliges. I want both the domain log in
priviliges and TS access. Surely this must be possible, but
I'm not sure how to achieve that. Maybe you can clarify this
for me. Thanks, Rick
Post by Vera Noest [MVP]
What OS are you running on the Terminal Server?
If you run W2K, you need to give your users the "Log On
Locally" user right on the Terminal Server.
If you run 2003, you have to make your users member of the
local group "Remote Desktop Users" on the TS.
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
wrote on 01 jan 2005 in
Post by RickN
I have an active directory network and want to set
up a second server, that will not be the domain
controller, but will allow multiple user access through
terminal server. I want the terminal server to allow
access to any domain user, but it rejects with the message
'The local policy of this system does not permit you to
logon interactively.'
The terminal server configuration does not appear on the
'active directory users and computers' tab, so I'm not
sure how to configure this through AD. Any suggestions
would be appreciated. Thanks,
Rick
RickN
2005-01-02 16:01:01 UTC
Permalink
When I go to the Remote Desktop Users group and click on the "Add users"
button, under "Object Types" it only offers "Built in Security Principals"
and "users". Under the "Location" button it only shows this computer, it
does not offer the domain as an option.
Thanks,
Rick
Post by Vera Noest [MVP]
When you open the Remote Desktop Users group and click on the "Add
users" button, have you checked under the "Object types" button?
I've seen this happen when only "Users" and "Computer" objects are
selected, but not "Groups". Also check that the Location is set to
the domain.
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
Post by RickN
Sounds like we've come full circle. What I've learned so far is
that the reason I can't add domain users to this new TS server
is not because of TS limitations. All along I've wanted to add
domain accounts to the local Remote Desktop Users group.
However, even though this server is part of the domain and
allows domain user local logons, when I try to add a domain user
to the Remote Desktop Users group, it does not recognize the
domain user in any format, it only searches the local computer
for the user name. Sounds like the problem isn't TS but a
domain problem. Any thoughts on why it would not see the domain
users from this new TS server? Thanks,
Rick
Post by Vera Noest [MVP]
No need to create local user accounts on the TS, just add the
domain accounts to the local Remote Desktop Users group on the TS.
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
Post by RickN
I'm using 2003.
First time I've set up TS so maybe I misunderstand something.
I am trying to avoid having to add them as local users,
because I want them to use their Domain log in. Is there a
way to add them to the local Remote desk top group using
their domain user configuration, or do I need to add them as
a local user on the TS. The problem as I understand it is
that if they log on to the TS as a local user then they won't
be able to see the rest of the domain network with their
assigned priviliges. I want both the domain log in
priviliges and TS access. Surely this must be possible, but
I'm not sure how to achieve that. Maybe you can clarify this
for me. Thanks, Rick
Post by Vera Noest [MVP]
What OS are you running on the Terminal Server?
If you run W2K, you need to give your users the "Log On
Locally" user right on the Terminal Server.
If you run 2003, you have to make your users member of the
local group "Remote Desktop Users" on the TS.
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
wrote on 01 jan 2005 in
Post by RickN
I have an active directory network and want to set
up a second server, that will not be the domain
controller, but will allow multiple user access through
terminal server. I want the terminal server to allow
access to any domain user, but it rejects with the message
'The local policy of this system does not permit you to
logon interactively.'
The terminal server configuration does not appear on the
'active directory users and computers' tab, so I'm not
sure how to configure this through AD. Any suggestions
would be appreciated. Thanks,
Rick
Steve JHU
2005-01-02 19:35:02 UTC
Permalink
Hey Rick...is your server joined to the domain? Doesn't sound like it is.

Also, don't forget to lock down your terminal server before you put it into
production. Use Group Policy for that. If you have a 2000 Active Directory,
the Terminal Server should update it with the new TS2003 Group Policy
Objects. Can't remember if that's updated when you join the server to the
domain or if you need to bring up the Group Policy Snap-In in an MMC on the
server first. Good luck...

