
Deny Logon through Terminal Services Issue

Posted by Scottie D on August 22, 2006, 12:49 pm
Network Background:
Windows 2003 SP1 Server Environment

Issue:
I set the "Deny log on through Terminal Services" from 'Not Defined'
to 'Guests'. After I made this change a user was unable to logon
locally to a Windows 2000 SP4 machine, the error message read 'Local
policy of this system does not permit you to login interactively'.

I logged on locally as administrator - successful
I logged onto another machine as user with issue - successful
Determines it's a machine security issue.

After playing with settings I reviewed my security changes and changed
the "Deny log on through Terminal Services" back to 'Not Defined'.
User with issue can now logon.

User should be logging on locally not with Terminal Services, is this
a known issue with Windows 2000?

I know the issue is solved but I would like to deny 'guests' log on
through terminal services, but I am unable to add that setting without
taking away that user's access locally.


Posted by Special Access on August 22, 2006, 7:53 pm
wrote:

>Network Background:
> Windows 2003 SP1 Server Environment
>
>Issue:
> I set the "Deny log on through Terminal Services" from 'Not Defined'
>to 'Guests'. After I made this change a user was unable to logon
>locally to a Windows 2000 SP4 machine, the error message read 'Local
>policy of this system does not permit you to login interactively'.
>
> I logged on locally as administrator - successful
> I logged onto another machine as user with issue - successful
> Determines it's a machine security issue.
>
>After playing with settings I reviewed my security changes and changed
>the "Deny log on through Terminal Services" back to 'Not Defined'.
>User with issue can now logon.
>
> User should be logging on locally not with Terminal Services, is this
>a known issue with Windows 2000?
>
> I know the issue is solved but I would like to deny 'guests' log on
>through terminal services, but I am unable to add that setting without
>taking away that user's access locally.

If the user is a member of the administrators group, they should be
able to logon through TS. As far as logging on locally, there is a
specific right to allow that for non-administrative users (2003
restricts local logons to admin-capable accounts IIRC)

Is it TS that is denying the logon or are they trying to logon the
console? If it's TS, then you might try adding them to the remote
desktop group by name. We have had to do this for some users, no
reason or pattern behind it, just because it decided not to allow them
in any other way.

Obviously, you checked the GUESTS group to make sure they weren't in
there <smile>

Mike

Posted by Roger Abell [MVP] on August 23, 2006, 1:50 am
If I recall correctly the user rights to log on via TS or to deny the same
did not exist in W2k. In W2k one needed local logon user right to log
on via TS. Evidently the W2k you have is attempting to implement this
XP and later policy as best it can using the user right that it does have.
If you want to exert that control over W2k, instead of using the user
rights you are attempting to utilize, use the Permissions tab in the
properties of the RDP connectoid shown in the right panel when you are
in the Terminal
Services Configuration MMC tool. There you can state what groups are
allowed, and at what level of access, the use of a TS login.


> Network Background:
> Windows 2003 SP1 Server Environment
>
> Issue:
> I set the "Deny log on through Terminal Services" from 'Not Defined'
> to 'Guests'. After I made this change a user was unable to logon
> locally to a Windows 2000 SP4 machine, the error message read 'Local
> policy of this system does not permit you to login interactively'.
>
> I logged on locally as administrator - successful
> I logged onto another machine as user with issue - successful
> Determines it's a machine security issue.
>
> After playing with settings I reviewed my security changes and changed
> the "Deny log on through Terminal Services" back to 'Not Defined'.
> User with issue can now logon.
>
> User should be logging on locally not with Terminal Services, is this
> a known issue with Windows 2000?
>
> I know the issue is solved but I would like to deny 'guests' log on
> through terminal services, but I am unable to add that setting without
> taking away that user's access locally.
>
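
Added example, not part of the thread or written by any poster: a PowerShell check that lists which of the four logon user rights a security template defines, so a change such as the one discussed above can be reviewed before it reaches Windows 2000 machines. The sample template is constructed, the helper name `Get-PrivilegeRights` is hypothetical, and the statement that Windows 2000 lacks the two Terminal Services rights is taken from the reply above.

```powershell
# Constructed sample in the format written by:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
'@

# Well-known built-in group SIDs, so the report is readable offline.
$wellKnown = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
    'S-1-5-32-555' = 'BUILTIN\Remote Desktop Users'
}
$logonRights = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight',
               'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
# Rights that, per the reply above, Windows 2000 does not have (assumption from the thread).
$tsOnly = 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'

function Get-PrivilegeRights {   # hypothetical helper name
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # Track which INF section we are in; only [Privilege Rights] is parsed.
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            # Entries are comma-separated; SIDs carry a leading '*'.
            $rights[$name] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

$rights = Get-PrivilegeRights -Lines ($sample -split "`r?`n")
$logonRights | ForEach-Object {
    $r = $_
    $defined = $rights.ContainsKey($r)
    $names = @($rights[$r]) | Where-Object { $_ } | ForEach-Object {
        if ($wellKnown.ContainsKey($_)) { $wellKnown[$_] } else { $_ } }
    [pscustomobject]@{
        Right   = $r
        State   = if ($defined) { 'Defined' } else { 'Not defined' }
        Members = $names -join ', '
        Note    = if ($defined -and ($r -in $tsOnly)) { 'TS-only right: review effect on W2k targets' } else { '' }
    }
} | Format-Table -AutoSize -Wrap
```

To check a real machine, replace the sample with `Get-Content rights.inf` after running the `secedit` export shown in the first comment.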


