Using remote desktop and attempting to login to a Domain Member Server (running Windows 2003 Enterprise R2, fully patched, with Remote Desktop enabled with default config) using the Domain Administrator account (in the root domain of a single domain forest) I get an error that reads"The system cannot log you on due to the following error: Access is denied. Please try again or consult your system administrator."

Hello,check you Group policies relating to the member server and make sure the allow logon through is configure and domain admin is in it Gpedit.msc user rights assignments - allow logon through terminal services Isaac Oben MCITP:EA, MCSE

Hi,In addition to ISaac's suggestion, please also check the following items: Check the Service of Terminal Service is automatic and started ------------------------------------------ Click Start, and Run "Services.msc" without quotes, navigate to Terminal Service item and make sure the Startup Type is automatic and Status is started Check the terminal service is listening on the port 3389. ------------------------------------------ Run "netstat -na|findstr 3389" on the terminal server. Which interfaces are 3389 port listening on? Please ensure the firewall does not block the port traffic. Add users who need to remote desktop to the Remote Desktop Users group on the terminal server. Allow logon through Terminal Services ------------------------------------------ To connect to terminal server properly, users need to be granted the "Allow logon through Terminal Services" right. 1. Logon as administrator, click Start -> Run, type "rsop.msc" in the text box, and click OK. 2. Locate the [Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment] item. 3. Check the "Allow log on through Terminal Services" item to see whether this policy is defined. If so, the "Source GPO" column displays the policy that defines this policy. Please ensure "Administrators", "Remote Desktop Users", and any other desired users are granted this right. If it is different, please configure the corresponding policy to grant the permission. 4. Check the "Deny log on through Terminal Services" item to see whether this policy is defined. If so, the "Source GPO" column displays the policy that defines this policy. Please ensure that the user or any user groups that remote user belongs to is not included in this right. If so, please modify the corresponding policy to remove them. 5. Click Start -> Run, type "cmd" in the text box, and click OK. 6. Run the following command to refresh policy: gpupdate /force 7. Wait for a while so that the group policy is replicated and then try to connect to the server again. Allow logon to Terminal Server ------------------------------------ To grant a user these permissions, start either the Active Directory Users and Computers snap-in or the Local Users And Groups snap-in, open the user’s properties, click the Terminal Services Profile tab, and make sure the check box "Deny this user permissions to logon to Terminal Server" is NOT selected. Check TS permission ---------------------------- I understand that you may have checked this setting. Just for your reference, please double check this setting again: 1. Open the Terminal Services Configuration snap-in. 2. Right click the Rdp-Tcp item, and click Properties. 3. In the Permissions tab, click "Advanced". 4. Click the "Default" button to set the permission to the default state. 5. Close the RDP-Tcp Properties dialog. 6. Reopen it to ensure that Remote Desktop Users have "User Access" and "Guest Access" permission, Administrators has Full Control permission, and there are no deny entries. 7. Click OK. Best regards, Wilson JiaThis posting is provided "AS IS" with no warranties, and confers no rights.

Thank you som much! Best regards!