Domain Controllers Require the "Log on Locally" Group Policy Object for Terminal Services Client Connections (247989)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
This article was previously published under Q247989

SYMPTOMS

When you attempt to connect to a Microsoft Windows 2000-based domain controller running Terminal Services, you may receive the following error message:
The local policy of this system does not permit you to logon interactively.
This error message is not generated when the user account you logged on with is a member of the following default groups:
  • Account Operators
  • Administrators
  • Backup Operators
  • Print Operators
  • Server Operators
  • Others based on services on the computer such as TsInternetUser
NOTE: Member servers and stand-alone servers have the users group included in the "Log on Locally" user right. Because of this, they do not prevent logons from non-administrative users.

CAUSE

This issue can occur if the Windows 2000-based domain controller running Terminal Services does not have the Users, Authenticated Users, or Everyone global group added to the Group Policy Object for the "Log on Locally" user right.

RESOLUTION

To work around this issue, modify the Group Policy Object for the domain controller:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy.
  2. Double-click the Security Settings folder, double-click Local Policies, and then click User Rights Assignment.
  3. Under the Policy column, click Log on Locally, and then click Add.
  4. Click Browse, click the appropriate group, and then click Add.
  5. Click OK, click OK, and then click OK.
  6. At a command prompt, type secedit /refreshpolicy machine_policy /enforce, press ENTER, and then press ENTER.

STATUS

This behavior is by design.

MORE INFORMATION

The issue described in this article occurs on Windows 2000-based domain controllers running Terminal Services configured to use Application Server mode for user access. Windows 2000-based domain controllers running Terminal Services configured to use Remote Administration mode do not permit user logon, with the exception of two concurrent administrator accounts for server management. When a user attempts to connect to a Windows 2000-based domain controller running Terminal Services configured to use Remote Administration mode, the following error message is generated:
You do not have access to logon to this Session.
"Log on Locally" is a required user right in Microsoft Windows NT 4.0, Terminal Server Edition and Windows 2000 Terminal Services. This is because the Terminal Services sessions are the user's desktop environment and the user needs the same rights on the Terminal Server computer that he or she has on other workstations.

The issue described in this article occurs when the Windows 2000-based computer running Terminal Services is a domain controller, because domain controllers share a common security database. Windows NT 4.0-based domain controllers use the Security Accounts Manager (SAM) database, and Windows 2000-based domain controllers use Active Directory, which is common to all domain controllers. The "Log on Locally" user right is assigned to a group in Windows NT 4.0, and to Group Policy Objects in Windows 2000. In Windows 2000, one domain controller that is given the "Log on Locally" user right shares this user right with all domain controllers in the domain.

For additional information about Terminal Services client connection error messages, click the article numbers below to view the articles in the Microsoft Knowledge Base:

246109 Error Messages Generated When Logging on with Terminal Services

224395 Error Message: You Do Not Have Access to Logon to This Session


NOTE: The Ntrights.exe utility can be used to add the "Log On Locally" right remotely.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

279664 How to Set Logon User Rights with the Ntrights.exe Utility

Modification Type:MajorLast Reviewed:11/13/2003
Keywords:kberrmsg kbprb KB247989
©2003 Microsoft Corporation. All rights reserved.