How to RDP into remote boxes using Active Directory authentication?

Hi all,

I know what I want to do, but not sure how to ask the question or even present the facts.  So bear with me...

I want usernames that are members of 'Remote Desktop Users' (or some other, similar group, maybe 'RDP Access') to be able to RDP into any box in our domain.

We have a Windows network with two Win2003 domain servers, two Win2003 application servers, and 15 (and counting) Windows XP Pro workstations.  The username 'Administrator' is disabled on all boxes.  There is a local username 'loc_adm' for each box for local administration in case it's needed.  All other authentication is done via Active Directory authentication.

We use RDP extensively to administer all our boxes.  However, when we try to RDP into any box other than a domain server with a username other than 'loc_adm', we get the error 'The Local Policy of this system does not permit you to login interactively'.

I think I understand what this is actually saying.  When a user 'joeblow' (let's say) tries to RDP into a box, user 'joeblow' does not exist locally, so access is denied.

Except that 'joeblow' does exist in Active Directory.  And 'joeblow' is a member of 'Remote Desktop Users' in Active Directory.  And 'joeblow' can log in if he's sitting at the local machine.  I had thought that AD policies took precedence over local policies?

Googling this error simply says to put user 'joeblow' into the group 'Remote Desktop Users' on the machine in question.  Except that 'joeblow' doesn't exist locally on the machine in question.  We could, of course, create the user (and all the other support users) on the local machines, but then what's the point of using AD?

So, how do I remedy this?  I think I must be missing something fundamental and simple.  Or do I have to make a change in the local policy on each box?  If so, what is that change?  And is there a way to just do it once at the AD level and have it propagate out to all other boxes on the domain?

What am I missing here?

Thanks in advance.  If things need clarifying don't hesitate to ask.

Steven Carnahan (Assistant Vice President\Network Manager) commented:
Make a domain group for support in AD and add the support members to it. Then add the domain group to the Remote Desktop Users on the workstation using GPO.

B H commented:
Instead of adding joeblow (a local, non-existent user) to the local Remote Desktop Users group... you would add domain\joeblow.

You can do that manually, or from a server: right-click the My Computer icon on the server and choose Manage, then where it says "local", right-click there, choose connect to another computer, and put in a computer name.

You could also edit the domain group policy, change "Allow log on locally" and add "domain\joeblow"...

In both cases, you could use "Domain Users", or domain\usernames too.

Mike Kline commented:
You can add the group using Restricted Groups; Florian has a good writeup here.

Similar to what Florian did, but you will add to Remote Desktop Users instead of Administrators.
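The per-box change B H describes, and that a Restricted Groups GPO would push out, scripted across the workstation list so it is done once from a server; this is an added example, not code from the thread, and the domain name "CORP", the group "RDP Access" and the file workstations.txt are assumed placeholders.

```powershell
# Added example: add a domain group to each XP/2003 box's local "Remote Desktop Users"
# group over the ADSI WinNT provider. Run it as an account that is an administrator
# on every target (a domain admin). Windows PowerShell 2.0 or later.
$Domain      = "CORP"                  # assumption: your NetBIOS domain name
$DomainGroup = "RDP Access"            # assumption: the AD group holding support staff
$LocalGroup  = "Remote Desktop Users"  # built-in local group (SID S-1-5-32-555)

function Get-LocalGroupMembers {
    param([string]$Computer, [string]$GroupName)
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    # Members come back as COM objects; read the ADsPath so DOMAIN\name is visible
    @($group.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    })
}

function Add-DomainGroupToLocalGroup {
    param([string]$Computer, [string]$GroupName, [string]$Domain, [string]$DomainGroup)
    $members = Get-LocalGroupMembers -Computer $Computer -GroupName $GroupName
    $wanted  = "WinNT://$Domain/$DomainGroup"
    if ($members -contains $wanted) {
        return "$Computer : $Domain\$DomainGroup already in $GroupName, nothing changed"
    }
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    # .Add() only appends; existing local members stay. A Restricted Groups policy
    # in "Members of this group" mode instead replaces the whole membership, so
    # prefer its "This group is a member of" mode when you go the GPO route.
    $group.Add("$wanted,group")
    return "$Computer : added $Domain\$DomainGroup to $GroupName"
}

# Walk the workstations; a box that is off or blocks RPC produces a FAILED line
# instead of aborting the whole run.
$computers = Get-Content .\workstations.txt   # assumption: one hostname per line
foreach ($c in $computers) {
    try   { Add-DomainGroupToLocalGroup -Computer $c -GroupName $LocalGroup -Domain $Domain -DomainGroup $DomainGroup }
    catch { "$c : FAILED - $($_.Exception.Message)" }
}
```

If a box still refuses the logon afterwards, check that "Remote Desktop Users" still holds the "Allow log on through Terminal Services" user right in that box's local security policy, because a domain GPO that redefines that right overrides the XP default.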


mlnpscda (Author) commented:
Was not able to do the GPO thing, either straightforward or using the Florian method.