Windows 2016 local access for Domain User

Windows 2016 Standard. You used to be able to turn on "Logon locally" and add users. Not an option now, well it's there but cannot modify. Don't want to go to the expense of RDS CALs, for a single user, to access a single app. Planning on using an en expensive remote connection tool, is there a work around or idea anyone can share?
LVL 1
HaroldNetwork EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

McKnifeCommented:
If you cannot modify it, it's set by a domain policy. Start rsop.msc at the server - its output will tell you which policy is responsible so you can edit it.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
HaroldNetwork EngineerAuthor Commented:
@McKnife....what am I looking for? I see the same as if I was editing to change. Buttons grey.
0
McKnifeCommented:
There is a column that would should which policy has set this, right there where you are looking at in rsop.msc
0
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

HaroldNetwork EngineerAuthor Commented:
Default domain controller policy, as I have setup no more than drive mappings. Literally brand new box.
0
McKnifeCommented:
So that tells you, it's set in the default domain controllers policy and that's where you could modify it, if you indeed wanted to let users logon to your domain controller (should be avoided!).
0
HaroldNetwork EngineerAuthor Commented:
@McKnife, so I'm in GPedit correct, to modify? I know it's not suggested, but it's a one user, sparse usage.
0
McKnifeCommented:
If you fully trust that user himself AND also trust his behavior to be secure when it comes to guarding his credentials (this, I wouldn't do even for closest colleagues), you may do that.

Yes, in gpedit.msc, modify that section in the def. domain controllers policy.
0
HaroldNetwork EngineerAuthor Commented:
@Mcknife, I totally respect that and with that being said, options would be remote to a desktop, then resources needed or setup RDS?
0
McKnifeCommented:
Without installing the RDSH role, you may use two rdp sessions at a time for administrative purposes only.
Else, non-administrative, would require the RDSH role and with ut, you'd need to buy CALs.
0
HaroldNetwork EngineerAuthor Commented:
@McKnife right, that is the reason for me thinking I can just give this user general access as user and not logging in as RDP Admin account. This not applicable in this scenario?
0
McKnifeCommented:
I don't know if license terms explicitly forbid non-administrative usage over rdp, but it could be. Technically, it would work, but if you may and want to do it, is up to you to find out.
0
HaroldNetwork EngineerAuthor Commented:
Never could find where to change, this always grey buttons.

Thanks
0
McKnifeCommented:
So you found out, it was set in the default domain controllers policy - you will be able to change it there, won't you?
0
HaroldNetwork EngineerAuthor Commented:
I saw the area the default domain controller policy but the buttons are still grey.
0
McKnifeCommented:
Where? If you open the default domain controller policy, you can edit them - no ifs or buts.
0
HaroldNetwork EngineerAuthor Commented:
@McKnife...thanks...I was doing it all wrong. I see it now. We have a temp connection to a desktop, to see if that works for them, if not I may do this.

Regards
0
HaroldNetwork EngineerAuthor Commented:
thanks again
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Remote Access

From novice to tech pro — start learning today.