Your interactive logon privilege has been disabled

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

This is a thought, but perhaps access to the terminal server is
disabled in the domain user account. I know how and where to set this
in a Win2K/Win2K3 environment, but not in a NT 4 domain.. Try posting
this to one of the Terminal Server newsgroups to see if any of them
may remember where this setting was for NT 4.

Jeffrey Randow (Windows Networking & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

On 23 Aug 2004 06:39:02 -0700, talltim@hotmail.com (Tim David) wrote:

>We have XP workstations running on an NT domain. We have a PC set up
>for users to use when they need to run a particular piece of software
>that we only have one licence for, they have a shortcut to an .rdp
>file on their desktops that connects them via remote desktop to the PC
>where they logon with their standard NT logon.
>On our PCs the standard setup for Remote Desktop is to allow the
>Domain Administrators group and a global group called Remote Desktop
>to logon through a connection, all other groups are denied (not
>specifically but not allowing in this case denies)
>On this particular PC the global group that uses the PC is added to
>the allowed users. This has been working fine for a couple of months.
>However I now have one user that can't get logged on, she gets 'Your
>interactive logon privilege has been disabled' I have checked the
>account and the PC; she is still in the group and the group still has
>permissions.
>Creating a copy of her account (within NT user Manager) for testing
>revealed that this copy account also has the same problem. A fresh
>account set up with the same global groups etc does not suffer from
>this problem. Also a copy of another user's account within the same
>department does not suffer.
>I have also tried adding individual permission for the user to log
>onto the PC and putting her in the global Remote Desktop group and
>testing connecting to another PC with no joy.
>
>The problem looks to be with the user's account but is not in any of
>the settings configurable from User Manager. Now I am a bit stumped. I
>am loath to delete and recreate her account as it would be a lot of
>work changing permissions on all her stuff to allow for the new SID,
>plus she has a laptop with a local profile.
>Does anyone have any ideas?
>
>Tim

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

OK thanks, I have asked the question (
http://makeashorterlink.com/?T2E325229 ) and will post the answer here
if I find out.

Tim

"Jeffrey Randow (MVP)" <jeffreyr-support@remotenetworktechnology.com> wrote in message news:<1p7li0lf7gcf6sv8cnv9upgqh58m51ticl@4ax.com>...
> This is a thought, but perhaps access to the terminal server is
> disabled in the domain user account. I know how and where to set this
> in a Win2K/Win2K3 environment, but not in a NT 4 domain.. Try posting
> this to one of the Terminal Server newsgroups to see if any of them
> may remember where this setting was for NT 4.
>
> Jeffrey Randow (Windows Networking & Smart Display MVP)
> jeffreyr-support@remotenetworktechnology.com
>
> Please post all responses to the newsgroups for the benefit
> of all USENET users. Messages sent via email may or may not
> be answered depending on time availability....
>
> Remote Networking Technology Support Site -
> http://www.remotenetworktechnology.com
> Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
>
> On 23 Aug 2004 06:39:02 -0700, talltim@hotmail.com (Tim David) wrote:
>
> >We have XP workstations running on an NT domain. We have a PC set up
> >for users to use when they need to run a particular piece of software
> >that we only have one licence for, they have a shortcut to an .rdp
> >file on their desktops that connects them via remote desktop to the PC
> >where they logon with their standard NT logon.
> >On our PCs the standard setup for Remote Desktop is to allow the
> >Domain Administrators group and a global group called Remote Desktop
> >to logon through a connection, all other groups are denied (not
> >specifically but not allowing in this case denies)
> >On this particular PC the global group that uses the PC is added to
> >the allowed users. This has been working fine for a couple of months.
> >However I now have one user that can't get logged on, she gets 'Your
> >interactive logon privilege has been disabled' I have checked the
> >account and the PC; she is still in the group and the group still has
> >permissions.
> >Creating a copy of her account (within NT user Manager) for testing
> >revealed that this copy account also has the same problem. A fresh
> >account set up with the same global groups etc does not suffer from
> >this problem. Also a copy of another user's account within the same
> >department does not suffer.
> >I have also tried adding individual permission for the user to log
> >onto the PC and putting her in the global Remote Desktop group and
> >testing connecting to another PC with no joy.
> >
> >The problem looks to be with the user's account but is not in any of
> >the settings configurable from User Manager. Now I am a bit stumped. I
> >am loath to delete and recreate her account as it would be a lot of
> >work changing permissions on all her stuff to allow for the new SID,
> >plus she has a laptop with a local profile.
> >Does anyone have any ideas?
> >
> >Tim

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Have discovered a solution. We use Hyena which is designed for both NT
and Ad domains within the user settings in Hyena there is a an option
to allow or disallow Terminal Services for the user. Changing this
seems to have the affect you would expect, however I don't know how
Microsoft expect you to access it without a third party tool!

