• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 708
  • Last Modified:

"The local policy of this sytem does not permit you to logon interactively."


I have a domain lab (Windows 2003/2008) and want to give a user  remote desktop to some servers and an XP machine.

I added the user to remote desktop AD group but if he remotely logs on to the XP machine, he gets

"The local policy of this sytem does not permit you to logon interactively."

Please advise.
1 Solution
You need to do it on the machine that you want to let the user remote into


That will do it for you
Check your User Rights Assignment:

Allow log on through Remote Desktop Services
Deny log on locally
Deny log on through Remote Desktop Services
Simplest solution , add him to local admin on XP.
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Meir RivkinFull stack Software EngineerCommented:
Click Start, point to Settings, and then click Control Panel.
    Double-click System, and then on the Remote tab, click Select Remote Users.
    Click Add type in the user account name, and then click OK.

    If you are adding more than one user name, use a semicolon to separate the names.

Note: Adding users to the Remote Desktop Group requires that you are logged on through an administrator account.

Also, make sure that the Remote Desktop Users group has sufficient permissions to log on through Terminal Services. To do this, follow these steps:

    Click Start, click Run, type secpol.msc, and then click OK.
    Expand Local Policies, and then click User Rights Assignment.
    In the right pane, double-click Allow logon through Terminal Services. Make sure that the Remote Desktop Users group is listed.
    Click OK.
    In the right pane, double-click Deny logon through Terminal Services. Make sure that the Remote Desktop Users group is not listed, and then click OK.
    Close the Local Security Settings snap-in.

janhoedtAuthor Commented:
Forgot to mention: I'm working in a domain, so I'm not setting it on the machine itself. Isn't the remote desktop users group sufficient or should I also work via GPO?
janhoedtAuthor Commented:
Adapted the policy, it is there (checked it) but still same message. Please advise.

ThinkPaperIT ConsultantCommented:
Do an RSoP on that machine. It will tell you what policies are being applied to the machine, and if any policies is prohibiting the user from RDPing. Take a look at what motnahpoo stated.

Also logon directly on the machine, right click "My Computer", Properties and select the "Remote" tab. Make sure that one of the  "Allow connection from computers etc." is checked and that "Don't allow connections to this computer" is NOT checked.

Another question - can YOU remote into the workstation or anyone else (admin and non-admin)? Or is only the user having the issue?
janhoedtAuthor Commented:
I have checked rsop and it is correct, local setting on machine also.
Yes I can remote connect via RDP, that's how I connect always.
janhoedtAuthor Commented:
I used a policy "restricted groups" and added the users to remote desktop users. This works. However, now I wonder why the ad group remote desktop users exists also.
janhoedtAuthor Commented:
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Tackle projects and never again get stuck behind a technical roadblock.
Join Now