Not able to remote to servers
I am not able to remote to any of my servers (Windows 2003). I get the following message:
To log on to this remote computer, you must be granted the Allow log on through Terminal Services right.
This was working last week; the only change I made was to the GPO. I defined the policy in the Default Domain Policy to Allow logon through Terminal Services. I added the Domain Admin group to this policy and since then I have not been able to remote to the servers. I have since gone back and undefined this policy but I am still not able to remote in.
The login ID I am using is a Domain and Enterprise Admin account; it has full rights. On the servers that are not DCs I have tried adding my account to the Remote Users group but I still cannot remote in. Does anyone have an idea of what I may be missing here? Please help!
Thanks
Bill
October 7th, 2008 10:22pm
Hi!
1. Administrators and Remote Desktop Users are the users that have rights to use remote desktop. (Don't know though if the same applies here.) If I have understood correctly, when a computer is added to the AD, Domain Admins are added to the local Administrators group. Maybe you should check that they do exist there?
2. At User Properties you should check at the Terminal Services Profile that there is no mark on Deny logon to Terminal Server.
Henry Eklf :: Just one random IT-guy more.
October 7th, 2008 11:01pm
Hi,
From the error message, it seems to be related to permission.
To enable users to connect remotely to a terminal server, we must ensure that:
Remote Desktop is enabled on the server. For instructions on how to enable Remote Desktop, see Enable or disable Remote Desktop.
Right or permission to allow log on through Terminal Services. I list these permissions as follows for your reference:
1) This right determines which users or groups have permission to log on as a Terminal Services client.
To ensure you have corresponding permission, please run 'gpedit.msc' on terminal server and navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\. Basically, you should check the following items:
"Allow log on locally" item to see whether this policy is defined
"Allow log on through Terminal Services" item to see whether this policy is defined.
"Deny log on locally" item to see whether this policy is defined.
"Deny log on through Terminal Services" item to see whether this policy is defined.
Are they properly configured?
2) User Access
This permission type grants the following special permissions: Query Information, Logon, and Connect. These special permissions allow a user to:
Log on to a session on the terminal server.
Query information about a session.
Send messages to other user sessions.
Connect to another session.
Configure by using Terminal Services Configuration.
For configuration instructions, see the following article:
Change the permissions a user or group has to a connection
http://technet.microsoft.com/en-us/library/cc736401.aspx
Let me know the result.
October 8th, 2008 3:12pm
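The user-rights check from item 1) of the reply above can also be run against an export taken on the server with `secedit /export /cfg <file> /areas USER_RIGHTS`. The following is an added example, not part of the original thread: it parses the `[Privilege Rights]` section and evaluates the allow and deny rights for remote logon against a list of SIDs. The sample export, the domain SID and the account RIDs are constructed, and it assumes a right that is absent from the export is held by nobody.

```python
# Constructed sample of a secedit user-rights export; all SIDs are made up
# except the well-known aliases S-1-5-32-544 (Administrators),
# S-1-5-32-551 (Backup Operators) and S-1-5-32-555 (Remote Desktop Users).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EXPORT = f"""\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *{DOMAIN}-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Map each right in [Privilege Rights] to the set of principals holding it."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs carry a leading '*'; account names, when present, do not.
            rights[name.strip()] = {p.strip().lstrip("*").upper()
                                    for p in value.split(",") if p.strip()}
    return rights

def remote_logon_verdict(rights, token_sids):
    """Deny wins over allow. Assumption: a right missing from the export is held by nobody."""
    token = {s.upper() for s in token_sids}
    deny = rights.get("SeDenyRemoteInteractiveLogonRight", set()) & token
    allow = rights.get("SeRemoteInteractiveLogonRight", set()) & token
    if deny:
        return "denied", sorted(deny)
    if allow:
        return "allowed", sorted(allow)
    return "not granted", []  # no SID in the token holds the allow right

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_EXPORT)
    tokens = {  # constructed group memberships
        "domain admin": [f"{DOMAIN}-1104", f"{DOMAIN}-512", "S-1-5-32-544"],
        "Remote Desktop Users only": [f"{DOMAIN}-1106", "S-1-5-32-555"],
        "admin with explicit deny": [f"{DOMAIN}-1105", "S-1-5-32-544"],
    }
    for label, sids in tokens.items():
        print(label, "->", remote_logon_verdict(rights, sids))
```

This covers only item 1) of the reply; the connection permissions described in item 2) are a separate access list that a user-rights export does not contain.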
Thanks for the help. As I said before, I was able to remote to all my servers before I defined the Allow log on through Terminal Services policy on the default domain policy. I rolled that back to Not Defined and since doing that I am able to remotely log on to all my non-domain controllers remotely. But I am still getting the error message when I try to remote to my DCs.
I checked the above perms and they all look good. The account I am using has full admin rights and is a member of the AD group Remote Desktop users.
The following policies are all set to not defined (as they have been) at the default domain policy level, at the domain controller policy level, and the servers OU policy level.
Allow log on locally
Allow log on through Terminal Services
Deny log on locally
Deny log on through Terminal Services
Again, now I can log on to my non-domain controllers but not my DCs. Weird!!!
October 8th, 2008 8:44pm
Hi,
From your description, I understand you can successfully log on to the Terminal Server now, but not to the DC. If this is the case, please help me collect the following information. After obtaining this information, I will do further research and get back to you soon.
1) Please run gpresult /v >c:\gpresult.txt
and send gpresult.txt to me via tfwst@microsoft.com
2) When the error message comes up while logging on to the DC, please take a snapshot and send it to me via the email address above.
3) Please check if there is any error message in the Event log.
October 9th, 2008 4:23pm
Thanks for your help. I sent you an email with the gpresult file and a screenshot of the terminal service error when trying to remote to the DCs. There is nothing of relevance in the event log.
October 10th, 2008 7:25pm
Hi,
I checked the group policies applied on the client PC and haven't found any clue. Could you please also run the gpresult /v >c:\gpresult.txt command on the DC where the remote logon issue occurs and send gpresult.txt to me again via tfwst@microsoft.com? In addition, I haven't found the snapshot in the attachment. Could you please resend it to me?
Also, please help me collect the following information:
1) If you log on to the other DC in your network using this user account, does this symptom still exist?
2) If you explicitly grant this user the permissions by checking the security settings on the General tab of the Terminal Services Configuration snap-in, what is the result?
3) For security level, is it set to 'negotiate'? For encryption level, is it set to 'Client Compatible'?
4) If you use Remote Desktop Connection on the DC to remotely log on to itself, will you still receive this error message?
Thanks.
October 13th, 2008 2:30pm
Hi St.Clair,
I have checked the GPresult.log and found that this user is a member of an administrators group, which has the rights to log on to the DC using Remote Desktop Connection by default. In addition, I found that you left "allow logon locally" and 'Allow logon through Terminal Server' as the default settings. This means that this user account has permissions to log on through TS. Therefore, let's focus on the connection permission.
Open the Terminal Services Configuration console. To make the troubleshooting process clearer, I'd like to suggest deleting the current RDP-Tcp connection settings and rebuilding them to test the result. Also, please check the following items one by one:
Right-click RDP-Tcp and choose Properties.
In the General tab, leave security layer set to 'negotiate' and encryption level set to 'client compatible'. Uncheck the "Allow connection only from computers" box.
In Logon settings, do not choose 'always use the following logon information'.
In the Security tab, please explicitly add 'St. Clair, William' and grant it 'full control' permission.
Network adapter, choose 'All network adapter..' option.
Run 'dsa.msc' to open Active Directory Users and Computers, navigate to the St. Clair account and check the Terminal Services Profile tab in its properties. Please ensure the 'Deny this user permission to log on terminal server' box is unchecked.
Let me know the result.
October 15th, 2008 4:09pm
Looks like adding my user ID and giving it full control permissions in Terminal Services Configuration did the trick. But I am puzzled because my user ID is already a member of the Administrators Group and Remote group, which have full rights. So why does adding my user ID fix it?
But thanks for all your help on this!!!
Bill
October 15th, 2008 9:30pm