Allowing users to connect using RDP on network

Posted on 2009-12-30
Last Modified: 2013-11-21

We are looking to implement a group policy that will allow the system administrators to log in on workstations using Domain User credentials. Currently we get the error "The local policy of this system does not permit you to logon interactively" when trying to log in.

We found that the users need to be part of the Local Admin group of the machine to be able to connect, which, as a security measure, we would not like them to have.

What I would like to know is if it is possible to make system-wide changes to allow logging on remotely using users' credentials without upgrading their security rights? Is there a group policy option that will allow this?

Many thanks
Question by:granite03
    LVL 31

    Expert Comment

    by:Henrik Johansson
    Interactive = local logon.
    If getting this when connecting with mstsc.exe, it's a sign of using /admin parameter (/console in earlier versions) connecting to the console session.
    LVL 3

    Expert Comment

    Ensure Domain\Users are listed under remote desktop users on the desktop in question

    Better yet, add the users that need to connect to the "remote desktop users" group - that will give them the permissions they need to connect without having admin permissions.
    LVL 38

    Assisted Solution

    Adding a group to the local Remote Desktop Users group allows its members to log on through Remote Desktop without granting any additional privileges.  You could apply this change to all workstations using the Restricted Groups feature.

    Accepted Solution

    There is a GPO: create it and link it to the servers OU. The setting is under Computer Configuration > Windows Settings > Local Policies > User Rights Assignments.

    The setting is "Allow log on through Terminal Services"; you can add users or groups.

    Expert Comment

    Or link the GPO to the computer OU of your workstations.

    Author Comment

    BarepAssets, I have added the domain\users group to the gpo of the workstations. Now when I log in, I get a new error message "you do not have access to logon to this session"

    The users have already been set as members of the "remote desktop users" on the domain. I know that adding the domain\users as a member of the local machine's "remote desktop users" will solve the issue, but is there any other way? Especially one that involves making system-wide changes and not having to go to each machine locally or connect to it remotely as an admin to make the changes? A GPO object would be perfect in this scenario, if such a thing exists.
    LVL 3

    Assisted Solution

    It is possible to set a GPO to add for instance Domain Remote Desktop Users to Local Desktop Users Group.

    To do so:
    Open the GPO editor for the GPO you want to edit on your server
    Go to Computer Config > Security > Restricted Groups
    Right click on Restricted Groups and select Add Group
    Select your remote desktop group from your domain
    Click Add under "Members of this group:"
    Add the users you want added to the local remote users group

    Deploy the policy. When deployed, it should take the Local Remote Desktop Users group and add the users that you selected.
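
A way to confirm on a workstation that the Restricted Groups policy and the "Allow log on through Terminal Services" right described in the answers above took effect, and that the group did not end up in local Administrators. This is an added example, not part of the original thread; it assumes Windows PowerShell 5.1 or later in an elevated session, and the group name `CONTOSO\RDP-Workstation-Users` is a hypothetical placeholder.

```powershell
# Added example: run elevated on a workstation after the GPO has refreshed.
$RdpUsersSid   = 'S-1-5-32-555'                   # well-known SID: BUILTIN\Remote Desktop Users
$AdminsSid     = 'S-1-5-32-544'                   # well-known SID: BUILTIN\Administrators
$ExpectedGroup = 'CONTOSO\RDP-Workstation-Users'  # hypothetical domain group, replace with yours

function Get-RdpLogonRightHolders {
    # Export only the user-rights area of the effective local security policy.
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    try {
        # SeRemoteInteractiveLogonRight is the privilege behind
        # "Allow log on through Terminal Services".
        $line = Get-Content $cfg |
            Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
        if (-not $line) { return @() }
        # Entries are comma separated; SIDs carry a leading '*'.
        ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
    finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Local group membership as it stands after policy application.
$rdpMembers   = Get-LocalGroupMember -SID $RdpUsersSid |
    Select-Object -ExpandProperty Name
$adminMembers = Get-LocalGroupMember -SID $AdminsSid |
    Select-Object -ExpandProperty Name
$rightHolders = Get-RdpLogonRightHolders

[pscustomobject]@{
    Computer                      = $env:COMPUTERNAME
    # The domain group should be a member of local Remote Desktop Users...
    GroupInRemoteDesktopUsers     = $rdpMembers -contains $ExpectedGroup
    # ...and should NOT have been added to local Administrators.
    GroupInLocalAdministrators    = $adminMembers -contains $ExpectedGroup
    # Remote Desktop Users itself must still hold the logon right,
    # otherwise group membership alone does not permit the connection.
    RdpUsersGroupHoldsLogonRight  = $rightHolders -contains $RdpUsersSid
    LogonRightHolders             = $rightHolders -join ', '
}
```

A workstation in the intended state reports True, False, True for the three checks; if the logon right was granted to a group by name rather than SID, that name appears in `LogonRightHolders` instead.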

    Author Closing Comment

    All three solutions had an equally helping hand
