Link to home
Start Free TrialLog in
Avatar of granite03
granite03

asked on

Allowing users to connect using RPD on network

Hi

We are looking to implement a group policy that will allow the system administrators to log in on workstations using Domain User credentials. Currently we get the error "The local policy of this system does not permit you to logon interactively" when trying to log in.

We found that the users need to be part of the Local Admin group of the machine to be able to connect which is as a security measure, we would not like them to have.

What I would like to know is if it is possible to make system wide changes to allow logging on remotely to using users credentials without upgrading their security rights? Is there a group policy option that will allow this?

Many thanks
Avatar of Henrik Johansson
Henrik Johansson
Flag of Sweden image

Interactive = local logon.
If getting this when connecting with mstsc.exe, it's a sign of using /admin parameter (/console in earlier versions) connecting to the console session.
Ensure Domain\Users are listed under remote desktop users on the desktop in question

Better yet add the users that need to connect to the "remote desktop users" group - that will give them the permisisons they need to connect without having admin permissions.
SOLUTION
Avatar of Shift-3
Shift-3
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
or link gpo to the computer ou of your workstations
Avatar of granite03
granite03

ASKER

BarepAssets, I have added the domain\users group to the gpo of the workstations. Now when I log in, I get a new error message "you do not have access to logon to this session"

The users have already been set as member of the "remote desktop users" on the domain, I know by adding the domain\users as a member of the local machine's "remote desktop users" will solve the issue but is there any other way? Especially one that involves making system wide changes and not having to go to each machine locally or connect to it remotely as an admin to make the changes? A gpo object would be perfect in this scenario, if such a thing exists.
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
All three solutions had an equally helping hand