Windows Server - logon error: error occurred while an initial user program was starti

Asked By Michae on 09-Mar-07 08:36 AM
I'm trying to set up a pilot TS server, but if I try and log on in a session
with any user who has less than administrative rights over the server, I
receive the following error:
You are connected to the remote computer. However, an error occurred while an
initial user program was starting, so you are being logged off. Contact the
system administrator for assistance.

It's a new Windows Server 2003 install from CD with SP1. The computer's a
member of the domain and I've given domain users the right to log on via
terminal servers, and granted permissions on RDP for domain users and guest
to log on. I can't find anything useful in the event logs. I tried enabling
verbose userenv logging, but couldn't see anything obvious. Has anyone seen
this and worked around it? cheers

MattShel replied on 09-Mar-07 12:07 PM
I have not had this problem, but a couple of things come to mind.

1.  Are there any applications that start up when the session starts up?
Such as run this program at logon? Does a program start when an admin logs on?

2.  Would you be willing to reformat?

Michae replied on 09-Mar-07 02:55 PM
Hi Matt,

1. Not that I'm aware of. If I add a program to run when a session is
started, I don't get this error, but only that program runs, and explorer
doesn't seem to load (no start menu bar, system tray etc.).

2. Tried that.

MattShel replied on 09-Mar-07 04:21 PM
Yeah, the actions that you describe with the first question are what should
happen. I wonder what would happen if you said to run explorer.exe... maybe
something to try although I really don't know what will happen.  Sometimes,
and I don't completely understand why, companies only want their people to
have access to one application, or have created their own custom desktop
environment they want to implement.  Hence these weird settings and the
actions you described.

If a reformat of the server does not work, I would also try a different
client.  Clients can also have something that says to load a specific file.
I can also give you a place to log in on my TS server with your client to see
what would happen and that would tell you for sure whether it was the server
or the client.

Sorry for taking so long in my response.

Michae replied on 10-Mar-07 05:53 AM
I tried setting explorer.exe but I just get an error fails to run and exits,
sorry can't remember the error off hand.

I've tried different clients, blocking GPO inheritance etc. Is there
anything in AD, apart from GPOs that could cause this type of behaviour?

MattShel replied on 12-Mar-07 12:01 PM
I kind of figured that starting the computer with the application
explorer.exe would give some kind of error, only because it seems like that
would be an unnatural thing to do, but I figured, why not let's give it a

From the sounds of things, there is a critical file (or at least Windows
believes it to be critical) that gets called up when it is started and only
administrators have rights to it.  The only thing I know that you could do is
reformat (I know the cheap way out) and reinstall Windows.  From there I
would download all Windows Updates and then enable TS.  Install any other
updates and then see what you have.  You might even try leaving it in its own
workgroup or creating a Test Domain with it as the DC just to see if that
could be the factor.

Michae replied on 12-Mar-07 12:15 PM
Hi Matt,

Thanks for all your help. I've figured it out. It's caused by only
administrators and server operators having permission to read
explorer.exe. I added domain users, and everything started working.

Is this default behaviour? I would expect users other than admins and server
operators to be prevented from logging on interactively or via terminal
services by default, but would have thought there'd be a smoother way of
enabling for users. I certainly haven't seen this sort of instruction
anywhere in terms of setting up terminal services. Any thoughts?

Again, many thanks.

MattShel replied on 12-Mar-07 12:24 PM
Wow, that is a crazy solution.  I have not run into that kind of a thing
before, but it makes sense that it would cause the problem.  I checked my
explorer.exe permissions and I have Administrators, Authenticated Users,
Server Operators, System as the groups that have permissions, with the
Authenticated Users having less permissions.  They have Read & Execute and
Read permissions, which they inherited from the \Windows folder.  I would
check to make sure your users have these permissions as well to prevent other
to the other folders.

Michae replied on 12-Mar-07 12:36 PM
Found it! There is a GPO which sets the file system permission on
explorer.exe and explorer.scf.

Thanks again.
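
Added example, not part of the thread: a PowerShell check for the condition found above, where non-administrators lack Read & Execute on explorer.exe and explorer.scf. It assumes both files sit directly under %SystemRoot%, treats Everyone, Authenticated Users, BUILTIN\Users and Domain Users (RID 513) as the ordinary-user groups, and uses a hypothetical helper name, Test-ShellFileAcl.

```powershell
# Added example: audit the ACL on the shell files named in the thread.
# Run from an administrative session so the ACL itself can be read.
# Assumption: both files live directly under %SystemRoot%.
$shellFiles = 'explorer.exe', 'explorer.scf'

# Well-known SIDs of groups every ordinary Terminal Server user holds.
$userSids = @(
    'S-1-1-0'        # Everyone
    'S-1-5-11'       # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)
$need = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-ShellFileAcl {   # hypothetical helper name
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Request SIDs rather than names so the match is domain- and language-neutral.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $userRules = @($rules | Where-Object {
        $sid = $_.IdentityReference.Value
        # Domain Users is <domain SID>-513; the domain part differs per domain.
        ($userSids -contains $sid) -or ($sid -match '^S-1-5-21-.+-513$')
    })
    $allow = @($userRules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $need) -eq $need })
    $deny = @($userRules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ($_.FileSystemRights -band $need) -ne 0 })
    # Group-based approximation, not a full effective-access calculation.
    New-Object PSObject -Property @{
        Path               = $Path
        UsersCanRun        = ($allow.Count -gt 0 -and $deny.Count -eq 0)
        AllowedTo          = ($allow | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        # True when the DACL no longer inherits from the \Windows folder.
        InheritanceBlocked = $acl.AreAccessRulesProtected
    }
}

$shellFiles | ForEach-Object {
    $path = Join-Path $env:SystemRoot $_
    if (Test-Path $path) { Test-ShellFileAcl -Path $path }
    else { Write-Warning "$path not found" }
} | Format-Table Path, UsersCanRun, InheritanceBlocked, AllowedTo -AutoSize
```

A file reported with UsersCanRun False and InheritanceBlocked True matches the state described in the thread; the Resultant Set of Policy snap-in (rsop.msc) shows which GPO defines a File System security entry for it.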