Active Directory, Terminal Services, and local profiles. [local security] [terminal services]

admin / January 22nd, 2011/ Posted in Networking / No Comments »

Q: I'm trying to configure on a Win2k Domain Controller. It's installed and working, but only the administrator can log in using TS. I've granted “Users” “Log on locally” and “Access this computer from the network” through the policy, but people in the “Users” group still get a message “The local policy of this system does not allow you to logon interactively”. Any ideas what I'm missing?

Thanks.

Edit: Changed title no hope for more help.


Re:I'm trying to configure on a Win2k Domain Controller. It's installed and working, but only administrator can login using TS. I've granted "Users" "Log on locally" and "Access to this computer from the network" through the policy, but people in the "Users" group still get a message "The local policy of this system does not allow you to logon interactively". Any ideas what I'm missing?

Thanks.

You need to change TS to APPLICATION mode, currently you have it in REMOTE ADMINISTRATION mode, that's why only the Admin account can access it.


Re:I found a TID about a TS issue being solved in SP3 so I tried installing it and now when users login through TS, profiles are created for them.

Thanks for all of your help.


Re:Scaling scripts and utils for TS management (http://www.microsoft.com/windows2000/techinfo/administration/terminal/loadscripts.asp)

At a command prompt, type tlntadmn.exe, and then press ENTER.
Choose option 3, Display / change registry settings.
Choose option 7, NTLM.
Change the default setting from 2 to 0 to disable the NTLM requirement.

I believe that this is the problem you are having. Also, the license will expire after 30 days unless you have purchased it. You will need to buy enough for the amount of clients that you have or it will quit working after that time.
The utils above are just handy if you wish to manage TS in the future. I believe they come with readme files also. Let me know how it goes.


Re:That's what I'm trying to ask how to do. ;)

Thanks.


Re:Create them. There are only 5, right? You can also disable roaming profiles and make them local if you need to use the current ones, e.g. older user accounts.

Re:Originally posted by: guy
Go to Run, MMC, Console, add Active Directory Users and Computers, OK, user 1? Properties. Tab, type in the user profile in local path. Or if you map the TS drive, you can give drive and exe on this page. Does that help?

How do I know what to put in for the local profile? There isn't one currently there.


Re:Go to Run, MMC, Console, add Active Directory Users and Computers, OK, user 1? Properties. Tab, type in the user profile in local path. Or if you map the TS drive, you can give drive and exe on this page. Does that help?

Re:I still can't figure this out.

Re:Anybody know what I'm missing?

Re:I'd rather not. They stay at their own PC all day and are only using it to open up 1 app.

I just want them to be able to log into the server without any error messages.


Re:Do you want to use roaming profiles?

Re:Thanks for the help. It's just a small office with 5 users so to setup a separate server for TS is not an option.

I followed your directions and am still getting the same messages about not having a local profile. Do I need to create one manually?

Thanks.


Re:You need to open the Active Directory Users and Computers MMC in Administrative tools program group.

Right click on the Domain Controllers container and choose properties
Go to Group policy tab and click Edit on the Default Domain Controllers Policy.
Go to Computer Configuration -> Windows Settings -> Local Policies -> User Rights Assignment
Edit the "Log on Locally" setting
Add the Domain Users group so that a regular user can log onto the domain controller.

This is a very common problem when setting up a Terminal server.
Microsoft doesn't recommend that you use your Domain Controller as a terminal server, but if you are working on a smaller site and the security of your Domain Controller isn't required to be very high, you can do this. The trouble is that if someone logged in and hacked administrator privileges for themselves, they can download the security database (SAM) and run L0phtcrack on it to get everyone's password.

So don't do this unless you trust your users.

Originally posted by: guy
I'm trying to configure on a Win2k Domain Controller. It's installed and working, but only administrator can login using TS. I've granted "Users" "Log on locally" and "Access to this computer from the network" through the policy, but people in the "Users" group still get a message "The local policy of this system does not allow you to logon interactively". Any ideas what I'm missing?

Thanks.
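
An added example, not part of the thread: one way to review the effect of the "Log on Locally" change described in the post above is to parse a security-template export (the format written by `secedit /export /cfg`, assumed here) and list the broad groups that hold the two logon rights discussed. The function names and the sample export are constructed for illustration.

```python
import re

# Well-known broad principals; these SIDs are fixed by Windows.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "BUILTIN\\Users"}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")  # <domain SID>-513
BROAD_NAMES = {"everyone", "authenticated users", "users", "domain users"}
RIGHTS = {"SeInteractiveLogonRight": "Log on locally",
          "SeNetworkLogonRight": "Access this computer from the network"}

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section.
    Real exports are usually UTF-16; decode the file before passing it in."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def broad_label(principal):
    """Name the broad group a SID or account name refers to, else None."""
    if principal in BROAD_SIDS:
        return BROAD_SIDS[principal]
    if DOMAIN_USERS.match(principal):
        return "Domain Users"
    short = principal.split("\\")[-1].lower()  # drop DOMAIN\ prefix
    return principal if short in BROAD_NAMES else None

def audit(inf_text):
    """List (right, group) pairs where a broad group holds a logon right."""
    rights = parse_privilege_rights(inf_text)
    return [(label, who) for right, label in RIGHTS.items()
            for p in rights.get(right, []) if (who := broad_label(p))]

# Constructed sample export (hypothetical domain SID), not from the thread.
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-513
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for right, who in audit(SAMPLE):
        print(f"{who} holds '{right}'")
```
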


Re:Ok, I just found an article about a known TS issue and users can now log in, but now I'm getting the following 2 errors.

Error 1:
Windows cannot locate your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be propagated to the server.

Detail - The network path was not found.

Error 2:
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to the profile will be lost when you log off.

I know very little about Active Directory, but I do see that there are no folders under documents and setting for these users. What do I need to do to get rid of that error message? I assume I need to create local profiles for the users that need to logon using TS, but how? I also don't want to affect their local workstations when they are logging in normally.

Thanks.

