In order to log in via Remote Desktop on Windows XP, you must be a member of the local machine's Remote Desktop Users group. This is slightly different from Windows Server, where you can modify the permissions of Terminal Services and define custom groups to be allowed access.

Additionally, you've probably tried to change the GPO setting under Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment for 'Allow log on through Terminal Services' and discovered that it still doesn't work fully for non-Administrators.

The solution is to add the group, or the user, that you want to be able to log in remotely to the RDP computer's local Remote Desktop Users group. You cannot add people to the Active Directory domain Remote Desktop Users group, because this group is "local" to the Domain Controller only. So how does an administrator add a user or group to all client workstations' Remote Desktop Users groups without going to each computer manually? Use a GPO:

  • Create a new Group Policy Object at the domain level (or OU level, if you know what you're doing.)
  • Edit the new object
  • In the Group Policy MMC, browse to:
    • Computer Configuration/Windows Settings/Security Settings/Restricted Groups
  • Right-Click and choose "Add Group"
  • Add 'Remote Desktop Users'
  • Select the group and choose the allowed members (for example, 'Domain Users', or create a new group called 'Domain Remote Desktop Users')
  • Run 'gpupdate /force' on the target Remote Desktop computer. If you check the local group membership, you should see that your new group is now a member of the local Remote Desktop Users group.
  • Attempt to connect to the target computer as a member of your new group. (Instructions derived from Stanford Windows Infrastructure.)
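As an added check after the last step (this script is not part of the original instructions), the following PowerShell lists the local Remote Desktop Users group on a workstation and compares it against the members the Restricted Groups policy is expected to enforce; the domain name CONTOSO and the group name 'Domain Remote Desktop Users' are assumed placeholders.

```powershell
# Added verification script (not from the original article): after 'gpupdate /force',
# compare the local Remote Desktop Users group with what the GPO should have set.
# Uses the ADSI WinNT provider, which also works on Windows XP with PowerShell 2.0.
# $ExpectedMembers is an assumed placeholder; replace it with the group(s) you configured.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string[]]$ExpectedMembers = @('CONTOSO\Domain Remote Desktop Users')  # assumed name
)

function Get-LocalGroupMembership {
    param([string]$Computer, [string]$GroupName)
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    # Each member's ADsPath looks like WinNT://DOMAIN/Name; normalise it to DOMAIN\Name
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$actual = @(Get-LocalGroupMembership -Computer $ComputerName -GroupName 'Remote Desktop Users')

Write-Host "Remote Desktop Users on ${ComputerName}:"
$actual | ForEach-Object { Write-Host "  $_" }

# Restricted Groups' 'Members of this group' list is authoritative: after a policy
# refresh, anything not listed in the policy should have been removed. Members that
# still appear here were either added outside the policy or the policy has not applied.
$unexpected = @($actual | Where-Object { $ExpectedMembers -notcontains $_ })
$missing    = @($ExpectedMembers | Where-Object { $actual -notcontains $_ })

if ($missing.Count -gt 0)    { Write-Warning "Expected but absent: $($missing -join ', ')" }
if ($unexpected.Count -gt 0) { Write-Warning "Present but not in policy: $($unexpected -join ', ')" }
if ($missing.Count -eq 0 -and $unexpected.Count -eq 0) { Write-Host 'Membership matches policy.' }
```

Run it on the workstation after the policy refresh; a reported "Expected but absent" entry means the GPO has not applied to that machine (check 'gpresult' and the OU link), while "Present but not in policy" entries point to membership changed outside the policy.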