Allow log on through Remote Desktop Services not working

Allow log on through Remote Desktop Services

  • 10/28/2021

Applies to

  • Windows 10

Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting.

How to enable Add User/Group button [greyed] in allow log on through Remote Desktop Services in GPEDIT.MSC

  • Question

  • 1

    We have enabled RDP on one of our servers and want to access the same by multiple users, but when trying to login RDP it is showing error "To sign in remotely, you need the right to sign in through remote desktop services. ..[long msg] ... "

    By default all my domain users are allowed access to remote desktop services in systems. As I have gone through different discussion forums, I have to enable the user/group in Group Policy also, but while I am trying to enable the same the option shows greyed [not able to add user/group]. Tried below steps -

    1. open gpedit.msc [the local group policy editor]
    2. Expand Local Computer Policy –> Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> User Rights Management
    3. Look for the setting on the right called Allow log on through Remote Desktop Services
    4. Double click this policy
    5. Add the user/group you would like to have remote access to the box. [This box is greyed / disabled].

    It is showing one user in this list and I am able to login using that particular user and not with even domain admin or local admin user.

    Please help me to resolve this problem as I tried searching solution on internet but none is working.

    Thanks in advance.

    Saturday, January 31, 2015 11:10 AM

All replies

  • 1

    Hi Praful,

    Can you add the users into local "remote desktop users" group?

    Thanks,

    Umesh.S.K

    Saturday, January 31, 2015 11:41 AM

  • 0

    Did you open gpedit.msc choosing run as administrator? Do you see anything in event log related to this issue?

    Saturday, January 31, 2015 12:12 PM

  • 0

    Hi,

    In my scenario, DC and RDP server are different. And first of all I tried changing Allow RDP session privilege on DC GPO and as I could not make changes I tried making changes on RDP [local Server] but result is same.

    As per your instruction I checked GPRESULT status also and I am accessing correct GPO.

    And just for your information, with same user credential I can add/delete user / group in "deny RDP" in User Rights Management option.

    I am sorry for not being able to insert the screenshot as my account is not yet verified.

    Monday, February 2, 2015 4:10 AM

Allow log on through Terminal Services

From ThinManager Knowledge Base

Overview

By default, Windows Server does not allow login through remote desktop services by Non-Admin users. This can present problems when deploying ThinManager and configuring thin clients to use a regular user account.

Symptoms

When trying to login through remote desktop services to a server with a Non-Admin account, you will be prompted with the following error:

To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually.


Unable to Login

30 Replies

· · ·

Michael9006 May 20, 2013 at 16:08 UTC

If I'm following your question correctly, I think you may need to do the following:

1] Set up a group and add those users to it. [We use a group called "Remote Users."]

2] Add your new Remote Users group to the Remote Desktop Users group on your terminal server.

Does that make sense?

0

· · ·

GrayBeard

May 20, 2013 at 16:11 UTC

Michael,

I will try your suggestion but I find it odd that I already have a "remote desktop users" group in AD and even though I can add users to that group I still receive the error message like they don't have permission. I have also added each user individually under the "remote settings" tab on the server.

0

· · ·

GrayBeard

May 20, 2013 at 16:15 UTC

I still receive the error message "you must be granted the All logon through terminal services right"

0

· · ·

Talk Nerdy 2 Me May 20, 2013 at 16:23 UTC

Check these:

Computer management - users properties - Terminal Services Profile - Deny logon to Terminal Server.
If it is domain user, go to AD for user properties and check the same.
Secpol.msc - user rights assignments - allow logon through terminal services.

1

· · ·

Sean Donnelly

May 20, 2013 at 16:24 UTC

Check out your Group Policy in this path Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections and Enable "allow users to connect remotely by using Remote Desktop Services".

1

· · ·

GrayBeard

May 20, 2013 at 16:32 UTC

talk nerdy,

the secpol.msc allow logon option has the list of three users but the option to add users is greyed out. there seems to be another policy at work here.

0

· · ·

Sean Donnelly

May 20, 2013 at 16:34 UTC

mrtimyork wrote:

talk nerdy,

the secpol.msc allow logon option has the list of three users but the option to add users is greyed out. there seems to be another policy at work here.

That would most likely be group policy, do you have RSAT installed on your PC that could allow you to access Group Policy Management Console? If on a domain I believe this will take precedence and you need to manage through this way. Otherwise if you do not you can access on your domain controller and do as listed above.

0

· · ·

GrayBeard

May 20, 2013 at 16:36 UTC

Sean,

I do not see Remote desktop services, only Terminal Services

0

· · ·

GrayBeard

May 20, 2013 at 16:41 UTC

sean,

I was able to set the policy to "enable" and did a gpupdate on the server. still receiving the same error regarding the allow logon through terminal services right.

0

· · ·

Sean Donnelly

May 20, 2013 at 16:41 UTC

That should be it if under Windows 2003 domain

Computer Configuration, Administrative Templates, Windows Components, Terminal Services, double-click the Allow users to connect remotely using Terminal Services = Enabled

0

· · ·

Talk Nerdy 2 Me May 20, 2013 at 16:49 UTC

mrtimyork wrote:

talk nerdy,

the secpol.msc allow logon option has the list of three users but the option to add users is greyed out. there seems to be another policy at work here.

Are you on a domain?

0

· · ·

Sean Donnelly

May 20, 2013 at 16:52 UTC

Try to do a gpupdate /force to do a background and foreground refresh and then try using RDC to the server.

0

· · ·

GrayBeard

May 20, 2013 at 16:55 UTC

yes

0

· · ·

Talk Nerdy 2 Me May 20, 2013 at 17:01 UTC

OK then you need to make these changes at the domain level. Let me be more specific so we know we are in the right place.


Open gpedit.msc

Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> User Rights Management
Look for the setting on the right called Allow log on through Remote Desktop Services
Double click this policy
Add the user/group you would like to have remote access to the box.

Also, keep in mind that users will not be allowed to Remote Desktop to a domain controller. Only Administrators can do this. This is by design. If you need to get around this, I may be able to help you.


You can also control this Local Group by using Group Policy restricted groups feature.

0

· · ·

GrayBeard

May 20, 2013 at 17:07 UTC

talk nerdy,

I am there but "add user or group" is still greyed out. I see two additional users listed here besides the administrator and I need to add two more.

0

· · ·

Talk Nerdy 2 Me May 20, 2013 at 17:12 UTC

Are you on the domain controller?

0

· · ·

Talk Nerdy 2 Me May 20, 2013 at 17:17 UTC

Run "rsop.msc" on the Terminal Server. Then change the "Allow log through terminal services" settings.

0

· · ·

Semicolon

May 20, 2013 at 17:24 UTC

If the option is greyed out it is most likely because a group policy has been applied to the server whereby remote desktop users is a restricted group for which membership can only be controlled in that group policy.

0

· · ·

Talk Nerdy 2 Me May 20, 2013 at 17:27 UTC

Exactly. If you use RSOP.msc the "Precedence" TAB will tell you which policy you need to edit.

1

· · ·

Sean Donnelly

May 20, 2013 at 17:29 UTC

Can we check something to see if your policy is being applied on the server? Go into regedit on the affected server and then locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server and then the DWORD value of fDenyTSConnections, to enable it should be set 0 to deny it should be 1, what do you see?

0

· · ·

Talk Nerdy 2 Me May 20, 2013 at 17:29 UTC

It should in most cases be "Default Domain Controllers" policy. This may differ if you have created a custom policy or if you have a dedicated Terminal services server, which is probably best practice but not the most common. Most 2008 networks have the Domain controller configured as the primary services provider for just about every service including Terminal services.

0

· · ·

Talk Nerdy 2 Me May 20, 2013 at 17:32 UTC

SeanMD wrote:

Can we check something to see if your policy is being applied on the server? Go into regedit on the affected server and then locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server and then the DWORD value of fDenyTSConnections, to enable it should be set 0 to deny it should be 1, what do you see?

He hasn't gotten that far yet. He is still unable to add the users he needs to the allow logon policy. This is likely due to attempting to edit the policy on the local machine instead of the terminal server or from a custom GPO instead of the default one for that server.

0

· · ·

Semicolon

May 20, 2013 at 17:33 UTC

SeanMD wrote:

Can we check something to see if your policy is being applied on the server? Go into regedit on the affected server and then locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server and then the DWORD value of fDenyTSConnections, to enable it should be set 0 to deny it should be 1, what do you see?

It should be 0 - because he's actually getting a connection; just unable to login.

0

· · ·

Semicolon

May 20, 2013 at 17:39 UTC

None of the settings referenced above are going to grey out the "add/remove" function from the local Remote Desktop Users group.

In your group policy management console, you'll want to review the Group Policy Results for the subject server. Review any configured settings in the following area:

Computer Config -> [Policies ->] Windows Settings -> Security Settings -> Restricted Groups

You should see an entry somewhere for "Remote Desktop Users," when you find this setting, you will need to add the appropriate Domain account/groups here, or un-configure the setting so that the Local Add/Remove Users/Groups box is available for selection and you can apply these restrictions on a server by server basis.

Additionally, on the server you could go into the local policy on the server in question, [gpedit.msc] and manually adjust these settings [I wouldn't recommend it, just because if it's not in the Domain GPO, somebody's going to forget about this setting]

Computer Config -> [Policies ->] Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment: "Allow log on through remote desktop [terminal] services," and add the users/groups in this box.

1

15 Replies

· · ·

Jason [Virsage] Nov 18, 2015 at 17:15 UTC

Brand Representative for Virsage

Double check the tab in AD Users & Computers under "Remote Desktop Services Profile" make sure it is NOT checked for "Deny this user permissions to log on to Remote Desktop Session Host Server."

1

· · ·

Adam [AJ Tek]

Nov 18, 2015 at 17:15 UTC

Brand Representative for AJ Tek

Check on the RDS server that the Local Remote Desktop Users group has an entry in there for either your AD Remote Desktop Users group, or something else like Domain Users.

1

· · ·

-Aldrin-

Nov 18, 2015 at 17:19 UTC

Also check the local computer if the users are members of the remote desktop group.

2

· · ·

Tyson3790 Nov 18, 2015 at 17:36 UTC

This seems to be at least part of the problem. The local Remote Desktop Users group is empty but I cannot add the AD Remote Desktop Users group to it. I can add other groups like Domain Admins and they can now log in fine but Remote Desktop Users object cannot be found.

0

· · ·

-Aldrin-

Nov 18, 2015 at 17:42 UTC

Are your users RDP'ing to a RDP server or their workstations?

Try adding just a single user and not the whole group for now and then test it.

0

· · ·

Tyson3790 Nov 18, 2015 at 17:46 UTC

Users are connecting to their workstations. I can add an individual user and it works fine. It seems that none of the AD built-in security groups are visible to add.

0

· · ·

-Aldrin-

Nov 18, 2015 at 17:48 UTC

How many users are we talking about here? It would be easier if you just add them individually.

0

· · ·

Tyson3790 Nov 18, 2015 at 17:50 UTC

Around 50 users. I'd rather not add them manually, especially since I know this should work- in fact it did work up until a few days ago.

0

· · ·

Best Answer

-Aldrin-

Nov 18, 2015 at 18:04 UTC

Tyson3790 wrote:

Around 50 users. I'd rather not add them manually, especially since I know this should work- in fact it did work up until a few days ago.

You're right.

check this out: //social.technet.microsoft.com/Forums/windowsserver/en-US/d53a59f4-ff06-4f9b-bfdf-8dc6708844da...

What do you think changed before it stopped working?

1

· · ·

Tyson3790 Nov 18, 2015 at 18:29 UTC

-Aldrin- wrote:

Tyson3790 wrote:

Around 50 users. I'd rather not add them manually, especially since I know this should work- in fact it did work up until a few days ago.

You're right.

check this out: //social.technet.microsoft.com/Forums/windowsserver/en-US/d53a59f4-ff06-4f9b-bfdf-8dc6708844da...

What do you think changed before it stopped working?

If I understand this right, the built-in Remote Desktop Users group is for DC's only and cannot be applied to workstations. I created a new security group called RDP Users and added my remote users to that, then added the RDP Users group to the "Allow log on through Remote Desktop Services" GPO and everything works.

I don't know what changed but obviously it wasn't set up originally the way I thought it was. Thanks for the help.

0

· · ·

-Aldrin-

Nov 18, 2015 at 18:45 UTC

Tyson3790 wrote:

-Aldrin- wrote:

Tyson3790 wrote:

Around 50 users. I'd rather not add them manually, especially since I know this should work- in fact it did work up until a few days ago.

You're right.

check this out: //social.technet.microsoft.com/Forums/windowsserver/en-US/d53a59f4-ff06-4f9b-bfdf-8dc6708844da...

What do you think changed before it stopped working?

If I understand this right, the built-in Remote Desktop Users group is for DC's only and cannot be applied to workstations. I created a new security group called RDP Users and added my remote users to that, then added the RDP Users group to the "Allow log on through Remote Desktop Services" GPO and everything works.

I don't know what changed but obviously it wasn't set up originally the way I thought it was. Thanks for the help.

Glad I was able to help!

0

· · ·

FreakyFerret Nov 24, 2015 at 15:04 UTC

Just wanted to confirm you found the right solution. "Remote Desktop Users" can be considered like a dynamic group rather than an actual security group. You need to create your own security group [call it MyRemoters or such]. Then you add MyRemoters to Remote Desktop Users. Once you do that, you can work with MyRemoters via Group Policy and other tools without issue.

0

· · ·

Tyson3790 Nov 24, 2015 at 15:16 UTC

FreakyFerret wrote:

Just wanted to confirm you found the right solution. "Remote Desktop Users" can be considered like a dynamic group rather than an actual security group. You need to create your own security group [call it MyRemoters or such]. Then you add MyRemoters to Remote Desktop Users. Once you do that, you can work with MyRemoters via Group Policy and other tools without issue.

I did create my own security group [RDP Users] but I didn't even add that group to the built-in Remote Desktop Users group. I just added the RDP Users group to the "Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services" GPO.

0

· · ·

FreakyFerret Nov 24, 2015 at 15:59 UTC

Hi Tyson,

Well, it was about 3 years ago I last set this up, so I might be a bit rusty on the details. One thing I remember for certain was having to create a new security group to get remote desktop services working. I could not use the built-in one. If you got it working though, sounds like you got it right. :]

0

· · ·

Tyson3790 Dec 22, 2015 at 17:50 UTC

Update:

I just realized I left out a step in my last comment. I hadn't noticed that this was a requirement because my test machines already had this set up.

In addition to adding the RDP Users group to the "Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services" GPO...

You then have to also add the RDP Users group to the local Remote Desktop Users security group on each computer by using the following GPO: Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups

Add New Local Group

Action: Update

Group Name: Remote Desktop Users

Members: Domain\RDP Users

Now ANY user that is a member of the RDP Users group can remotely login to any computer on which these two GPO's are applied.

2
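The checks suggested across the two threads above (Semicolon's review of User Rights Assignment and Tyson3790's two-GPO fix) can be gathered into one PowerShell audit. This is an added example, not code from any poster; the function names Get-RdpLogonRight, Resolve-RdpPrincipal and Get-RdpAccessReport are hypothetical, and the sample export with its domain SID is constructed.

```powershell
# Added example. $SampleInf is a constructed secedit export, not real host output.
# S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users, S-1-5-32-546 = Guests.
# The S-1-5-21-...-1105 SID is a made-up stand-in for a domain group such as "RDP Users".
$SampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
'@ -split "`r?`n"

function Get-RdpLogonRight {
    # Pull the two RDP-related rights out of the [Privilege Rights] section.
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$InfLines)
    $rights = @{ SeRemoteInteractiveLogonRight = @(); SeDenyRemoteInteractiveLogonRight = @() }
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $text -match '^(\w+)\s*=\s*(.*)$') {
            $name, $value = $Matches[1], $Matches[2]
            if ($rights.ContainsKey($name)) {
                $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            }
        }
    }
    $rights
}

function Resolve-RdpPrincipal {
    # secedit writes SIDs as *S-1-...; anything else is already an account name.
    param([string]$Entry)
    if (-not $Entry.StartsWith('*')) { return $Entry }
    $sid = $Entry.Substring(1)
    try {
        $sidObject = [System.Security.Principal.SecurityIdentifier]$sid
        $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        "$sid (unresolved)"   # e.g. a domain SID this host cannot look up
    }
}

function Get-RdpAccessReport {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$InfLines)
    $rights = Get-RdpLogonRight -InfLines $InfLines
    [pscustomobject]@{
        Allowed = @($rights.SeRemoteInteractiveLogonRight | ForEach-Object { Resolve-RdpPrincipal $_ })
        # Deny wins over allow for any account covered by both lists.
        Denied  = @($rights.SeDenyRemoteInteractiveLogonRight | ForEach-Object { Resolve-RdpPrincipal $_ })
        # False means membership of the local Remote Desktop Users group grants nothing here.
        RemoteDesktopUsersHoldsRight = $rights.SeRemoteInteractiveLogonRight -contains '*S-1-5-32-555'
    }
}

Get-RdpAccessReport -InfLines $SampleInf | Format-List

# Against a live host, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS /quiet
#   Get-RdpAccessReport -InfLines (Get-Content "$env:TEMP\rights.inf")
#   Get-LocalGroupMember -SID 'S-1-5-32-555'   # who is in local Remote Desktop Users
#   gpresult /h "$env:TEMP\gp.html" /f         # which GPO supplies the winning setting
```

In the constructed sample the right is held by Administrators and one domain group but not by Remote Desktop Users, which is the situation where adding accounts to the local group alone still produces the logon error.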

Allow logon through Remote Desktop Services

In most cases, system admins prefer to configure Allow log on through Remote Desktop Services using local policy. This is done using Start > Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment. Edit the policy setting “Allow log on through Remote Desktop Services” and add the user group to allow RDP access.

Allow log on through Remote Desktop Services – This security setting determines which users or groups have permission to log on as a Remote Desktop Services client.

You can also achieve this by creating a new GPO and applying it to the required organizational unit. I prefer using a group policy to editing local policy on domain controllers.
