SeRemoteInteractiveLogonRight is a Privilege (you can grant this privilege with the following policy: Allow log on through Remote Desktop Services). As the documentation says:
This policy setting determines which users or groups can access the
logon screen of a remote device through a Remote Desktop Services
connection[...]
Great! However, as you saw it, the users still receives an error message unless they are members of Remote Desktop Users. That's documented too:
To use Remote Desktop Services to successfully log on to a remote
device, the user or group must be a member of the Remote Desktop Users
or Administrators group and be granted the Allow log on through Remote
Desktop Services right.[...]
Well, this is because there are (at least) two layers:
- The Remote Desktop Service security descriptor: Remote Desktop service has its own access list.
- The SeRemoteInteractiveLogonRight privilege
The order is relevant here: The user connects to Remote Desktop Services first, and if this is allowed, then Windows will check that the user's token holds the SeRemoteInteractiveLogonRight before opening the user's session.
You can see the Remote Desktop Service security descriptor in the Win32_TSPermissionsSetting WMI class (StringSecurityDescriptor for RDP-Tcp). For example, you can give the StringSecurityDescriptor to the Powershell cmdlet ConvertFrom-SddlString to see its content in a prettier format :
$sddl = Get-WmiObject -class win32_tspermissionssetting -Namespace root\cimv2\terminalservices | where {$_.TerminalName -eq "RDP-Tcp"} |select StringSecurityDescriptor
ConvertFrom-SddlString -Sddl $sddl.StringSecurityDescriptor | select -ExpandProperty DiscretionaryAcl
The output will show you that the Remote Desktop Users group is allowed by default:
[...]
Remote Desktop Users: AccessAllowed
[...]
Basically, granting SeRemoteInteractiveLogonRight will not add the user/group to the Remote Desktop security descriptor, so, Remote Desktop Services denies the logon before Windows even had to check if the SeRemoteInteractiveLogonRight was granted.
You can manually add users or groups in the Remote Desktop Services security descriptor with the AddAccount method: the SDDL will be modified and you'll see your account/group in it. If you granted the SeRemoteInteractiveLogonRight privilege, then you should be able to log on (unless other restrictions are effective on this computer or user, of course).
Now, what happens if you add a user in the Remote Desktop Service security descriptor, without granting SeRemoteInteractiveLogonRight? Well, Remote Desktop Services will accept the connection, but you'll see an error when Windows tries to open your session, and as you can see, this is not an error thrown by the RDP client, the graphics channel is opened and the error is shown by the remote computer:
And that's what the security auditing logs tells us in this case (if you are auditing):
You'll not see this event if the user is not allowed to connect according to the Remote Desktop Service security descriptor because the logon operation fails before Windows had a chance to check privileges.
I strongly recommend you to use the Remote Desktop Users group, because this group is present by default in the Remote Desktop service security descriptor, and is allowed to use the SeRemoteInteractiveLogonRight privilege (unless the server is a DC). You should not need to fiddle with the RDS security descriptor.
