Users are not authorized for remote login

Discussion in 'Windows Home Server' started by Eli, Jul 30, 2008.

  1. Eli

    Eli Guest

    Windows 2008 sp1
    AD is on a separate 2008 server
    Installed terminal services, everything looks fine
    Added group to TS gateway policies “domain”\TS
    TS is a group I created in AD where to put users who can login to terminal
    services.
    First I added users to TS, tried to log in – connection refused.
    Added the user to TS and Remote Desktop group same thing.
    The error is
    The connection was denied because the user account is not authorized for
    remote login
    What am I missing?
     
  2. Morgan che

    Morgan che Guest

    Hi,

    From your description, I suspect this issue is related to Terminal Services
    access permission. Typically, there are two settings that must be
    configured before establishing Remote Desktop sessions. The first one is
    that remote connections must be enabled; the other one is that users must be
    granted permission to connect to the server. I think you have already done
    the first one. So, let's focus on the second.

    By default, the administrators group and Remote Desktop Users group have
    permissions to logon to TS. So, generally speaking, we can simply add your
    created groups into one of these groups to let them logon to TS. Because
    you have added it to Remote Desktop Users group, please check the
    following. I list the rights that a user needs to have to establish a remote
    desktop connection to a terminal server:

    1. Allow log on through Terminal Services
    2. Rdp-Tcp connection "User Access" and "Guest Access" permissions
    3. "Allow logon to Terminal Server" in the user property

    Please perform the following steps to check them one by one to check
    permissions:

    Step 1: Allow logon through Terminal Services
    -------------------------------------------
    To connect to terminal server properly, users need to be granted the "Allow
    logon through Terminal Services" right. If the server is a domain
    controller, users also need to have "Allow logon locally" right. I
    understand that you have checked the local access policy rights. Please
    also check the group policies that are applied to the domain or OU as they
    have higher priority and will override the configuration of local policy.

    1. Logon as administrator, click Start -> Run, type "rsop.msc" in the text
    box, and click OK.
    2. Locate the [Computer Configuration\Windows Settings\Security
    Settings\Local Policies\User Rights Assignment] item.
    3. Check the "Allow log on locally" item to see whether this policy is
    defined. If so, the "Source GPO" column displays the policy that defines
    this policy. Please ensure "Administrators", "Remote Desktop Users",
    "Backup Operators", "Account Operators", "Print Operators", "Server
    Operators" are granted this right. If it is different, please configure the
    corresponding policy to grant the permission.
    4. Check the "Allow log on through Terminal Services" item to see whether
    this policy is defined. If so, the "Source GPO" column displays the policy
    that defines this policy. Please ensure "Administrators", "Remote Desktop
    Users", and any other desired users are granted this right. If it is
    different, please configure the corresponding policy to grant the
    permission.
    5. Check the "Deny log on locally" item to see whether this policy is
    defined. If so, the "Source GPO" column displays the policy that defines
    this policy. Please ensure that the user and any user groups that the remote
    user belongs to are not included in this right. If they are, please modify
    the corresponding policy to remove them.
    6. Check the "Deny log on through Terminal Services" item to see whether
    this policy is defined. If so, the "Source GPO" column displays the policy
    that defines this policy. Please ensure that the user and any user groups
    that the remote user belongs to are not included in this right. If they are,
    please modify the corresponding policy to remove them.
    7. Click Start -> Run, type "cmd" in the text box, and click OK.
    8. Run the following command to refresh policy on both the domain
    controller and the terminal server:

    Gpupdate /force

    9. Wait for a while so that the group policy is replicated and then try to
    connect to the server again.

    Step 2: Allow logon to Terminal Server
    ------------------------------------
    To grant a user these permissions, start either the Active Directory Users
    and Computers snap-in or the Local Users And Groups snap-in, open the
    user's properties, click the Terminal Services Profile tab, and then click
    to select the Allow logon to Terminal Server check box.

    Step 3: Check TS permission
    ----------------------------
    1. Open the Terminal Services Configuration snap-in.
    2. Right click the Rdp-Tcp item, and click Properties.
    3. In the Permissions tab, click "Advanced".
    4. By default, administrators group and Remote Desktop Users group have
    been granted the permissions. You can also add other users and groups and
    grant them the corresponding permissions.

    If this issue still persists after checking the steps above, please check
    the security settings on the General tab of the Terminal Services
    Configuration snap-in. In Security level, is it set to 'Negotiate'? In
    Encryption level, is it set to 'Client Compatible'?

    As for 'Added group to TS gateway policies “domain”\TS', could you
    please explain it more? How do you configure it? Also, please test to log on
    to TS on another computer to see the symbols?


    Hope this helps.


    Sincerely
    Morgan Che
    Microsoft Online Support
    Microsoft Global Technical Support Center

     
  4. Eli

    Eli Guest

    Thanks for the advice.
    I added users to a newly created group in AD, then added that group to "local"
    remote desktop users on TS server and everything works fine now.


    "Vera Noest [MVP]" wrote:
    > Maybe you added the users to the AD group Remote Desktop Users?
    >
    > You have to add them to the *local* Remote Desktop Users group on
    > the Terminal Server.
    >
    > _________________________________________________________
    > Vera Noest
    > MCSE, CCEA, Microsoft MVP - Terminal Server
    > TS troubleshooting:
    > *----------- Please reply in newsgroup -------------*
    >
    > Eli <eli@newsgroup.nospam> wrote on 30 jul 2008:
    > > Windows 2008 sp1
    > > AD is on a separate 2008 server
    > > Installed terminal services, everything looks fine
    > > Added group to TS gateway policies “domain”TS
    > > TS is a group I created in AD where to put users who can login
    > > to terminal services.
    > > First I added users to TS, tried to log in – connection
    > > refused. Added the user to TS and Remote Desktop group same
    > > thing. The error is
    > > The connection was denied because the user account is not
    > > authorized for remote login
    > > What am I missing?
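
The checks discussed in this thread as a script, added here as an example and not part of any post: it exports the user rights in effect on the terminal server with secedit, resolves the SIDs to names, and lists the members of the local Remote Desktop Users group. It assumes an elevated PowerShell 2.0 or later prompt on the terminal server; the temp file name is arbitrary.

```powershell
# Added example. Run from an elevated PowerShell 2.0+ prompt on the terminal server.

# Rights from Step 1, keyed by the constant names secedit writes to its export.
$names = @{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Terminal Services'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
}

function Resolve-Entry([string]$entry) {
    # secedit writes most holders as *SID; translate to DOMAIN\name when possible.
    if (-not $entry.StartsWith('*')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $entry   # orphaned or unreachable SID: show it raw
    }
}

# Export the user rights currently in effect on this server (local policy plus GPOs).
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # arbitrary temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $names.ContainsKey($Matches[1])) {
        $key = $Matches[1]
        $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $rights[$key] = @($holders)
    }
}
Remove-Item $cfg

foreach ($key in $names.Keys) {
    '{0} ({1}):' -f $names[$key], $key
    if ($rights.ContainsKey($key)) {
        $rights[$key] | ForEach-Object { '    ' + (Resolve-Entry $_) }
    } else {
        '    (no accounts assigned)'
    }
}

# BUILTIN\Remote Desktop Users has the well-known SID S-1-5-32-555.
if ($rights['SeRemoteInteractiveLogonRight'] -notcontains '*S-1-5-32-555') {
    'WARNING: local Remote Desktop Users lacks "Allow log on through Terminal Services"'
}

# The fix from this thread: the AD group must be a member of the *local* group.
net localgroup 'Remote Desktop Users'
```

The export shows which accounts hold each right but not which GPO set it; rsop.msc, as described in Step 1, shows the source GPO.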
     
  5. Ruslan

    Ruslan Guest

    TRY

     
