Hardware

Get IT Done: Consider local permissions when installing Win2K Terminal Services

Find out why new users are unable to print or connect to the terminal server, although they are using the same printer driver and connection client as the original user who is able to print and connect.

While working with Terminal Services over the past two years, I have encountered a problem that occurs when new users are added to a PC running Windows 2000 and the Terminal Services client. The new users are unable to print or connect to the terminal server although they are using the same printer driver and connection client as the original user who is able to print and connect.

I scoured Microsoft's Knowledge Base and the Internet but come up empty handed. I checked the following potential causes but none proved to be the culprit:
  • The versions of Windows 2000 on the server and PC have the same level service packs.
  • The drivers on both the server and PC are the same version from the same source.
  • The applications are installed on the server so they are identical for all users who log on to the terminal server.
  • Different printers have been tried to see if the problem was driver-related to the specific printer driver.

I also tried uninstalling and reinstalling the Terminal Services client using the new user's account; unfortunately, after doing this, neither the original user nor the new users could print or connect to the terminal server. I was beginning to lose hope until I began experimenting with different methods of installing the Terminal Services client. In doing so I discovered that local permissions were causing the problems.

A permissions pickle
Deciding to start with a clean slate I uninstalled the Terminal Services client. I logged on as the original user and reinstalled the client. I then logged on as the new user and tried to connect to the terminal server and print—no luck. I logged on as the original user again and uninstalled the client. I then logged on as a local administrator and installed the client. This time I was able to connect and print from the local administrator account but not from any other accounts. Using the administrator account I uninstalled and again reinstalled the client, choosing to install the software for all users when prompted with the dialog box shown in Figure A. I thought for sure this would work, but alas no. I was unable to connect to the Terminal Server or print using any account except the local administrator.

Figure A


Although my installation experiment didn't solve my problem, it did get me thinking about each account's local permissions. Examining the users' local permissions, I found that only the first was a member of the Power Users group. All of the other accounts were members of the Users group only. I removed one of the accounts from the Users group and added it to the Power User group. When I logged on with that user, I was able to connect to the Terminal Server and print with no problems. I added the other accounts to the local Power Users group and they also could connect and print.

To ensure this solution wasn't giving my users more power than I wanted them to have, I checked each account's domain-level permissions and found them to have the appropriate Terminal Services permissions and to be members of the Users group only—as it should be.

A solution without an answer
Although adding each user to the local Power Users group solved my problem, I'm still unsure about why it solved the problem. As I mentioned before, I researched this problem extensively and could find no satisfactory answers, from Microsoft or anyone else. Here is some of the information that I did find:

If you know why adding the users to the local Power Users group allowed them to connect to the Terminal Server and print please share that knowledge with your fellow TechRepublic members and me by posting a comment to this article.
0 comments

Editor's Picks