Cannot Change “Log on through Terminal Services” in Local Security Policy XP from Server 2008 GP

active-directory, group-policy, remote-desktop-services, windows-server-2003-r2, windows-server-2008-r2

This is a mixed AD environment, Server 2003 R2 and 2008 R2: I have a 2003 R2 AD server and a 2008 R2 AD server. GPO is usually managed from the 2008 R2 machine.
I have a RD Gateway on another server as well.

I set up the CAP and RAP to allow a normal user to log on to the department's workstation.

I also adjusted the GPO for that OU to allow "Log on through Remote Desktop Gateway" for the user group.

This worked on my Windows 7 workstation. But unfortunately the policy has a different name in XP: "Allow log on through Terminal Services".

I can get right through into the machine, but when the log on actually happens to the local machine I get the "Cannot log on interactively" error.

This is set (for the local machine) in
secpol.msc > Local Security Policy > "User Rights Assignment"

but is controlled by the GPO in
Computer Configuration > Policies > Security Settings > Local Policies > "User Rights Assignment"

Do I simply need to adjust the same setting on the same GPO but with a Server 2003 GP editor? I feel like that could cause issues… Looking for some direction, or whether anyone has run into this issue yet.

UPDATE
Should this work? support.microsoft.com/kb/186529

Still seems like I will have the issue, as the actual GP settings for Log on through Terminal Services are still different between Server 2008 R2 and 2003 R2.

Another thought: should I delete the GPO made for the department and remake it with the 2003 R2 server? I have no 2008-specific settings, as the whole department runs XP other than myself. If that's a solution I will move my computer out of the department… Thoughts?

Best Answer

Enabling the "Allow users to connect remotely using Terminal Services" policy setting will cause Windows XP machines to which the policy applies to begin allowing terminal services logons (assuming that you're not blocking inbound TCP port 3389 with a Windows Firewall or other firewall setting).

The "Local Policy Does Not Permit You to Log On Interactively" error you're receiving is best mitigated by nesting a group that contains the users who are allowed to log on via Terminal Services into each Windows XP computer's "Remote Desktop Users" group.

You can do this group nesting with Group Policy. Use the "Restricted Groups" functionality (under "Computer Configuration", "Windows Settings", and "Security Settings") to perform the nesting. Make an entry for the "DOMAIN\Domain Users" (or whatever group contains all the users who should have Terminal Services logon access) group there. In the properties for that entry add "Remote Desktop Users" in the "This group is a member of:" section of the policy.

I'd recommend, initially, applying this policy only to some test computers. You can verify it's working by examining the membership of the "Remote Desktop Users" group on the affected computers after the policy has been applied. Once it's to your liking, apply it more broadly.
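The verification step the answer describes (checking "Remote Desktop Users" membership on the test computers, plus the port 3389 caveat from the first paragraph) can be done in bulk from the admin's Windows 7 or 2008 R2 box. The script below is an added example and is not part of the question or the answer. It uses ADSI (LDAP for the OU search, the WinNT provider for the local group) rather than Get-LocalGroupMember, because XP exposes no such cmdlet but does answer WinNT provider queries remotely. The OU distinguished name and the domain group name are placeholders you must replace; the script assumes Windows PowerShell 2.0 or later and local administrator rights on the target machines.

```powershell
# Added example, not from the original post.
# Assumptions (placeholders): the OU DN and the domain group that the Restricted
# Groups policy nests into "Remote Desktop Users". Run from a domain-joined admin
# workstation with local admin rights on the XP targets.
param(
    [string]$OuDn = "OU=Department,DC=corp,DC=example",  # assumed OU path
    [string]$ExpectedMember = "CORP\RDP-Department-Users" # assumed domain group
)

# Enumerate computer accounts in the OU with DirectorySearcher (no RSAT module needed).
function Get-OuComputers {
    param([string]$Dn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Dn"
    $searcher.Filter = "(objectCategory=computer)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add("name")
    $searcher.FindAll() | ForEach-Object { $_.Properties["name"][0] }
}

# Read a remote computer's local group membership through the WinNT provider.
# Returns names as DOMAIN\Name (or COMPUTER\Name for local accounts).
function Get-RemoteLocalGroupMembers {
    param([string]$Computer, [string]$Group = "Remote Desktop Users")
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    $grp.Invoke("Members") | ForEach-Object {
        # ADsPath looks like WinNT://CORP/RDP-Department-Users or WinNT://CORP/PC1/User
        $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '').Split('/')
        "$($parts[-2])\$($parts[-1])"
    }
}

# Quick TCP reachability test for the RDP port, with a timeout so a switched-off
# PC does not stall the whole run (Test-NetConnection is not available on PS 2.0).
function Test-TcpPort {
    param([string]$Computer, [int]$Port = 3389, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# One row per computer: is 3389 open, has the policy nested the expected group,
# and what the local "Remote Desktop Users" group currently contains.
$results = foreach ($c in Get-OuComputers -Dn $OuDn) {
    $members = @()
    $errorText = $null
    try {
        $members = @(Get-RemoteLocalGroupMembers -Computer $c)
    } catch {
        $errorText = $_.Exception.Message
    }
    New-Object PSObject -Property @{
        Computer = $c
        Port3389 = Test-TcpPort -Computer $c -Port 3389
        HasGroup = ($members -contains $ExpectedMember)
        Members  = ($members -join '; ')
        Error    = $errorText
    }
}

$results | Sort-Object Computer |
    Format-Table Computer, Port3389, HasGroup, Members, Error -AutoSize
```

A computer that shows Port3389 as False has a firewall problem regardless of the policy; one that shows HasGroup as False after a gpupdate (or a reboot, since Restricted Groups is a computer setting) has not received or not applied the Restricted Groups entry, and gpresult on that machine will show whether the GPO was applied at all. Membership in "Remote Desktop Users" is what grants the XP "Allow log on through Terminal Services" right by default, so once HasGroup reads True for the test machines the "cannot log on interactively" error should be gone.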