Tim

talltim@hotmail.com (Tim David) wrote in message news:<4a59e422.0408250540.c3a13cf@posting.google.com>...
> OK thanks, I have asked the question (
> http://makeashorterlink.com/?T2E325229 ) and will post the answer here
> if I find out.
>
> Tim
>
> "Jeffrey Randow (MVP)" <jeffreyr-support@remotenetworktechnology.com> wrote in message news:<1p7li0lf7gcf6sv8cnv9upgqh58m51ticl@4ax.com>...
> > This is a thought, but perhaps access to the terminal server is
> > disabled in the domain user account. I know how and where to set this
> > in a Win2K/Win2K3 environment, but not in a NT 4 domain.. Try posting
> > this to one of the Terminal Server newsgroups to see if any of them
> > may remember where this setting was for NT 4.
> >
> > Jeffrey Randow (Windows Networking & Smart Display MVP)
> > jeffreyr-support@remotenetworktechnology.com
> >
> > Please post all responses to the newsgroups for the benefit
> > of all USENET users. Messages sent via email may or may not
> > be answered depending on time availability....
> >
> > Remote Networking Technology Support Site -
> > http://www.remotenetworktechnology.com
> > Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
> >
> > On 23 Aug 2004 06:39:02 -0700, talltim@hotmail.com (Tim David) wrote:
> >
> > >We have XP workstations running on an NT domain. We have a PC set up
> > >for users to use when they need to run a particular piece of software
> > >that we only have one licence for, they have a shortcut to an .rdp
> > >file on their desktops that connects them via remote desktop to the PC
> > >where they logon with their standard NT logon.
> > >On our PCs the standard setup for Remote Desktop is to allow the
> > >Domain Administrators group and a global group called Remote Desktop
> > >to logon through a connection, all other groups are denied (not
> > >specifically but not allowing in this case denies)
> > >On this particular PC the global group that uses the PC is added to
> > >the allowed users. This has been working fine for a couple of months.
> > >However I now have one user that can't get logged on, she gets 'Your
> > >interactive logon privilege has been disabled' I have checked the
> > >account and the PC; she is still in the group and the group still has
> > >permissions.
> > >Creating a copy of her account (within NT user Manager) for testing
> > >revealed that this copy account also has the same problem. A fresh
> > >account set up with the same global groups etc does not suffer from
> > >this problem. Also a copy of another user's account within the same
> > >department does not suffer.
> > >I have also tried adding individual permission for the user to log
> > >onto the PC and putting her in the global Remote Desktop group and
> > >testing connecting to another PC with no joy.
> > >
> > >The problem looks to be with the user's account but is not in any of
> > >the settings configurable from User Manager. Now I am a bit stumped. I
> > >am loath to delete and recreate her account as it would be a lot of
> > >work changing permissions on all her stuff to allow for the new SID,
> > >plus she has a laptop with a local profile.
> > >Does anyone have any ideas?
> > >
> > >Tim

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

One question that arises in my mind:

You mentioned that a newly created profile didn't have the problem.

I wonder what mechanism created the change in the setting which you were
able to reverse using the Hyena-related management tool?

Is it possible that, in fact, the Hyena tool is both cause and cure?

There is, of course, an NT-based terminal server. I've never used it, and
don't have any idea what management tools were available for it. I assume
you don't have one of those beasts, either.

"Tim David" <talltim@hotmail.com> wrote in message
news:4a59e422.0408260410.28de12fd@posting.google.com...
> Have discovered a solution. We use Hyena which is designed for both NT
> and Ad domains within the user settings in Hyena there is a an option
> to allow or disallow Terminal Services for the user. Changing this
> seems to have the affect you would expect, however I don't know how
> Microsoft expect you to access it without a third party tool!
>
> Tim
>
> talltim@hotmail.com (Tim David) wrote in message
> news:<4a59e422.0408250540.c3a13cf@posting.google.com>...
>> OK thanks, I have asked the question (
>> http://makeashorterlink.com/?T2E325229 ) and will post the answer here
>> if I find out.
>>
>> Tim
>>
>> "Jeffrey Randow (MVP)" <jeffreyr-support@remotenetworktechnology.com>
>> wrote in message news:<1p7li0lf7gcf6sv8cnv9upgqh58m51ticl@4ax.com>...
>> > This is a thought, but perhaps access to the terminal server is
>> > disabled in the domain user account. I know how and where to set this
>> > in a Win2K/Win2K3 environment, but not in a NT 4 domain.. Try posting
>> > this to one of the Terminal Server newsgroups to see if any of them
>> > may remember where this setting was for NT 4.
>> >
>> > Jeffrey Randow (Windows Networking & Smart Display MVP)
>> > jeffreyr-support@remotenetworktechnology.com
>> >
>> > Please post all responses to the newsgroups for the benefit
>> > of all USENET users. Messages sent via email may or may not
>> > be answered depending on time availability....
>> >
>> > Remote Networking Technology Support Site -
>> > http://www.remotenetworktechnology.com
>> > Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
>> >
>> > On 23 Aug 2004 06:39:02 -0700, talltim@hotmail.com (Tim David) wrote:
>> >
>> > >We have XP workstations running on an NT domain. We have a PC set up
>> > >for users to use when they need to run a particular piece of software
>> > >that we only have one licence for, they have a shortcut to an .rdp
>> > >file on their desktops that connects them via remote desktop to the PC
>> > >where they logon with their standard NT logon.
>> > >On our PCs the standard setup for Remote Desktop is to allow the
>> > >Domain Administrators group and a global group called Remote Desktop
>> > >to logon through a connection, all other groups are denied (not
>> > >specifically but not allowing in this case denies)
>> > >On this particular PC the global group that uses the PC is added to
>> > >the allowed users. This has been working fine for a couple of months.
>> > >However I now have one user that can't get logged on, she gets 'Your
>> > >interactive logon privilege has been disabled' I have checked the
>> > >account and the PC; she is still in the group and the group still has
>> > >permissions.
>> > >Creating a copy of her account (within NT user Manager) for testing
>> > >revealed that this copy account also has the same problem. A fresh
>> > >account set up with the same global groups etc does not suffer from
>> > >this problem. Also a copy of another user's account within the same
>> > >department does not suffer.
>> > >I have also tried adding individual permission for the user to log
>> > >onto the PC and putting her in the global Remote Desktop group and
>> > >testing connecting to another PC with no joy.
>> > >
>> > >The problem looks to be with the user's account but is not in any of
>> > >the settings configurable from User Manager. Now I am a bit stumped. I
>> > >am loath to delete and recreate her account as it would be a lot of
>> > >work changing permissions on all her stuff to allow for the new SID,
>> > >plus she has a laptop with a local profile.
>> > >Does anyone have any ideas?
>> > >
>> > >Tim

