I know what I want to do, but not sure how to ask the question or even present the facts. So bear with me...
I want usernames that are members of 'Remote Desktop Users' (or some other, similar group, maybe 'RDP Access') to be able to RDP into any box in our domain.
We have a Windows network with two Win2003 domain servers, two Win2003 application servers, and 15 (and counting) Windows XP Pro workstations. The username 'Administrator' is disabled on all boxes. There is a local username 'loc_adm' for each box for local administration in case it's needed. All other authentication is done via Active Directory authentication.
We use RDP extensively to administer all our boxes. However, when we try to RDP into any box other than a domain server with a username other than 'loc_adm', we get an error 'The Local Policy of this system does not permit you to login interactively'.
I think I understand what this is actually saying. When a user 'joeblow' (let's say) tries to RDP into a box, user 'joeblow' does not exist locally, so access is denied.
Except that 'joeblow' does exist in Active Directory. And 'joeblow' is a member of 'Remote Desktop Users' in Active Directory. And 'joeblow' can log in if he's sitting at the local machine. I had thought that AD policies took precedence over local policies?
Googling this error simply says to put user 'joeblow' into the group 'Remote Desktop Users' on the machine in question. Except that 'joeblow' doesn't exist locally on the machine in question. We could, of course, create the user (and all the other support users) on the local machines, but then what's the point of using AD?
So, how do I remedy this? I think I must be missing something fundamental and simple. Or do I have to make a change in the local policy on each box? If so, what is that change? And is there a way to just do it once at the AD level and have it propagate out to all other boxes on the domain?
What am I missing here?
Thanks in advance. If things need clarifying don't hesitate to ask.