Allowing users to connect using RDP on network


We are looking to implement a group policy that will allow the system administrators to log in on workstations using Domain User credentials. Currently we get the error "The local policy of this system does not permit you to logon interactively" when trying to log in.

We found that the users need to be part of the Local Admin group of the machine to be able to connect, which, as a security measure, we would not like them to have.

What I would like to know is if it is possible to make system-wide changes to allow logging on remotely using users' credentials without upgrading their security rights? Is there a group policy option that will allow this?

Many thanks
BarepAssets, Sys Admin, Commented:
There is a GPO setting: create a GPO and link it to the servers OU. The setting is under Computer Configuration > Windows Settings > Local Policies > User Rights Assignment.

The setting is "Allow log on through Terminal Services"; you can add users or groups.
Henrik Johansson, Systems engineer, Commented:
Interactive = local logon.
If getting this when connecting with mstsc.exe, it's a sign of using /admin parameter (/console in earlier versions) connecting to the console session.
Ensure Domain\Users are listed under remote desktop users on the desktop in question

Better yet, add the users that need to connect to the "remote desktop users" group - that will give them the permissions they need to connect without having admin permissions.

Adding a group to the local Remote Desktop Users group allows its members to log on through Remote Desktop without granting any additional privileges.  You could apply this change to all workstations using the Restricted Groups feature.
BarepAssets, Sys Admin, Commented:
Or link the GPO to the computer OU of your workstations.
granite03, Author, Commented:
BarepAssets, I have added the domain\users group to the gpo of the workstations. Now when I log in, I get a new error message "you do not have access to logon to this session"

The users have already been set as members of the "remote desktop users" on the domain. I know that adding the domain\users as a member of the local machine's "remote desktop users" will solve the issue, but is there any other way? Especially one that involves making system-wide changes and not having to go to each machine locally or connect to it remotely as an admin to make the changes? A GPO would be perfect in this scenario, if such a thing exists.
It is possible to set a GPO to add for instance Domain Remote Desktop Users to Local Desktop Users Group.

To do so:
Open the GPO editor for the GPO you want to edit on your server
Go to Computer Config > Security > Restricted Groups
Right click on Restricted Groups and select Add Group
Select your remote desktop group from your domain
Click Add under "Members of this group:"
add the users you want added to the local remote users group

Deploy the policy. When deployed, it should take the Local Remote Desktop Users group and add the users that you selected.
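
To confirm the result on a workstation once the policy has applied, the following PowerShell check is an added example and not part of the original thread. It assumes an elevated PowerShell 5.1 or later session, and the group name EXAMPLE\RDP-Workstation-Users is a hypothetical placeholder for your own domain group.

```powershell
# Run elevated on a workstation after the GPO has applied (e.g. after gpupdate /force).
# $ExpectedGroup is a hypothetical placeholder; substitute your own domain group.
param(
    [string]$ExpectedGroup = 'EXAMPLE\RDP-Workstation-Users'
)

$rduSid   = 'S-1-5-32-555'   # BUILTIN\Remote Desktop Users (well-known SID)
$adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)

# 1. Export the effective user rights and read who holds the RDP logon right
#    (the "Allow log on through Terminal Services" setting, SeRemoteInteractiveLogonRight).
$cfg = Join-Path $env:TEMP 'user_rights_check.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$line = Get-Content $cfg |
    Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' } |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    # Entries look like "*S-1-5-32-544,*S-1-5-32-555"; strip the leading '*'.
    $holders = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

# 2. Read local group membership by SID so the check also works on localized systems.
$rduMembers   = @(Get-LocalGroupMember -SID $rduSid   | Select-Object -ExpandProperty Name)
$adminMembers = @(Get-LocalGroupMember -SID $adminSid | Select-Object -ExpandProperty Name)

# 3. Summarize: the group should be able to use RDP without being a local admin.
$result = [pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    RdpRightIncludesRDU  = $holders -contains $rduSid
    ExpectedGroupInRDU   = $rduMembers -contains $ExpectedGroup
    ExpectedGroupIsAdmin = $adminMembers -contains $ExpectedGroup
    RemoteDesktopUsers   = $rduMembers -join '; '
}
$result | Format-List

if (-not $result.RdpRightIncludesRDU) { Write-Warning 'Remote Desktop Users does not hold the RDP logon right.' }
if (-not $result.ExpectedGroupInRDU)  { Write-Warning "$ExpectedGroup is not in local Remote Desktop Users." }
if ($result.ExpectedGroupIsAdmin)     { Write-Warning "$ExpectedGroup is also a local administrator." }
```

In Restricted Groups, "Members of this group" replaces the existing membership of the named group, while "This group is a member of" only adds to it, so review the RemoteDesktopUsers line for entries the policy may have removed.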
granite03Author Commented:
All three solutions had an equally helping hand
Question has a verified solution.