Remote Administration of Terminal Services by Non-Administrators Accounts (253831)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
This article was previously published under Q253831
SYMPTOMS
Terminal Services running in Remote Administration mode is designed to be used for remotely managing servers. Remote Administration mode does not require client licensing and is limited to two simultaneous connections. Groups that typically manage servers, such as Server Operators, are not included in the default RDP-TCP permissions, and therefore cannot log on. When a user who is not an administrator tries to log on, the user receives the following error message:
Logon Message
You do not have access to logon to this Session.
OK
CAUSE
Members of the Administrators group are the only accounts with default permissions to log on to a Terminal Services-based server in Remote Administration mode. The System service account appears in the list also, but is not used for user access.
RESOLUTION
You can give additional groups and users logon permissions. The members of the Server Operators group, for example, would then be able to log on and manage the Terminal Services-based server without having to be a member of the Administrators group. To add additional groups or users:
- Click Start, point to Programs, point to Administrative Tools, and then click Terminal Services Configuration.
- In the tree in the left pane, click Connections.
- Click the RDP-TCP connection in the right pane, and then click Properties on the Action menu.
- Click the Permissions tab.
NOTE: Only Administrator and System accounts appear.
- Click Add. Search for the groups or users that are appropriate for your Terminal Services management (such as the Server Operators group). Click Add to place them in the bottom pane. Click OK.
NOTE: The Server Operators group now appears in the RDP-TCP properties, but the permissions in the bottom pane are not enough to manage the server because only Guest Access is selected by default.
- Click to select the User Access check box for basic tasks, or both the User Access and Full Control check boxes to fully manage the server, and then click Apply.
- Click OK.
- Test by logging on with the accounts in the Server Operators group.
STATUS
This behavior is by design.
Modification Type: Major
Last Reviewed: 11/20/2003
Keywords: kbenv kbprb kbTermServ KB253831