This is the most common problem I have seen people face when they need to manage remote client desktops in an Active Directory environment: for example, a user is having trouble with his Outlook client and you need to troubleshoot it from your own desktop.
As the Outlook client is configured in the domain user's profile, you will have to log in using his credentials. Yes, I agree that using a user's credentials is not suitable or accepted practice in organizations, but to get the user's problem solved we can get the approvals, right?
I am going to assume that the “Allow users to connect remotely to this computer” option is enabled; it can be found under the “Remote” tab of the “My Computer” properties. If it is not enabled, you can set a GPO to achieve this.
I also assume that all your computer accounts are in a separate OU, not the default “Computers” container.
You launch RDC and connect to the remote desktop using its IP address or host name. When you try to log in using the user's credentials, an error pops up saying “The local Policy of this system does not permit you to login interactively”.
Let's start in AD and create a GPO named “Interactive logon policy”, linked to the OU that holds all our computer accounts.
Once it is created, edit the policy by right-clicking it and selecting the “Edit…” option.
Now, in the left pane, browse to Computer Configuration – Windows Settings – Security Settings – Local Policies – User Rights Assignment.
Double-click “Allow log on through Terminal Services” to modify it, tick “Define these policy settings”, and click the “Add User or Group” button. Enter Domainname\Domain Users and click OK.
Why did we use the “Domain Users” group? Any user we create in AD is by default a member of Domain Users, and we want this policy to cover all users, because we do not know in advance which user will run into the problem.
OK, the GPO is now created; restart the client system for the policy to be applied.
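Before trying the RDP logon again, it is worth confirming on the client that the policy actually arrived and that the logon right went to the group you intended. The script below is an added example and not part of the original post; it exports the effective local security policy with `secedit`, reads the `SeRemoteInteractiveLogonRight` entry (the right behind “Allow log on through Terminal Services”), resolves the SIDs to names, and checks for the expected group. It assumes an elevated PowerShell session on a domain-joined client, and `DOMAIN` is a placeholder for your own domain name.

```powershell
# Added verification script (not from the original post): run on a client after the
# restart or after "gpupdate /force" to see who holds "Allow log on through Terminal Services".
# Assumes an elevated PowerShell session on a domain-joined client; 'DOMAIN' is a placeholder.
$expectedGroup = 'DOMAIN\Domain Users'   # placeholder: replace with your domain's Domain Users group

$cfg = Join-Path $env:TEMP 'userrights.inf'
# secedit exports the effective local security policy; USER_RIGHTS limits it to logon rights/privileges
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The right behind "Allow log on through Terminal Services" is SeRemoteInteractiveLogonRight.
# secedit writes the .inf as UTF-16, so read it with -Encoding Unicode.
$line = Get-Content -Path $cfg -Encoding Unicode | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'No explicit assignment found; the local default (Administrators, Remote Desktop Users) applies.'
    return
}

# Entries look like "*S-1-5-32-555,*S-1-5-21-...-513"; strip the "*" and translate SIDs to names
$holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $entry = $_.Trim().TrimStart('*')
    if ($entry -like 'S-1-*') {
        try {
            (New-Object System.Security.Principal.SecurityIdentifier $entry).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $entry }   # keep the raw SID if it cannot be resolved (e.g. no DC reachable)
    } else { $entry }
}

"Principals holding SeRemoteInteractiveLogonRight on ${env:COMPUTERNAME}:"
$holders | ForEach-Object { "  $_" }

# -contains is case-insensitive, so 'domain\domain users' matches too
if ($holders -contains $expectedGroup) {
    "OK: $expectedGroup holds the right."
} else {
    Write-Warning "$expectedGroup not found; check the GPO link with 'gpresult /scope computer /r'."
}
```

If the expected group is missing, `gpresult /scope computer /r` on the client shows whether the “Interactive logon policy” GPO was applied at all, which usually points to a wrong OU link or a computer account that is not in that OU. Keep in mind that this list is also the list of everyone who may open an RDP session to the machine, so it is the first thing to review when you later tighten the policy.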
Now when you try to log in again using RDC, you get another error: “You do not have access to logon to this session”.
This is because the user is not a member of the “Remote Desktop Users” group on the client desktop.
So once again let's use the GPO to add the “Domain Users” group to the “Remote Desktop Users” group on every desktop on the network.
Edit the GPO we created in the previous step; in the left pane, browse to Computer Configuration – Windows Settings – Security Settings – Restricted Groups.
Right-click “Restricted Groups” and select the “Add Group…” option.
Enter “Domain-name\Domain Users”, since we want this policy to apply to all users, and click OK.
In the configuration window, under the “This group is a member of” section, add “Remote Desktop Users”.
This adds the Domain Users group to the local Remote Desktop Users group. Once the policy has been applied to the computer, if you log on to the user's desktop with administrator credentials and check the Remote Desktop Users group, you will see Domain Users listed as a member.
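The same check can be done without logging on interactively. The script below is an added example and not part of the original post; it refreshes computer policy, lists the members of the local “Remote Desktop Users” group with `Get-LocalGroupMember`, and also confirms the “Allow users to connect remotely” setting assumed at the start of the post by reading `fDenyTSConnections` (0 means connections are allowed). It assumes Windows 10 / Server 2016 or later, an elevated session, and `DOMAIN` as a placeholder for your domain.

```powershell
# Added verification script (not from the original post): confirm on a client that the
# Restricted Groups policy has added the domain group to the local "Remote Desktop Users" group,
# and that Remote Desktop connections are enabled at all.
# Assumes Windows 10 / Server 2016+ (Get-LocalGroupMember), elevated session; 'DOMAIN' is a placeholder.
$expectedGroup = 'DOMAIN\Domain Users'

# Pull the current computer policy so the check reflects the GPO we just edited
gpupdate /target:computer /force | Out-Null

# 1. Is Remote Desktop enabled? The policy value (if set) overrides the local one.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$policyVal = (Get-ItemProperty -Path $policyKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$localVal  = (Get-ItemProperty -Path $localKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$effective = if ($null -ne $policyVal) { $policyVal } else { $localVal }
if ($effective -eq 0) { "OK: Remote Desktop connections are allowed (fDenyTSConnections = 0)." }
else { Write-Warning "Remote Desktop is disabled (fDenyTSConnections = $effective); enable it locally or via GPO." }

# 2. Who is in the local "Remote Desktop Users" group after the policy applied?
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' |
           Select-Object Name, ObjectClass, PrincipalSource

"Members of 'Remote Desktop Users' on ${env:COMPUTERNAME}:"
$members | Format-Table -AutoSize

# Name is returned as 'DOMAIN\Group'; -contains is case-insensitive
if ($members.Name -contains $expectedGroup) {
    "OK: $expectedGroup is a member; together with the logon right from the first GPO step, RDP logon should now work."
} else {
    Write-Warning "$expectedGroup is not a member yet; check the GPO link with 'gpresult /scope computer /r'."
}
```

One design point on the Restricted Groups step: the “This group is a member of” setting used here is additive, so existing members of Remote Desktop Users (local accounts, other groups) are left in place. The other box in that dialog, “Members of this group”, does the opposite and replaces the group's membership with exactly what you list, which is the setting to reach for when you later want to remove everyone except a named support group.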
Now logging on with the user's credentials will succeed.