User receives group membership error to terminal server even though has rights

Cerulean

TSLoginMembership.png

To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop User group does not have this right, you must be granted this right manually.

Only as of today a particular user began receiving this message for a second terminal server they use; otherwise, they have never had any problems authenticating into this server. We have no restrictions on simultaneous and multiple logins.

On each terminal server, we have a group and security group like "<nameofserver>_Users" locally in the Builtin\Remote Desktop Users group. For this particular user, on this particular terminal server we have locally given him Administrator, Remote Desktop Users, and Users membership; in AD we have given him DOMAIN\Administrator, Builtin\Remote Desktop Users, DOMAIN\<nameofserver>_Users. It still gives us that error message. We gave him membership to another terminal server (random) by simply making him a member of another DOMAIN\<nameofserver>_Users group -- successfully able to log in to that random terminal server.

So, from scratch we created an AD account 'dummy' (username) with only Domain Users membership. Tried to log in to this particular server, no success. So I added 'dummy' to DOMAIN\<nameofthisparticularserver>_Users group, and then was successfully able to log in. Other users from this user's department are able to log in to this particular server just fine as well.

We checked the Security logs on this particular server, and while it is logging everything, the only thing it appears to not log are these failed login attempts from this particular user who receives this error message. We have tried rebooting the server, and the user is still receiving that error message.
 
We've already had something strange happen in the past where we wound up creating "username2" to 'solve' the issue and get by, and we would like to not do this. It is a concern there is a problem that needs to be fixed.
 
Is there a Deny entry on the user? Do you have trust relationships between the domains?
 
Other users can RDP to the server fine, there is no deny entry on the user, and this isn't across multiple domains but in just one domain.
 
Have you tried username as DOMAIN\user when logging in?

Just tested, didn't work. :(

And though it was a remote possibility this would solve it, I even renamed his user profile folder on the server. No dice, so that rules out the possibility of a corrupt profile.
 
Can you copy a working user profile and test this user? Probably the fastest way to fix it.
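
Added example, not part of the thread: the error text names the "Allow log on through Terminal Services" right and one reply asks about a Deny entry, so this PowerShell sketch exports the server's effective user rights with `secedit` and lists every principal holding the allow right (`SeRemoteInteractiveLogonRight`) or the deny right (`SeDenyRemoteInteractiveLogonRight`). It assumes an elevated session on the terminal server and PowerShell 3.0 or later; the scratch file name is arbitrary.

```powershell
# Added example: who holds the allow/deny RDP logon rights on this server?
# Run elevated on the terminal server itself.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # arbitrary scratch file
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Privilege constants and the policy names shown in Local Security Policy
$rights = @{
    SeRemoteInteractiveLogonRight     = 'Allow log on through Terminal Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs as *S-1-...; some local names are written as plain text
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*S-1-')) { return $entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { "$($sid.Value) (SID does not resolve)" }
}

foreach ($line in Get-Content $cfg) {
    if ($line -match '^(\w+)\s*=\s*(.*)$') {
        $key   = $Matches[1]
        $value = $Matches[2]
        if (-not $rights.ContainsKey($key)) { continue }
        foreach ($entry in $value.Split(',')) {
            if ($entry.Trim()) {
                [pscustomobject]@{
                    Right     = $rights[$key]
                    Principal = Resolve-Principal $entry
                }
            }
        }
    }
}
Remove-Item $cfg

# Members of the local group that normally carries the allow right
net localgroup "Remote Desktop Users"
```

A right with no principals assigned does not appear in the export, so no "Deny" rows means no deny assignment on this server. A group listed under the deny right overrides the allow right for any user who is a member of it.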
 