Tuesday, October 8, 2013

Users are not authorized for remote login

To connect to a terminal server properly, users need to be granted the 
"Allow log on through Terminal Services" right. If the server is a domain 
controller, users also need to have the "Allow log on locally" right. I 
understand that you have checked the local access policy rights. Please 
also check the group policies that are applied to the domain or OU, as they 
have higher priority and will override the configuration of the local policy. 

1. Log on as an administrator, click Start -> Run, type "rsop.msc" in the 
text box, and click OK.
2. Locate the [Computer Configuration\Windows Settings\Security 
Settings\Local Policies\User Rights Assignment] item. 
3. Check the "Allow log on locally" item to see whether this policy is 
defined. If so, the "Source GPO" column displays the GPO that defines 
this policy. Please ensure "Administrators", "Remote Desktop Users", 
"Backup Operators", "Account Operators", "Print Operators", "Server 
Operators" are granted this right. If the assignment is different, please 
configure the corresponding policy to grant the permission.
4. Check the "Allow log on through Terminal Services" item to see whether 
this policy is defined. If so, the "Source GPO" column displays the GPO 
that defines this policy. Please ensure "Administrators", "Remote Desktop 
Users", and any other desired users are granted this right. If the 
assignment is different, please configure the corresponding policy to grant 
the permission.
5. Check the "Deny log on locally" item to see whether this policy is 
defined. If so, the "Source GPO" column displays the GPO that defines 
this policy. Please ensure that neither the user nor any user group that 
the remote user belongs to is included in this right. If one is included, 
please modify the corresponding policy to remove it.
6. Check the "Deny log on through Terminal Services" item to see whether 
this policy is defined. If so, the "Source GPO" column displays the GPO 
that defines this policy. Please ensure that neither the user nor any user 
group that the remote user belongs to is included in this right. If one is 
included, please modify the corresponding policy to remove it.
7. Click Start -> Run, type "cmd" in the text box, and click OK. 
8. Run the following command to refresh the policy on both the domain 
controller and the terminal server: 

Gpupdate /force

9. Wait for a while so that the group policy is replicated and then try to 
connect to the server again.
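
The four rights checked in steps 3-6 can also be read in one pass from the server's effective security settings. The script below is an added example, not part of the original post; it assumes an elevated PowerShell 3.0 or later session on the terminal server, and the temporary file name is arbitrary.

```powershell
# Added example: list who holds the four logon rights checked in steps 3-6.
# Assumption: run from an elevated PowerShell session on the terminal server.
$rights = [ordered]@{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Terminal Services'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}

# Export the effective user rights assignment to a temporary INF file.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

# Turn an INF entry ("*S-1-5-32-555" or a plain account name) into a readable name.
function Resolve-Entry([string]$entry) {
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*')) { return $entry }
    $sid = $entry.TrimStart('*')
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        "$sid (unresolved)"   # orphaned SID: the account no longer exists
    }
}

try {
    $lines = Get-Content -Path $cfg
    $report = foreach ($key in $rights.Keys) {
        # Lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
        $line = $lines | Where-Object { $_ -match "^$key\s*=" } | Select-Object -First 1
        $holders = if ($line) {
            ($line -split '=', 2)[1] -split ',' |
                Where-Object { $_.Trim() } | ForEach-Object { Resolve-Entry $_ }
        } else { @() }
        [pscustomobject]@{
            Policy  = $rights[$key]
            Holders = if ($holders) { $holders -join '; ' } else { '(none assigned)' }
        }
    }
    $report | Format-List
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue   # do not leave the export behind
}
```

The output shows the effective assignment only; the "Source GPO" column in rsop.msc is still what identifies which policy to edit. Any group listed under a Deny right takes effect for all of its members, so compare those entries against the remote user's group membership.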