REMOTE DESKTOP CONNECTION

HMO Fallen Angel

Hi everybody,
Before, we used to have a windows 2000 as our domain controller and it was
the terminal server too, and we can RDC to this server. Then, we got a new
server, installed win 2003 server 'migrated' our 2000 domain to a 2003 domain
and right now they are co-existing.
We did this because we need to move our application from the win 2000 server
to the new 2003 server.
Right now users are connecting to the 2000 server using terminal
server without any problems.
I have already installed terminal server and its licenses on the new win
2003 server but when I try to connect using RDC I'm getting the error:

"To log on this remote computer, you must be granted the Allow log on
through Terminal Services right. By default, members of the Remote Desktop
Users group have this right. If you are not a member of the Remote Desktop
group or another group that has this right, or if the Remote Desktop User
group does not have this right, you must be granted this right manually"

I'm trying (on the win 2003 server) the local computer policy/computer
configuration/ windows setting/ security settings/local policies/user rights
assignment/ Allow log on terminal services and allow the Remote Desktop User
group, but there is no Remote Desktop User group available. I tried then
selecting a single user and allowing this option for this user and is still
not working.

What can be the problem? I don't have any problem connecting to the 2003 as
an administrator.

I need to make this work before we can dcpromo the win 2000 server and just
keep the 2003 server

Any help will be really appreciated.

--
HMO Fallen Angel
 
Vera Noest [MVP]

So the 2003 server is a DC, correct?
I assume that it is *not* recommended to run TS on a DC, for both
performance and - most of all - security reasons. After all, by
installing TS, you turn your DC into a multi-user workstation!
Can't you demote the W2K server to a member server and then upgrade
it to 2003? That would give you a 2003 domain with a dedicated TS,
which is a much better environment.

That said, you'll have to make your users members of the Domain
Local built-in group Remote Desktop Users in AD and add that group to
this setting in the Default Domain Controller Policy:
Computer Configuration - Windows Settings - Security Settings - Local
Policies - User rights Assignment
"Allow log on through Terminal Services"
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

HMO Fallen Angel
<HMOFallenAngel@discussions.microsoft.com> wrote on 12 jul 2007 in
microsoft.public.windows.terminal_services:

> Hi everybody,
> Before, we used to have a windows 2000 as our domain controller
> and it was the terminal server too, and we can RDC to this
> server. Then, we got a new server, installed win 2003 server
> 'migrated' our 2000 domain to a 2003 domain and right now they
> are co-existing. We did this because we need to move our
> application from the win 2000 server to the new 2003 server.
> Right now users are connecting to the 2000 server using
> terminal server without any problems.
> I have already installed terminal server and its licenses on the
> new win 2003 server but when I try to connect using RDC I'm
> getting the error:
>
> "To log on this remote computer, you must be granted the Allow
> log on through Terminal Services right. By default, members of
> the Remote Desktop Users group have this right. If you are not a
> member of the Remote Desktop group or another group that has
> this right, or if the Remote Desktop User group does not have
> this right, you must be granted this right manually"
>
> I'm trying (on the win 2003 server) the local computer
> policy/computer configuration/ windows setting/ security
> settings/local policies/user rights assignment/ Allow log on
> terminal services and allow the Remote Desktop User group, but
> there is no Remote Desktop User group available. I tried then
> selecting a single user and allowing this option for this user
> and is still not working.
>
> What can be the problem? I don't have any problem connecting to
> the 2003 as an administrator.
>
> I need to make this work before we can dcpromo the win 2000
> server and just keep the 2003 server
>
> Any help will be really appreciated.
 
HMO Fallen Angel

Thanks for your reply Vera,
the main reason for having only 1 server is, of course, money. So, after we
can move everything to the new one we'll see what we can do with the old 2000
server.
About the Remote Desktop Users Group, my problem is that I don't have that
group, or I can't see it on my Active Directory, or is there any trick to
access this group?
--
HMO Fallen Angel

Vera Noest [MVP]

Mmm, it should be there, at least after a fresh install of AD on a
2003 server. But maybe it's not created when the 2003 server is made
a DC in an existing W2K AD.
I've never done any of this myself, so no guarantees, but I guess
that you could manually create a Domain Local security group
"Terminal Server Users" and add that group to the user right
assignment "Allow log on through Terminal Services" in the Default
Domain Controller Policy.

Note that I would *not* call this manually created group "Remote
Desktop Users", to be able to distinguish it from the Builtin group.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

HMO Fallen Angel
<HMOFallenAngel@discussions.microsoft.com> wrote on 13 jul 2007 in
microsoft.public.windows.terminal_services:

> Thanks for your reply Vera,
> the main reason for having only 1 server is, of course, money.
> So, after we can move everything to the new one we'll see what
> we can do with the old 2000 server.
> About the Remote Desktop Users Group, my problem is that I don't
> have that group, or I can't see it on my Active Directory, or
> is there any trick to access this group?
 
HMO Fallen Angel

ok
should I do this using "net localgroup groupname /Add" ??
--
HMO Fallen Angel

Vera Noest [MVP]

I'd use the GUI of Active Directory Users and Computers in
Administrative Tools.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

HMO Fallen Angel
<HMOFallenAngel@discussions.microsoft.com> wrote on 14 jul 2007 in
microsoft.public.windows.terminal_services:

> ok
> should I do this using "net localgroup groupname /Add" ??
 
HMO Fallen Angel

Hi Vera,
well, I was about to do this, but I remembered having seen 'terminal server
users' group somewhere in my server.
So, if I go to my AD and try adding users to a specific group, this
'terminal server users' group is NOT there.
Then, I went to my policy editor to the computer configuration/windows
settings/security settings/local policies/user rights assignment/ and on the
'allow log on through terminal services properties' the "TERMINAL SERVER
USER" group is already 'allowed' but I can't see this group on my AD. So I'm
not sure if I have to create this group using the same name or what to do.
Also, I tried and added a user directly on the 'allow log on through
terminal services properties' policy and I'm still unable to RDC using this
user (should I be able to do it or not)
Should I continue and create the 'terminal server user' group anyways? If
so, the group is all capital letters on the policy setting, should I create it
using all capitals too or it doesn't matter?
--
HMO Fallen Angel

Vera Noest [MVP]

I hardly dare to give you any more advice, since your setup is
completely unfamiliar to me. I've never performed an in-place
upgrade of any OS, just to avoid problems like these.

That said, I would create a group with a completely different name
and then add that group to the Logon Locally user right policy.
Recreating the TERMINAL SERVER USER group might work, but it's also
possible that the recreated group gets another SID and would only
add to the confusion. If it works with a freshly created group and
you are sure that the TERMINAL SERVER USER doesn't exist, then you
can delete it from the user right assignment policy.

WARNING: before changing anything at all, make sure that you have a
working backup!

Note that you have to assign the user right in the Default Domain
Controller Policy, not in the Default Domain Policy.
You could try if this solves the problem by first adding a single
test user account to it.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

HMO Fallen Angel
<HMOFallenAngel@discussions.microsoft.com> wrote on 17 jul 2007 in
microsoft.public.windows.terminal_services:

> Hi Vera,
> well, I was about to do this, but I remembered having seen
> 'terminal server users' group somewhere in my server.
> So, if I go to my AD and try adding users to a specific group,
> this 'terminal server users' group is NOT there.
> Then, I went to my policy editor to the computer
> configuration/windows settings/security settings/local
> policies/user rights assignment/ and on the 'allow log on through
> terminal services properties' the "TERMINAL SERVER USER" group
> is already 'allowed' but I can't see this group on my AD. So I'm
> not sure if I have to create this group using the same name or
> what to do. Also, I tried and added a user directly on the
> 'allow log on through terminal services properties' policy and
> I'm still unable to RDC using this user (should I be able to do
> it or not) Should I continue and create the 'terminal server
> user' group anyways? If so, the group is all capital letters on
> the policy setting, should I create it using all capitals too or
> it doesn't matter?
 
HMO Fallen Angel

I have to add the new group to the Logon Locally user right policy or to the
allow log on through terminal services?

--
HMO Fallen Angel

Vera Noest [MVP]

Sorry, I mixed your post up with someone else who has a W2K DC as TS.
In your case, it should be allow log on through terminal services.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

HMO Fallen Angel
<HMOFallenAngel@discussions.microsoft.com> wrote on 18 jul 2007 in
microsoft.public.windows.terminal_services:

> I have to add the new group to the Logon Locally user right
> policy or to the allow log on through terminal services?
 
HMO Fallen Angel

Should I create the group under 'Builtin' or at the same level of builtin,
computers, users??

--
HMO Fallen Angel

HMO Fallen Angel

Should I create this group under 'builtin' or at the same level as builtin,
computers, users ???
--
HMO Fallen Angel

Vera Noest [MVP]

Technically, I assume that it doesn't matter.
But since the name of the preconfigured OU is "Builtin", that would
be the only OU where I would *not* create it.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

HMO Fallen Angel
<HMOFallenAngel@discussions.microsoft.com> wrote on 20 jul 2007 in
microsoft.public.windows.terminal_services:

> Should I create the group under 'Builtin' or at the same level
> of builtin, computers, users??
 
HMO Fallen Angel

You are right, it doesn't matter. It doesn't work anyway.
Any other idea?
--
HMO Fallen Angel

Vera Noest [MVP]

I'm sorry, no. As I said before, I don't dare to say anything more,
since I don't understand what's going on.
I would call Microsoft Support, or start from scratch, creating a
completely new 2003 forest.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

HMO Fallen Angel
<HMOFallenAngel@discussions.microsoft.com> wrote on 23 jul 2007 in
microsoft.public.windows.terminal_services:

> You are right, it doesn't matter. It doesn't work anyway.
> Any other idea?
 
HMO Fallen Angel

I guess I'll have to do that.
Thanks so much for your help
--
HMO Fallen Angel

HMO Fallen Angel

One more question.
Even if I don't have the remote desktop user group, I tried adding a regular
user directly to the allow connecting through terminal services entry and it
doesn't work either. Should this be part of the same 'migration' thing?
--
HMO Fallen Angel

Vera Noest [MVP]

Assuming that the user also has at least "User" permissions on the
rdp-tcp connection, that should work, yes.
But I've got the feeling that the issue is bigger than just the
missing "Remote Desktop Users" group.
Otherwise we would have solved the problem by now. That's why I
personally would start from scratch.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

HMO Fallen Angel
<HMOFallenAngel@discussions.microsoft.com> wrote on 24 jul 2007 in
microsoft.public.windows.terminal_services:

> One more question.
> Even if I don't have the remote desktop user group, I tried
> adding a regular user directly to the allow connecting through
> terminal services entry and it doesn't work either. Should this
> be part of the same 'migration' thing?
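
The two conditions named in the reply above (the "Allow log on through Terminal Services" user right and the permissions on the rdp-tcp connection) can be checked separately. The following is an added example, not part of the original thread: it parses a constructed excerpt in the format written by `secedit /export /areas USER_RIGHTS` and evaluates both checks for a sample token. The domain SID, the accounts and the listener permission sets are made-up sample values.

```python
import re

ALLOW = "SeRemoteInteractiveLogonRight"      # "Allow log on through Terminal Services"
DENY = "SeDenyRemoteInteractiveLogonRight"   # "Deny log on through Terminal Services"

# Well-known SIDs are fixed by Windows. S-1-5-13 is a system-managed identity,
# so it is never listed as a group object in Active Directory Users and Computers.
WELL_KNOWN = {
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-32-545": r"BUILTIN\Users",
    "S-1-5-32-555": r"BUILTIN\Remote Desktop Users",
    "S-1-5-13": r"NT AUTHORITY\TERMINAL SERVER USER",
}
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# Constructed sample values (assumptions for this example only).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
USER = DOMAIN + "-1105"      # hypothetical test user
ORPHAN = DOMAIN + "-1199"    # hypothetical SID whose account no longer exists
DIRECTORY = {USER: r"EXAMPLE\testuser"}

# Constructed excerpt; a real export is UTF-16, so read it with encoding="utf-16".
SAMPLE_INF = f"""\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-13,*{USER},*{ORPHAN}
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right name: set of SIDs or account names} from [Privilege Rights]."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes SIDs with a leading '*'; unresolved names appear as-is.
        rights[name.strip()] = {m.strip().lstrip("*") for m in value.split(",") if m.strip()}
    return rights

def describe(entry, directory):
    """Label one entry of a user right: well-known, known account, or orphaned SID."""
    if entry in WELL_KNOWN:
        return WELL_KNOWN[entry] + " (well-known, system-managed)"
    if entry in directory:
        return directory[entry]
    return "UNRESOLVED SID" if SID_RE.match(entry) else entry

def audit_allow_entries(rights, directory):
    """Explain every principal that holds the allow right."""
    return {e: describe(e, directory) for e in sorted(rights.get(ALLOW, set()))}

def rdp_gates(token_sids, rights, listener_sids):
    """Evaluate both checks for a logon token; a session needs both to be True."""
    token = set(token_sids)
    allowed = bool(token & rights.get(ALLOW, set()))
    denied = bool(token & rights.get(DENY, set()))
    return {"user_right": allowed and not denied,
            "listener_acl": bool(token & set(listener_sids))}

# Sample tokens: the account SID plus the groups it carries.
USER_TOKEN = [USER, DOMAIN + "-513", "S-1-5-32-545", "S-1-5-11"]
ADMIN_TOKEN = [DOMAIN + "-500", "S-1-5-32-544", "S-1-5-32-545", "S-1-5-11"]
# Constructed rdp-tcp permission sets: before and after BUILTIN\Users is added.
LISTENER_BEFORE = {"S-1-5-32-544", "S-1-5-32-555"}
LISTENER_AFTER = LISTENER_BEFORE | {"S-1-5-32-545"}

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_INF)
    for sid, label in audit_allow_entries(rights, DIRECTORY).items():
        print(f"{sid:50} {label}")
    print("user, before:", rdp_gates(USER_TOKEN, rights, LISTENER_BEFORE))
    print("user, after: ", rdp_gates(USER_TOKEN, rights, LISTENER_AFTER))
    print("admin:       ", rdp_gates(ADMIN_TOKEN, rights, LISTENER_BEFORE))
```

In this model, once BUILTIN\Users is on the listener the user right is the only remaining limit on who can open a session, so its entries (including any unresolved SIDs) are worth reviewing on a domain controller.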
 
HMO Fallen Angel

I tried adding 'users' to the permissions on rdp-tcp and that worked.
It's connecting to the terminal server and opening my application.
I'm having now another problem which I don't know if that's part of the
application or of terminal server.
If I log either as administrator or regular user, I open the application
enter my sign in information and can work in it, and when I close the
application, it never closes, the screen only goes blue and I have to
disconnect the session.
Do you think this is part of terminal server or the application?


--
HMO Fallen Angel

Vera Noest [MVP]

OK, I believed that we had covered the rdp-tcp permissions a long
time ago in this multi-part story :)
But I'm glad that you can make the connections now.

About your next problem:

From:
http://ts.veranoest.net/ts_faq_applications.htm#logoffsession

Q: User sessions don't logoff when users quit their starting or
published application

A: If you define a Starting application, either in Terminal
Services Configuration, a GPO or in the RDP client, the session
should be automatically logged off when users quit the application.
Sometimes, this doesn't happen and users are left with a session
which only shows the desktop background, without the possibility to
log off the session manually. The cause for this problem is a
process which is still running in the session, preventing it from
closing and logging off. The same can happen after quitting a
Citrix published application.

To solve the problem, open a connection to the Terminal Server and
check in Task manager which process is keeping the session from
closing. Some anti-virus applications are known to cause this
behaviour.
If you can't avoid running the process, you can use a work-around
to log off user sessions.

Create a batch file, containing something like this:

cd <path_to_application>
start /wait <application_executable>
logoff

Now define this batch file as the starting application.
Or use the following vb script (courtesy of Steven Bendis) to
launch your application, and define the vb script as the starting
application.

' Launch the application, wait for it to exit, then log off the session.
Dim objWshShell, objExec, strAppExe
strAppExe = "<path_to_application>\<application_executable>"
Set objWshShell = CreateObject("WScript.Shell")
Set objExec = objWshShell.Exec(strAppExe)
' Status stays 0 while the application is still running.
Do While objExec.Status = 0
    WScript.Sleep 500
Loop
Set objExec = objWshShell.Exec("logoff")

For a different solution to the problem, and a list of known
processes which cause this behaviour, check:
CTX891671 - Graceful Logoff from a Published Application Keeps
Sessions in Active State
http://support.citrix.com/article/CTX891671

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

HMO Fallen Angel
<HMOFallenAngel@discussions.microsoft.com> wrote on 24 jul 2007 in
microsoft.public.windows.terminal_services:

> I tried adding 'users' to the permissions on rdp-tcp and that
> worked. It's connecting to the terminal server and opening my
> application. I'm having now another problem which I don't know
> if that's part of the application or of terminal server.
> If I log either as administrator or regular user, I open the
> application enter my sign in information and can work in it, and
> when I close the application, it never closes, the screen only
> goes blue and I have to disconnect the session.
> Do you think this is part of terminal server or the application?
 