"local policy does not allow you to login interactively"
Posted on 2004-04-22
We're used to RDP'ing into workstations as the currently logged-in user and doing admin tasks as needed, then logging out and the user logging back in. Recently we decided to switch all workstations' user permissions from local admin to user only. As we started doing this, we've noticed that now, when we attempt to RDP as the user to test any changes we made as an RDP'ed admin, we get the above-mentioned error.
We have a domain with a few Win2k Advanced Servers (one being the AD DC) as well as 2 2003 servers. All workstations are XP.
I have looked around a bit and found 2 hints pointing at domain policies, so I did make the following changes on the AD server:
Active Directory Users and Computers
Right click your Domain (usually my-company.prv format)
Slide down to and choose Properties
Click the third tab "Group Policy"
Click the Default Domain Policy and hit "Edit" from the buttons below.
Go to Computer Configuration/Windows Settings/Security Settings/User Rights Assignments/ and add "Domain Users" and "Domain Admins" (we added user and administrator to a blank list), and any other group that needs to log on locally, which will enable those groups to log on.
Administrative Tools>Domain Controller Security Policy>Security Settings>Local Policies>User Rights Assignment>Policy>Log on Locally>Add>Browse, click the appropriate group, and then click Add. (added users to existing list)
Unfortunately we still get the same error on the workstation when trying to RDP into them as a user after the previous RDP session was an admin.
Any further help or pointing in the proper direction would be greatly appreciated.