Remote Desktop policy

w^rl0rd · October 2006

I would like to configure all users in the enterprise to be able to Remote Desktop into their XP workstations.

Assuming that Remote Desktop is enabled on each machine, I thought I just needed to configure the default domain policy so that the Allow logon through Term Svc right is set to Authenticated Users as well as the Allow log on locally right.

Am I missing something? I find myself going to each machine and adding the users' domain accounts to the Remote tab in System Properties.

Note: Each user has a domain acct added to the Remote Desktop Users group.

w^rl0rd · October 2006

Is it that the Allow logon through Term Svc right is for server machines running Terminal Services and that workstations using Remote Desktop require users to be manually added at each console?

royal · October 2006

Remote Desktop Group in AD is different than the one on the local machines. Domain Controllers use the Remote Desktop Users group that is in AD because DCs don't have thieir own SAM database. All other member servers and domain machines use their own Remote Desktop Users group.

There is one way that you could add your users users to the remote desktop users group on all local machines. Go into group policy on the DC, computer configuration > security settings > Restricted Groups. Add the remote desktop users group and inside, add users. Unfortunately, you aren't allowed to add groups to the remote desktop users. The bad side to this, is you have to go in and add a bunch of users to this restricted group setting. Once the client applies the gpo, any user can login to that machine.

You could also just create a script that'll add the user who logs onto a machine and add them to the remote desktop users group. There are a lot of different ways to approach this. I wont get into this since i'm not an elite scripter, unfortunately.

w^rl0rd · October 2006

So what exactly is the Allow Logon Through Terminal Services right for
in the Default Domain Policy?

Is it strictly for domain controllers or for any machine running Terminal Services, not Remote Desktop?

royal · October 2006

I'm fairly certain clients also need the allow logon through terminal services right since it's a setting on the local policy of an xp machine. Member Servers as well as clients allow Administrators and Remote Desktop Users group by default for the allow logon through terminal services. Domain Controllers only allow Administrators as a security precautionary measure.

Also, when I was doing 290 I did a ton of terminal services lab. I remember that terminal services can use the Active Directory Remote Desktop Users group as well as the local remote desktop users group. Clients can't use the AD Remote Desktop Users though (I tested this last night because I was curious as well).

w^rl0rd · October 2006

icroyal wrote:

Clients can't use the AD Remote Desktop Users though (I tested this last night because I was curious as well).

Exactly. Thats the problem I'm running into. All of my domain users are added to the Remote Desktop Users group in AD but get an error stating that the local policy does not allow them to logon interactively.

They all have the log on locally and logon through terminal services right in the default domain policy, but cannot login unless added manually to the local Remote Desktop Users group.

D-boy · October 2006

Cannot Log On to the Remote Computer

If you do not have the correct permissions to access a remote computer running Windows XP Professional, the following message appears:

“The local policy of this system does not permit you to log on interactively.”

You must add yourself to the Remote Desktop Users group (or to a group with administrative rights) so that you can use Remote Desktop.

This link might help you: http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/c08621675.mspx

We use Remote desktop at work all the time to connect to our Servers and client's...

D-boy

Remote Desktop policy

Comments