This article was previously published under Q278433
This article describes new options that you can use to assign user rights in Windows that affect the Terminal Services feature.
Windows Server 2003 includes the following new User Rights options:
Allow logon through Terminal Services
Deny logon through Terminal Services
You can use these options to change the set of permissions a user must have to establish a Terminal Services session.
To establish a Terminal Services session, a user must have the following permissions:
Allow logon through Terminal Services To grant a user these permissions, start the Group Policy snap-in, open the Local Security Policy or the appropriate Group Policy, and then navigate to the following location:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Allow logon to Terminal Server
To grant a user these permissions, start either the Active Directory Users and Computers snap-in or the Local Users And Groups snap-in, open the user's properties, click the Terminal Services Profile tab, and then click to select the Allow logon to Terminal Server check box.
Guest Access: Logon to the RDP-TCP connection
To grant guests Logon rights to the RDP-TCP connection, start the Terminal Services Configuration snap-in, edit the RDP-TCP so that the guest has at least Logon rights.
The pivotal difference between Windows 2000 and Windows Server 2003 is the "Allow logon through Terminal Services" user right. When you grant this user right, you no longer have to grant the user the Log on locally right (this was a requirement in Windows 2000). In Windows Server 2003, it is possible for a user to establish a Terminal Services session to a particular server, but not be able to log on to the console of that same server.