How to : domain user can log on remotely on a Windows 2012 Server

I thought this was going to be simple, but I'm stuck, need your help :)

I would like to give the right to a domain user to be able to log on remotely on a Windows 2012 Server.

- Step 1 : give the rights to the user to log on remotely (right click on computer, properties, remote settings, "allow remote connections to this computer").
- Step 2 : give the rights to the user to open a session on the server. To do so, I read that I would go in the group policy management, domain controller policy, edit, windows settings, security settings, user rights assignment, log on locally. I see that the usual groups are there (administrator, server operators, print operators, and so on...) and I add my user there.

Gpupdate /force... and then I check in RSOP. Red cross :

"The policy default domain controllers policy resulted in the following error : No mapping between accounts names and security IDs was done. For more information, check the logs".

In my log :

"Error 1332" : No mapping between account names and security IDs was done. Cannot find server".

Huh ? Cannot find server Oo ? All I did was to add a domain user to have the right to log on locally.

All I can find on the web is people saying if I removed people from lists etc... but this is not the case. I want to add one user, and that user is clearly in the AD.

If I remove the user, the error is still there! I'm lost ...

Thanks for your help !
StephRu Asked:

StephRu (Author) Commented:
Ok, I'll wait for an expert's comment, but maybe I do have an error in my list of authorized users / groups :

- Account operators
- Administrators
- Backup Operators
- Enterprise Domain controllers
- Print operators
- Server
- Server operators

There is no "server" in my AD... should I remove it ?
0
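
Error 1332 is raised when a name in a security policy cannot be translated to a SID, so an entry such as the "Server" one listed above, which the poster says has no match in AD, is the kind of entry to look for. The following PowerShell check is an added example, not part of the original thread: it walks the [Privilege Rights] section of a GptTmpl.inf file and tries to resolve every entry on the machine where it runs. The sample content is constructed and the function name `Test-PrivilegeRightEntries` is hypothetical.

```powershell
# Constructed sample of a GptTmpl.inf [Privilege Rights] section (not taken from the poster's server).
# Entries starting with '*' are SIDs; bare entries are account names that must be mapped to a SID.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-544,*S-1-5-32-551,*S-1-5-9,*S-1-5-32-550,Server,*S-1-5-32-549
'@ -split '\r?\n'

function Test-PrivilegeRightEntries {
    param([Parameter(Mandatory)][string[]]$Lines)

    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        if ($text -match '^(\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            $entries = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            foreach ($entry in $entries) {
                $resolved = $true
                try {
                    if ($entry.StartsWith('*')) {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ($entry.Substring(1))
                        $detail = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } else {
                        $acct = New-Object System.Security.Principal.NTAccount -ArgumentList $entry
                        $detail = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
                    }
                } catch {
                    $resolved = $false
                    $detail = $_.Exception.Message
                }
                [pscustomobject]@{ Right = $right; Entry = $entry; Resolved = $resolved; Detail = $detail }
            }
        }
    }
}

# On the server itself, pass the lines of the policy's own GptTmpl.inf (via Get-Content) instead of the sample.
Test-PrivilegeRightEntries -Lines $sample | Format-Table -AutoSize
```

Rows with `Resolved` set to False are the entries the machine cannot map; run the check on the domain controller, because the built-in operator groups in the sample do not exist on a workstation.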
SreRaj Commented:
Hi,

Are you trying to grant log on locally right for a user on a Domain Controller? If the server is not a Domain Controller then you don't need to edit Domain Controller policy.
If the Server is a member server in the Domain, then you could add the user to any of the following local groups.

Administrators
Backup Operators
Print Operators

These groups have log on locally permission assigned on servers.

Also, you could open local group policy settings by running 'gpedit.msc' and then browse to windows settings, security settings, user rights assignment, log on locally and add the user there. This too will work the same way.
0
StephRu (Author) Commented:
Hi SreRaj,

Yes, it's a domain controller, sorry for not stating this in my first post.

I don't want the profile to be an administrator, can't I just add the user name ?

I cannot use the local group policy because these settings are controlled by group policies (the options are greyed).
0
StephRu (Author) Commented:
What about "log on through remote desktop services" ? Should I change anything in that policy ?
0
Sandeshdubey (Senior Server Engineer) Commented:
Allow logon locally will allow the user to log in locally. To log in remotely, you need to add the user in log on through remote desktop services. http://technet.microsoft.com/en-us/library/dn221985.aspx

If the user is not added, you need to add the same in the policy. By default the remote desktop users group is configured in this policy; adding the user to the remote desktop users group will allow the user to log in remotely.

For more, see this: http://social.technet.microsoft.com/Forums/windowsserver/en-US/be63ab4a-49a0-4245-a41b-0fefccaaabb0/domain-normal-user-account-is-not-authorized-to-login-to-dc-via-remote-desktop-even-after-assigned?forum=winserverDS

If this is a DC, why are you allowing a normal user to log in? You can install RSAT (Win7) or admin pak (WinXP) on a client computer to manage basic AD activity.
0
