
This is a mixed AD environment, Server 2003 R2 and 2008 R2: I have a 2003 R2 AD and a 2008 R2 AD. GPO is usually managed from the 2008 R2 machine. I have an RD Gateway on another server as well.

I set up the CAP and RAP to allow a normal user to log on to the department's workstation.

I also adjusted the GPO for that OU to allow "Log on through Remote Desktop Gateway" for the user group.

This worked on my Windows 7 workstation. But unfortunately the policy has a different name in XP: "Allow log on through Terminal Services".

I can get right through into the machine, but when the log on actually happens on the local machine I get the "Cannot log on interactively" error.

This is set (for the local machine) in secpol.msc > Local Security Policy > "User Rights Assignment",

but is controlled by the GPO in Computer Configuration > Policies > Security Settings > Local Policies > "User Rights Assignment"

Do I simply need to adjust the same setting on the same GPO but with a Server 2003 GP editor? I feel like that could cause issues... Looking for some direction, or to hear whether anyone has run into this issue yet.

UPDATE: Should this work? support.microsoft.com/kb/186529

It still seems like I will have the issue, as the actual GP setting for "Log on through Terminal Services" is still different between Server 2008 R2 and 2003 R2....

Another thought: Should I delete the GPO made for the department and remake it with the 2003 R2 server? I have no 2008-specific settings, as the whole department runs XP other than myself. If that's a solution I will move my computer out of the department... Thoughts?

Campo
  • There is a user rights assignment for interactive log on, have you checked that the user is allowed for that as well? – Aaron Friel Mar 18 '11 at 19:42
  • Ah let me see. Where is it exactly? I always forget its location – Campo Mar 18 '11 at 19:48
  • I thought it's this http://support.microsoft.com/kb/289289 – Campo Mar 18 '11 at 19:51
  • Seems like this is actually what I want http://support.microsoft.com/kb/186529 – Campo Mar 18 '11 at 19:54
  • Can anyone confirm my above comment? Thanks. – Campo Mar 18 '11 at 20:59
  • First, is this GPO applying only to the computers you want? You need to be very careful with these user rights assignments, and I'd hate for you to break your whole domain. Second, configure the "Allow log on through Remote Desktop Services" properties to include "Administrators", "Remote Desktop Users" and finally, create a new group in Active Directory containing the users permitted to log onto these machines and add that as "DOMAIN\Group". For example, if all users should be permitted, "DOMAIN\Domain Users". – Aaron Friel Mar 18 '11 at 21:35
  • @Aaron Friel, yes, this is a new GPO created just for the OU containing the computers I would like this to apply to. Yes, I have ensured to follow best practices when adding the usual suspects to the GP setting; I have added one addition, which is the department security group. You suggest creating a new group. I can if necessary. I found I was unable to connect to the Windows 7 machine even offsite despite the local GP displaying my department group.... Thoughts? – Campo Mar 18 '11 at 21:56
  • Just to be clear, my admin account works, but my day-to-day user account does not.... They are members of the same department. – Campo Mar 18 '11 at 22:00

1 Answer


Enabling the "Allow users to connect remotely using Terminal Services" policy setting will cause Windows XP machines to which the policy applies to begin allowing terminal services logons (assuming that you're not blocking inbound TCP port 3389 with a Windows Firewall or other firewall setting).

The "Local Policy Does Not Permit You to Log On Interactively" error you're receiving is best mitigated by nesting a group that contains the users who are allowed to log on via Terminal Services into each Windows XP computer's "Remote Desktop Users" group.

You can do this group nesting with Group Policy. Use the "Restricted Groups" functionality (under "Computer Configuration", "Windows Settings", and "Security Settings") to perform the nesting. Make an entry for the "DOMAIN\Domain Users" (or whatever group contains all the users who should have Terminal Services logon access) group there. In the properties for that entry add "Remote Desktop Users" in the "This group is a member of:" section of the policy.

I'd recommend, initially, applying this policy only to some test computers. You can verify it's working by examining the membership of the "Remote Desktop Users" group on the affected computers after the policy has been applied. Once it's to your liking, apply it more broadly.

Evan Anderson
  • Thanks for the clear answer @Evan Anderson, I will give this a go and let you know how I make out. My only concern is that, as stated above, the setting is not there in the Server 2008 GPO Editor. It is called "Allow user to log on using Remote Desktop Services" and it does not seem to affect the "Allow users to connect remotely using Terminal Services" setting in the XP machines' Local Security Policy. Seems as though you are suggesting I can get around that by using the "Restricted Groups" functionality? – Campo Mar 19 '11 at 01:32
  • 1
    @Campo: Exactly. The "Allow user to log on using Remote Desktop Services" setting turns on the Terminal Services server, but that's not enough to allow non-Administrator users to log on. Nesting the affected users into "Remote Desktop Users" will give them the necessary "User Rights" assignment to allow them to log on. – Evan Anderson Mar 19 '11 at 01:34
  • You rock @Evan Anderson. Works like a charm. I thank you greatly. – Campo Mar 22 '11 at 18:02
  • @Campo: Glad I could help out. – Evan Anderson Mar 23 '11 at 01:41
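The verification step the answer recommends (check the "Remote Desktop Users" membership on the test computers after the Restricted Groups policy applies) can be scripted from the 2008 R2 box. The following is an added example, not code from the thread or from either poster. It assumes the department group nested by the GPO is named DOMAIN\Dept-RDP-Users and that the test workstations are xpws01 and xpws02; both are placeholders to replace. It uses the WinNT ADSI provider so it works against Windows XP clients without PowerShell remoting, and it also exports the local User Rights Assignment with secedit to confirm that SeRemoteInteractiveLogonRight (the right behind "Allow log on through Terminal Services" on XP and "Allow log on through Remote Desktop Services" on 2008 R2) still includes the built-in Remote Desktop Users group, which is what makes the nesting trick work at all.

```powershell
# Added verification script (not from the original thread).
# Assumptions: DOMAIN\Dept-RDP-Users is the group named in the Restricted Groups policy,
# xpws01/xpws02 are XP test workstations; run as a domain admin from the 2008 R2 server
# after "gpupdate /force" on the clients. PowerShell 2.0 compatible.

$ExpectedMember = 'DOMAIN\Dept-RDP-Users'   # assumption: department group from the GPO
$Computers      = @('xpws01', 'xpws02')     # assumption: test XP workstations

function Get-LocalGroupMemberViaWinNT {
    # Returns the members of a local group as DOMAIN\Name strings, read over the
    # WinNT provider (RPC/SMB), which XP answers without any remoting configured.
    param([string]$Computer, [string]$Group = 'Remote Desktop Users')
    $adsiGroup = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($adsiGroup.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/Dept-RDP-Users; normalise to DOMAIN\Dept-RDP-Users
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-RdpGroupNesting {
    # One row per computer: did the Restricted Groups policy land the expected member?
    param([string]$Computer, [string]$Member)
    $members = @(Get-LocalGroupMemberViaWinNT -Computer $Computer)
    New-Object PSObject -Property @{
        Computer = $Computer
        Nested   = ($members -contains $Member)
        Members  = ($members -join ', ')
    }
}

function Get-RemoteInteractiveLogonRight {
    # Exports the effective local User Rights Assignment with secedit and returns the
    # holders of SeRemoteInteractiveLogonRight. Run this on the workstation itself.
    # Out of the box the list contains *S-1-5-32-544 (Administrators) and
    # *S-1-5-32-555 (Remote Desktop Users); if 555 is missing, a GPO has overridden the
    # right and nesting users into Remote Desktop Users will not let them log on.
    $cfg = Join-Path $env:TEMP 'secpol-export.cfg'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if ($line) { (($line -split '=', 2)[1]).Trim() -split ',' } else { @() }
}

# 1. From the management server: confirm the nesting on each test workstation.
$Computers |
    ForEach-Object { Test-RdpGroupNesting -Computer $_ -Member $ExpectedMember } |
    Format-Table Computer, Nested, Members -AutoSize

# 2. Locally on a workstation: confirm the user right still points at Remote Desktop Users.
$holders = @(Get-RemoteInteractiveLogonRight)
'SeRemoteInteractiveLogonRight holders: ' + ($holders -join ', ')
if ($holders -notcontains '*S-1-5-32-555') {
    Write-Warning 'Remote Desktop Users no longer holds SeRemoteInteractiveLogonRight; check User Rights Assignment in the applied GPOs (gpresult /h report.html).'
}
```

The first check is the one the answer asks for; a computer that shows Nested = False after a refresh means the policy is not applying to it (wrong OU, security filtering, or the client has not pulled the GPO yet). The second check guards against the scenario from the question, where a User Rights Assignment edited under a different OS's template silently replaces the default list rather than adding to it: User Rights Assignment entries in a GPO are not merged with the local defaults, so an entry that names only the department group would remove Administrators and Remote Desktop Users from the right.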