Steve
Post by RickN
When I go to the Remote Desktop Users group and click on the "Add users"
button, under "Object Types" it only offers "Built in Security Principals"
and "users". Under the "Location" button it only shows this computer, it
does not offer the domain as an option.
Thanks,
Rick
Post by Vera Noest [MVP]
When you open the Remote Desktop Users group and click on the "Add
users" button, have you checked under the "Object types" button?
I've seen this happen when only "Users" and "Computer" objects are
selected, but not "Groups". Also check that the Location is set to
the domain.
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
Post by RickN
Sounds like we've come full circle. What I've learned so far is
that the reason I can't add domain users to this new TS server
is not because of TS limitations. All along I've wanted to add
domain accounts to the local Remote Desktop Users group.
However, even though this server is part of the domain and
allows domain user local logons, when I try to add a domain user
to the Remote Desktop Users group, it does not recognize the
domain user in any format, it only searches the local computer
for the user name. Sounds like the problem isn't TS but a
domain problem. Any thoughts on why it would not see the domain
users from this new TS server? Thanks,
Rick
Post by Vera Noest [MVP]
No need to create local user accounts on the TS, just add the
domain accounts to the local Remote Desktop Users group on the TS.
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
Post by RickN
I'm using 2003.
First time I've set up TS so maybe I misunderstand something.
I am trying to avoid having to add them as local users,
because I want them to use their Domain log in. Is there a
way to add them to the local Remote desk top group using
their domain user configuration, or do I need to add them as
a local user on the TS. The problem as I understand it is
that if they log on to the TS as a local user then they won't
be able to see the rest of the domain network with their
assigned priviliges. I want both the domain log in
priviliges and TS access. Surely this must be possible, but
I'm not sure how to achieve that. Maybe you can clarify this
for me. Thanks, Rick
Post by Vera Noest [MVP]
What OS are you running on the Terminal Server?
If you run W2K, you need to give your users the "Log On
Locally" user right on the Terminal Server.
If you run 2003, you have to make your users member of the
local group "Remote Desktop Users" on the TS.
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
wrote on 01 jan 2005 in
Post by RickN
I have an active directory network and want to set
up a second server, that will not be the domain
controller, but will allow multiple user access through
terminal server. I want the terminal server to allow
access to any domain user, but it rejects with the message
'The local policy of this system does not permit you to
logon interactively.'
The terminal server configuration does not appear on the
'active directory users and computers' tab, so I'm not
sure how to configure this through AD. Any suggestions
would be appreciated. Thanks,
Rick
Vera Noest [MVP]
2005-01-03 19:48:19 UTC
Permalink
Are you sure that the TS is a member of the domain?
Are you using a Domain Administrator account (not the local
Administrator account on the TS)?

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
Post by RickN
When I go to the Remote Desktop Users group and click on the
"Add users" button, under "Object Types" it only offers "Built
in Security Principals" and "users". Under the "Location"
button it only shows this computer, it does not offer the domain
as an option. Thanks,
Rick
Post by Vera Noest [MVP]
When you open the Remote Desktop Users group and click on the
"Add users" button, have you checked under the "Object types"
button? I've seen this happen when only "Users" and "Computer"
objects are selected, but not "Groups". Also check that the
Location is set to the domain.
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
Post by RickN
Sounds like we've come full circle. What I've learned so far
is that the reason I can't add domain users to this new TS
server is not because of TS limitations. All along I've
wanted to add domain accounts to the local Remote Desktop
Users group. However, even though this server is part of the
domain and allows domain user local logons, when I try to add
a domain user to the Remote Desktop Users group, it does not
recognize the domain user in any format, it only searches the
local computer for the user name. Sounds like the problem
isn't TS but a domain problem. Any thoughts on why it would
not see the domain users from this new TS server? Thanks,
Rick
Post by Vera Noest [MVP]
No need to create local user accounts on the TS, just add
the domain accounts to the local Remote Desktop Users group
on the TS.
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
wrote on 01 jan 2005 in
Post by RickN
I'm using 2003.
First time I've set up TS so maybe I misunderstand
something.
I am trying to avoid having to add them as local users,
because I want them to use their Domain log in. Is there
a way to add them to the local Remote desk top group using
their domain user configuration, or do I need to add them
as a local user on the TS. The problem as I understand it
is that if they log on to the TS as a local user then they
won't be able to see the rest of the domain network with
their assigned priviliges. I want both the domain log in
priviliges and TS access. Surely this must be possible,
but I'm not sure how to achieve that. Maybe you can
clarify this for me. Thanks, Rick
Post by Vera Noest [MVP]
What OS are you running on the Terminal Server?
If you run W2K, you need to give your users the "Log On
Locally" user right on the Terminal Server.
If you run 2003, you have to make your users member of
the local group "Remote Desktop Users" on the TS.
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email
---
wrote on 01 jan 2005 in
Post by RickN
I have an active directory network and want to set
up a second server, that will not be the domain
controller, but will allow multiple user access through
terminal server. I want the terminal server to allow
access to any domain user, but it rejects with the
message 'The local policy of this system does not
permit you to logon interactively.'
The terminal server configuration does not appear on
the 'active directory users and computers' tab, so I'm
not sure how to configure this through AD. Any
suggestions would be appreciated. Thanks,
Rick
Loading...