JSI Tip 6959. How do I prevent users from logging on when their Terminal Server User Configuration data cannot be obtained?

Windows 2000 SP4 provides a new Group Policy Object, Log users off when roaming profile fails, at Computer Configuration / Administrative Templates / System / User Profiles.

If the policy is Not Configured, you can implement it via the registry:

1. Copy / Paste the following to a FailLogonOnRegUserConfigErrorsForW2K.reg file:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]

2. Merge the FailLogonOnRegUserConfigErrorsForW2K.reg file with the client's registry, or run regedit /s FailLogonOnRegUserConfigErrorsForW2K.reg.

When you enable this functionality, users will NOT be able to log on to the terminal server remotely if their Terminal Server User Configuration data cannot be obtained. They will receive the following message:

Your interactive logon privilege has been disabled.

This behavior will occur if the terminal server cannot resolve the host name of a user's computer with a domain controller in the user's local domain. It will also happen if both of the following conditions are true:

- NetBIOS name resolution is not enabled on the terminal server that the user tries to connect to.

- The terminal server does not have the user's domain in its DNS suffix search list. If you can't add the user's domain to the DNS suffix search list on the terminal server, have the user log on as [email protected]FQDN (Fully Qualified Domain Name).

NOTE: You can use Workstation.bat or PsExec to deploy the FailLogonOnRegUserConfigErrorsForW2K.reg file.
