How to RDP into remote boxes using Active Directory authentication?

Hi all,

I know what I want to do, but not sure how to ask the question or even present the facts.  So bear with me...

I want usernames that are members of 'Remote Desktop Users' (or some other, similar group, maybe 'RDP Access') to be able to RDP into any box in our domain.

We have a Windows network with two Win2003 domain servers, two Win2003 application servers, and 15 (and counting) Windows XP Pro workstations.  The username 'Administrator' is disabled on all boxes.  There is a local username 'loc_adm' for each box for local administration in case it's needed.  All other authentication is done via Active Directory authentication.

We use RDP extensively to administrate all our boxes.  However, when we try to RDP into any box other than a domain server with a username other than 'loc_adm', we get an error 'The Local Policy of this system does not permit you to login interactively'.

I think I understand what this is actually saying.  When a user 'joeblow' (let's say) tries to RDP into a box, user 'joeblow' does not exist locally, so access is denied.

Except that 'joeblow' does exist in Active Directory.  And 'joeblow' is a member of 'Remote Desktop Users' in Active Directory.  And 'joeblow' can log in if he's sitting at the local machine.  I had thought that AD policies took precedence over local policies?

Googling this error simply says to put user 'joeblow' into the group 'Remote Desktop Users' on the machine in question.  Except that 'joeblow' doesn't exist locally on the machine in question.  We could, of course, create the user (and all the other support users) on the local machines, but then what's the point of using AD?

So, how do I remedy this?  I think I must be missing something fundamental and simple.  Or do I have to make a change in the local policy on each box?  If so, what is that change?  And is there a way to just do it once at the AD level and have it propagate out to all other boxes on the domain?  

What am I missing here?

Thanks in advance.  If things need clarifying don't hesitate to ask.
Make a domain group for support in AD and add the support members to it. Then add the domain group to the Remote Desktop Users on the workstation using GPO.

Instead of adding joeblow (a local, non-existent user) to the local Remote Desktop Users group, you would add domain\joeblow.

You can do that manually, or from a server: right-click the My Computer icon of the server and choose Manage, then where it says "Local", right-click there, connect to a remote computer, and put in a computer name.

You could also edit the domain group policy and change "Allow log on locally" and add "domain\joeblow"...

In both cases, you could use "Domain Users" or domain\usernames too.
You can add the group using Restricted Groups; Florian has a good writeup here.

Similar to what Florian did, but you will add to Remote Desktop Users instead of Administrators.
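As an added example (not code from any poster in this thread), here is the manual version of what the answers above describe: put support staff in a domain group, then add that domain group to the local Remote Desktop Users group on each workstation. It uses the ADSI WinNT provider, which works against Windows 2003 and XP hosts from any PowerShell version without the ActiveDirectory module. The domain NetBIOS name `CORP`, the group name `RDP Access` and the computer list are placeholders you would replace with your own.

```powershell
# Added example, not from the thread. Assumptions (placeholders):
#   $Domain      - NetBIOS name of your domain
#   $DomainGroup - domain group that holds the support staff
#   $Computers   - constructed list of target hostnames
# Run from a domain-joined box with admin rights on each target.

$Domain      = 'CORP'                       # assumption
$DomainGroup = 'RDP Access'                 # assumption
$LocalGroup  = 'Remote Desktop Users'
$Computers   = @('WS01', 'WS02', 'APP01')   # constructed list

# Returns the ADsPath of every member of a local group on a remote host,
# e.g. "WinNT://CORP/RDP Access" for a domain group, "WinNT://WS01/loc_adm" for a local user.
function Get-LocalGroupMember {
    param([string]$Computer, [string]$Group)
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    @($grp.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

# Adds DOMAIN\GroupName to a local group on a remote host.
# Returns $true if it made a change, $false if the group was already a member.
function Add-DomainGroupToLocalGroup {
    param([string]$Computer, [string]$Domain, [string]$DomainGroup, [string]$LocalGroup)
    $target  = "WinNT://$Domain/$DomainGroup"
    $members = @(Get-LocalGroupMember -Computer $Computer -Group $LocalGroup)
    if ($members -contains $target) {
        Write-Host "$Computer : $Domain\$DomainGroup is already in '$LocalGroup'"
        return $false
    }
    $grp = [ADSI]"WinNT://$Computer/$LocalGroup,group"
    $grp.psbase.Invoke('Add', $target)
    Write-Host "$Computer : added $Domain\$DomainGroup to '$LocalGroup'"
    return $true
}

foreach ($c in $Computers) {
    try {
        Add-DomainGroupToLocalGroup -Computer $c -Domain $Domain `
            -DomainGroup $DomainGroup -LocalGroup $LocalGroup | Out-Null
        # Verify after the change so you can see the domain group actually landed.
        Get-LocalGroupMember -Computer $c -Group $LocalGroup |
            ForEach-Object { "  $c : member $_" }
    } catch {
        # Typical failures: host offline, Remote Registry/RPC blocked by the XP firewall,
        # or the account running this has no admin rights on the target.
        Write-Warning "$c : $($_.Exception.Message)"
    }
}
```

Two caveats a practitioner would want. First, this script is the per-host equivalent of the Restricted Groups GPO mentioned above (Computer Configuration, Windows Settings, Security Settings, Restricted Groups: add `CORP\RDP Access` and list `Remote Desktop Users` under "This group is a member of"); the GPO version applies to new workstations automatically and re-applies on refresh, which the script does not. Second, membership in Remote Desktop Users only helps because, on Windows 2003 and XP, that group holds the "Allow log on through Terminal Services" user right by default; if a domain policy has overwritten that right with an explicit list, the same "does not permit you to log on interactively" error will persist until the domain group (or Remote Desktop Users) is added back to that right, which is a different setting from "Allow log on locally".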

Was not able to do the GPO thing, either straightforward or using the Florian method