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

The error that you are getting could either be from a user right that
prevents interactive logon or a terminal server setting. User Rights
are visible in User Manager or Hyena (look under User Rights under any
domain). There is a specific right for interactive logon.

Terminal server (TSE) settings are more complicated. Since NT was
designed before Terminal Server, the settings can be in a state of
'limbo' when creating new user accounts using User Manager. In Hyena,
the Terminal tab on the user properties dialog will let you
allow/disallow logon to terminal sever sessions. Without checking in
more detail, I think the default is to disallow logon in Hyena to TSE
(since it can be a security concern), but there was a bug in some
versions of Windows that caused this setting to be corrupted when
changing other non-TSE values, since they are kept in the same binary
field. Perhaps your user account simply lost this setting and needed
to have it re-enabled to logon.

If you need more information, open a support case with us by sending
an email to support@systemtools.com.

Kevin Stanush
SystemTools Software Inc.
Home of 'Hyena' for Windows Adminstration
http://www.systemtools.com

talltim@hotmail.com (Tim David) wrote in message news:<4a59e422.0408260410.28de12fd@posting.google.com>...
> Have discovered a solution. We use Hyena which is designed for both NT
> and Ad domains within the user settings in Hyena there is a an option
> to allow or disallow Terminal Services for the user. Changing this
> seems to have the affect you would expect, however I don't know how
> Microsoft expect you to access it without a third party tool!
>
> Tim
>

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

I have since discovered that the settings to allow/disallow terminal
services IS present in the Windows 2000 version of User Manager, so if
you check from a 2000 server you should have no problems, meaning that
you don't need Hyena.
How the setting got changed in the first place is another matter!

Tim

kevin@systemtools.com (Kevin Stanush) wrote in message news:<8b0a3be0.0408271836.73ef8a1b@posting.google.com>...
> The error that you are getting could either be from a user right that
> prevents interactive logon or a terminal server setting. User Rights
> are visible in User Manager or Hyena (look under User Rights under any
> domain). There is a specific right for interactive logon.
>
> Terminal server (TSE) settings are more complicated. Since NT was
> designed before Terminal Server, the settings can be in a state of
> 'limbo' when creating new user accounts using User Manager. In Hyena,
> the Terminal tab on the user properties dialog will let you
> allow/disallow logon to terminal sever sessions. Without checking in
> more detail, I think the default is to disallow logon in Hyena to TSE
> (since it can be a security concern), but there was a bug in some
> versions of Windows that caused this setting to be corrupted when
> changing other non-TSE values, since they are kept in the same binary
> field. Perhaps your user account simply lost this setting and needed
> to have it re-enabled to logon.
>
> If you need more information, open a support case with us by sending
> an email to support@systemtools.com.
>
> Kevin Stanush
> SystemTools Software Inc.
> Home of 'Hyena' for Windows Adminstration
> http://www.systemtools.com
>
> talltim@hotmail.com (Tim David) wrote in message news:<4a59e422.0408260410.28de12fd@posting.google.com>...
> > Have discovered a solution. We use Hyena which is designed for both NT
> > and Ad domains within the user settings in Hyena there is a an option
> > to allow or disallow Terminal Services for the user. Changing this
> > seems to have the affect you would expect, however I don't know how
> > Microsoft expect you to access it without a third party tool!
> >
> > Tim
> >