2009-08-19

Allow users to log on to domain controller remotely

Scenario:
A Windows 2003 server has recently been promoted to a domain controller. Users who used to be able to connect to it with Remote Desktop now fail with the error:
"To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually."

To troubleshoot this issue:
1. Make sure Remote Desktop is enabled on the server.
2. Make sure the Remote Desktop Users group has the right to log on through Terminal Services: Start > Run > gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services > make sure the Remote Desktop Users group is listed.
3. Make sure you have configured permissions for the Remote Desktop Users group in Terminal Services Configuration (right-click RDP-Tcp > Properties > Permissions > add user access for the group).

The reason that caused this issue is quite simple:
By default, only Administrators are allowed to log on to a DC. If you wish to allow other users to log on to this DC through Terminal Services, you will need to change the security settings in Group Policy after AD has been installed.
When you promote a Windows 2003 server to a domain controller, you may receive this message: "Terminal Services is installed on this computer. Installing AD on this PC will change the security policy on this PC so that only Administrators will be able to log on to the PC... If you wish to allow other users to log on to this PC with TS, you will need to change the security settings in GP after AD has been installed."

For this kind of issue, basically you want to try one or more of the following settings:
1. Assign the user the Allow log on through Terminal Services right using local policy (gpedit.msc).
2. Assign permission in Terminal Services Configuration: open it and select the properties of RDP-Tcp.
3. Enable the Allow logon to terminal server check box under the user's properties.
4. Assign the user the Access this computer from the network right.
5. Assign the user the Allow log on locally right.
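The following PowerShell script is an added example, not part of the original post. It audits the three settings from the troubleshooting steps on the DC itself (Remote Desktop enabled, holders of the Allow log on through Terminal Services right, and the RDP-Tcp listener permissions) and flags any principal beyond Administrators and Remote Desktop Users holding the right, since widening remote logon on a domain controller is a least-privilege concern. It assumes PowerShell is installed on the server, an elevated session, and that the listener's DACL is stored in the Security value under the RDP-Tcp registry key (the defaults apply when that value is absent).

```powershell
function Get-DcRemoteLogonAudit {
    $result = @{}

    # Check 1: Remote Desktop enabled? fDenyTSConnections = 0 means connections are allowed.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    $result.RemoteDesktopEnabled = ($deny -eq 0)

    # Check 2: who holds "Allow log on through Terminal Services"
    # (SeRemoteInteractiveLogonRight) in the effective local policy.
    $cfg = Join-Path $env:TEMP 'ur-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $holders = @()
    if ($line) {
        $holders = foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs with a leading '*'; translate to an account name when possible
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }
            } else { $entry }
        }
    }
    $result.RemoteInteractiveLogonHolders = @($holders)
    $result.RemoteDesktopUsersHasRight = [bool]@($holders -match 'Remote Desktop Users$')

    # Check 3: DACL on the RDP-Tcp listener (the Permissions tab in TS Configuration).
    # Assumption: stored as the 'Security' value under WinStations\RDP-Tcp when customised.
    $prop = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name Security -ErrorAction SilentlyContinue
    if ($prop -and $prop.Security) {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($prop.Security, 0)
        $result.RdpTcpTrustees = foreach ($ace in $sd.DiscretionaryAcl) {
            try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $ace.SecurityIdentifier.Value }
        }
    } else { $result.RdpTcpTrustees = '(default descriptor in effect)' }

    # Least-privilege flag: anyone other than these two groups holding the right on a DC deserves review.
    $expected = @('BUILTIN\Administrators', 'BUILTIN\Remote Desktop Users')
    $result.UnexpectedHolders = @($holders | Where-Object { $expected -notcontains $_ })
    New-Object PSObject -Property $result
}

Get-DcRemoteLogonAudit | Format-List
```

Run it before and after applying the settings above to confirm exactly which principals gained remote logon on the DC.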

Reference reading: http://www.chicagotech.net/RemoteAccess/ts15.htm
