Difficulty: Easy
Correct Answer: Grant users the right to log on locally
Explanation:
Introduction / Context:
On Windows 2000, Terminal Services in application mode on a domain controller enforces local security policies strictly. The error “does not allow you to log on interactively” indicates users lack a required logon right. Admins often can connect because they already possess the needed rights via built-in groups.
Given Data / Assumptions:
Concept / Approach:
In Windows 2000, Terminal Services connections check the “Log on locally” user right on domain controllers (later systems add a distinct “Allow log on through Terminal Services” right). Granting this right to an appropriate group (e.g., a TS Users group) enables non-admin users to log on via Terminal Services. “Log on as a service” applies to running services, not interactive sessions. “Log on over the network” affects network access to shares, not console/TS logons. Copying profiles or home folders does not change policy rights.
Step-by-Step Solution:
1) Open Domain Controller Security Policy or Local Security Policy (on the DC hosting TS).
2) Navigate to Local Policies → User Rights Assignment.
3) Add the appropriate user group to “Log on locally.”
4) Force policy update (secedit /refreshpolicy or reboot) and test a user connection.
Verification / Alternative check:
Attempt a Terminal Services logon using a test user from the granted group; the session should establish successfully without policy denials in the Security log.
Why Other Options Are Wrong:
Common Pitfalls:
Granting overly broad rights (e.g., Everyone) on a domain controller; failing to scope the right to a specific group of TS users.
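A way to check for the pitfall above, as an added example that is not part of the original explanation: the script parses the [Privilege Rights] section of a security template (the INF text that secedit /export /cfg writes) and lists overly broad principals holding SeInteractiveLogonRight, the internal name of “Log on locally.” The sample template, the domain SID and the EXAMPLE\TS Users group are constructed, and the list of principals treated as too broad is an assumption to adapt.

```python
import re

# Principals assumed too broad for "Log on locally" on a domain controller.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "BUILTIN\\Users", "S-1-5-32-546": "BUILTIN\\Guests"}
BROAD_NAMES = {"everyone", "authenticated users", "users", "guests", "domain users"}
BROAD_DOMAIN_RIDS = {"513": "Domain Users", "514": "Domain Guests"}
DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def broad_interactive_logon(inf_text, right="SeInteractiveLogonRight"):
    """List (principal, label) pairs for broad principals holding the right."""
    findings = []
    for principal in parse_privilege_rights(inf_text).get(right, []):
        if principal.startswith("*"):  # SIDs are written as *S-1-...
            sid = principal[1:]
            m = DOMAIN_SID.match(sid)
            label = BROAD_SIDS.get(sid) or (m and BROAD_DOMAIN_RIDS.get(m.group(1)))
        else:  # account written by name instead of SID
            short = principal.split("\\")[-1].lower()
            label = principal if short in BROAD_NAMES else None
        if label:
            findings.append((principal, label))
    return findings


# Constructed sample template; every value below is illustrative.
SAMPLE_INF = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-1-0,*S-1-5-21-1111111111-2222222222-3333333333-513,EXAMPLE\\TS Users
"""
```

On the sample, broad_interactive_logon(SAMPLE_INF) reports Everyone and Domain Users, and leaves Administrators and the scoped TS Users group alone.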
Final Answer:
Grant users the right to log on locally