This is a mixed AD environment, Server 2003 R2 and 2008 R2 I have a 2003 AD R2 and a 2008 R2 AD. GPO is usually managed from the 2008 R2 machine. I have a RD Gateway on another server as well.

I setup the CAP and RAP to allow a normal user to log on to the departments workstation.

I also adjusted the GPO for that OU to allow Log on trhough Remote Desktop Gateway for the user group.

This worked on my windows 7 workstation. But unfortunately the policy is a different name in XP "allow log on through Terminal Services"

I can get through right into the machine but when the log on actually happens to the local machine i get the "Cannot log on interactively" error.

This is set in (for the local machine) Secpol.msc > Local Security Policy > "user rights assignment"

but is controlled by the GPO in Computer Configuration > Policies > Security Settings > Local Policies > "User Rights Assignment"

Do I simply need to adjust the same setting on the same GPO but with a server 2003 GP editor? Feel like that could cause issues... Looking for some direction. Or if anyone has run into this issue yet.

UPDATE Should this work? support.microsoft.com/kb/186529

Still seems like I will have the issue as the actual GP settings for Log on through Terminal Services is still different between Server 2008 R2 and 2003 R2....

Another Thought: Should I delete the GPO made for the department and remake it with the 2003 R2 server? I have no 2008 specific settings as the whole department runs XP other than myself. If that's a solution I will move my computer out of the department as a solution... Thoughts?