Thread: Terminal Services on Domain Controller

  1. #1
    jfransen

    Hi,

    I created a GPO where I accidentally added 'Deny logon through Terminal Services' for Authenticated users. I deleted the GPO, but now I don't have access to my Domain Controller through Terminal Server, neither with Administrator nor with a member of the Domain Administrators. I checked the Default Domain Controller policy and they do have access; also Remote Desktop Control is allowed. But still I get the message 'The local policy of the system does not permit you to logon interactively'.

    Can somebody help me on this issue?

    Thanks in advance.

    Johan

  2. #2
    pj

    The first step is to find where this policy is being applied from. If you are using w2k3 use Group Policy Result Wizard in the Group Policy Management Console (download from Microsoft) and if you are using Windows 2k from the command line type gpresult.

    I don't know how long ago you deleted the GP, but your server may not have updated its computer policy yet. You can force this by rebooting or typing gpupdate /force

    Hope this is of help.

    Peter Jessop

  3. #3
    jfransen

    Hi,

    I already ran gpresult /force but it still doesn't work.
    I already ran gpresult (even with -z, although I don't see a lot of difference with -v ;-) ) and saw something strange. The policy is denied for security reasons. Now I'm finding out why, but this is not so easy. gpresult only says that the policy isn't applied, with no further comment. So I checked whether this GPO can be read and applied to the domain administrators. This is the case.
    Perhaps a small architecture can help:
    OU: domain.com
    OU: Domain controllers
    GPO: Default domain controller
    GPO: DC_LOGON_LOCALY
    SYS_TEAM (members are member of domain admins & administrators)
    setting: access from network: SYS_TEAM
    allow local logon: SYS_TEAM; Administrators
    allow logon through TS: SYS_TEAM

    I hope this is a little bit clear.

    Kind regards,

    Johan

  4. #4
    pj

    If the GPO is not being applied, perhaps the problem comes from the local policy and not the group policy.

  5. #5
    jfransen

    Hi,

    I found the problem. Indeed it's in the local policy. Due to the fact that I put 'Authenticated Users' in the deny TS in a GPO, it was copied in the local policy. But as I removed the GPO, the local policy was not updated although I did a gpupdate /force.

    Thanks for the help.

    Kind regards.

    Johan
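
The check that resolves this thread, as an added example that is not part of the original posts: it reads a `secedit` user-rights export and reports when the deny right for Terminal Services logon still lists a group broad enough to lock out every administrator. It assumes `SeDenyRemoteInteractiveLogonRight` is the right behind the 'Deny logon through Terminal Services' setting; the function names and sample lines are constructed for illustration.

```powershell
# Added example, not from the thread. The sample lines below are constructed.
# Well-known SIDs for groups broad enough to lock out every administrator.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-UserRightEntries {
    param([string[]]$InfLines, [string]$Right)
    # secedit writes: SeSomeRight = *S-1-5-11,*S-1-5-32-544,AccountName
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            # Split the value list and drop the '*' that marks a SID entry.
            return @($Matches[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()
}

function Find-TsDenyLockout {
    param([string[]]$InfLines)
    # Assumption: this is the right behind 'Deny logon through Terminal Services'.
    $right = 'SeDenyRemoteInteractiveLogonRight'
    foreach ($entry in @(Get-UserRightEntries $InfLines $right)) {
        if ($BroadSids.ContainsKey($entry)) {
            [pscustomobject]@{ Right = $right; Sid = $entry; Group = $BroadSids[$entry] }
        }
    }
}

# Constructed sample: a [Privilege Rights] section where the deny entry
# survived in the local policy after the GPO that set it was deleted.
$sample = @(
    '[Privilege Rights]'
    'SeRemoteInteractiveLogonRight = *S-1-5-32-544,SYS_TEAM'
    'SeDenyRemoteInteractiveLogonRight = *S-1-5-11'
)
Find-TsDenyLockout $sample

# On the server itself, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Find-TsDenyLockout (Get-Content "$env:TEMP\rights.inf")
```

A deny entry takes precedence over any allow entry for the same account, so a finding here explains the lockout even when the allow right lists the administrators.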
