Allowing users to connect using RDP on network

Posted on 2009-12-30
Medium Priority
Last Modified: 2013-11-21

We are looking to implement a group policy that will allow the system administrators to log in on workstations using Domain User credentials. Currently we get the error "The local policy of this system does not permit you to logon interactively" when trying to log in.

We found that the users need to be part of the Local Admin group of the machine to be able to connect, which, as a security measure, we would not like them to have.

What I would like to know is if it is possible to make system-wide changes to allow logging on remotely using users' credentials without upgrading their security rights. Is there a group policy option that will allow this?

Many thanks
Question by:granite03

Expert Comment

by:Henrik Johansson
ID: 26145440
Interactive = local logon.
If getting this when connecting with mstsc.exe, it's a sign of using the /admin parameter (/console in earlier versions) to connect to the console session.

Expert Comment

ID: 26145482
Ensure Domain\Users are listed under remote desktop users on the desktop in question

Better yet, add the users that need to connect to the "remote desktop users" group - that will give them the permissions they need to connect without having admin permissions.

Assisted Solution

Shift-3 earned 249 total points
ID: 26145504
Adding a group to the local Remote Desktop Users group allows its members to log on through Remote Desktop without granting any additional privileges.  You could apply this change to all workstations using the Restricted Groups feature.

Accepted Solution

BarepAssets earned 252 total points
ID: 26145537
There is a GPO: create it and link it to the servers OU. The setting is under Computer Configuration > Windows Settings > Local Policies > User Rights Assignment.

The setting is "Allow log on through Terminal Services"; you can add users or groups.

Expert Comment

ID: 26145572
Or link the GPO to the computer OU of your workstations.

Author Comment

ID: 26146730
BarepAssets, I have added the domain\users group to the gpo of the workstations. Now when I log in, I get a new error message "you do not have access to logon to this session"

The users have already been set as members of the "remote desktop users" on the domain. I know that adding the domain\users as a member of the local machine's "remote desktop users" will solve the issue, but is there any other way? Especially one that involves making system-wide changes and not having to go to each machine locally or connect to it remotely as an admin to make the changes? A GPO object would be perfect in this scenario, if such a thing exists.

Assisted Solution

stealthwifi12 earned 249 total points
ID: 26147526
It is possible to set a GPO to add, for instance, Domain Remote Desktop Users to the Local Desktop Users Group.

To do so:
1. Open the GPO editor for the GPO you want to edit on your server
2. Go to Computer Config > Security > Restricted Groups
3. Right click on Restricted Groups and select Add Group
4. Select your remote desktop group from your domain
5. Click Add under "Members of this group:"
6. Add the users you want added to the local remote users group

Deploy the policy. When deployed, it should take the Local Remote Desktop Users group and add the users that you selected.
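
The following is an added example, not part of the original thread: a PowerShell audit to run on a workstation after the policy has applied, confirming that the domain group is a direct member of the local Remote Desktop Users group, is not a direct member of Administrators, and that the logon right named in the accepted solution is assigned. The group name `CONTOSO\RDP-Workstation-Users` is a hypothetical placeholder.

```powershell
# Added audit example (not from the thread). Run in an elevated
# Windows PowerShell 5.1+ session on the workstation after policy refresh.
$DomainGroup = 'CONTOSO\RDP-Workstation-Users'   # hypothetical name, replace with your group

# Well-known SIDs, so the check also works on non-English Windows installs.
$RduSid   = 'S-1-5-32-555'   # BUILTIN\Remote Desktop Users
$AdminSid = 'S-1-5-32-544'   # BUILTIN\Administrators

function Test-LocalGroupContains {
    # True if $Member is a DIRECT member of the local group (nesting is not expanded).
    param([string]$GroupSid, [string]$Member)
    $sid   = [System.Security.Principal.SecurityIdentifier]$GroupSid
    $names = Get-LocalGroupMember -SID $sid | Select-Object -ExpandProperty Name
    return ($names -contains $Member)
}

function Get-RdpLogonRightHolders {
    # Export the effective user rights and return who holds
    # "Allow log on through Terminal Services" (SeRemoteInteractiveLogonRight).
    $cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
    secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    $hit = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight\s*=' |
           Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $hit) { return @() }
    # Value looks like: *S-1-5-32-544,*S-1-5-32-555
    return @(($hit.Line -split '=', 2)[1].Split(',') |
             ForEach-Object { $_.Trim().TrimStart('*') })
}

$holders = Get-RdpLogonRightHolders

[pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    GroupInRemoteDesktopUsers = Test-LocalGroupContains $RduSid   $DomainGroup
    GroupInAdministrators     = Test-LocalGroupContains $AdminSid $DomainGroup
    RduHoldsRdpLogonRight     = ($holders -contains $RduSid)
    RdpLogonRightHolders      = ($holders -join ', ')
}
```

The least-privilege outcome the question asks for is `GroupInRemoteDesktopUsers = True`, `GroupInAdministrators = False` and `RduHoldsRdpLogonRight = True`.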

Author Closing Comment

ID: 31671184
All three solutions had an equally helping hand
