Remote Desktop standard user

In this article, we will see how to add or remove Remote Desktop users in Windows 10. This will allow them to make connections to the target computer over the Remote Desktop protocol. By default, only members of the Administrators group [e.g. administrative accounts] have access to RDP. Here we go.

Before we continue, here are some details about how RDP works. While any edition of Windows 10 can act as Remote Desktop Client, to host a remote session, you need to be running Windows 10 Pro or Enterprise. You can connect to a Windows 10 Remote Desktop host from another PC running Windows 10, or from an earlier Windows version like Windows 7 or Windows 8, or Linux. Windows 10 comes with both client and server software out-of-the-box, so you don't need any extra software installed.

First of all, enable the Remote Desktop feature as described here:

//winaero.com/blog/enable-rdp-windows-10/

Now, you can configure user permissions.

  1. Press the Win + R hotkeys on the keyboard. The Run dialog will appear on the screen. Type the following into the text box and press Enter:

    SystemPropertiesAdvanced

  2. Advanced System Properties will open.
  3. Go to the Remote tab. There, click on the button Select Users.
  4. The following dialog will open. Click on the Add button.
  5. The Select Users dialog will appear. There, type the desired user name to add or click on the Advanced button to select the user from the list. To populate the list, click on the Find now button in Advanced mode.
  6. Select the desired user in the list and click OK.
  7. Click OK once again to add the user.

You are done.

Alternative ways to add Remote Desktop users in Windows 10

There are two more ways to add or remove Remote Desktop users in Windows 10.

You can use the Local Users and Groups snap-in

You can use the Local Users and Groups snap-in if your Windows edition comes with this app.

  1. Press the Win + R shortcut keys on your keyboard and type the following in the Run box:

    lusrmgr.msc

    This will open the Local Users and Groups app.

  2. Click on Groups on the left.
  3. Double-click "Remote Desktop Users" in the list of groups.
  4. Click the Add button to add one or more users.

You are done.

You can use the net.exe console tool

  1. Open an elevated command prompt.
  2. Type the following command:

    net localgroup "Remote Desktop Users" "UserName" /add

    Replace the "UserName" portion with the actual user account name you want to add to Remote Desktop Users.
    In my case, the command looks as follows:

    net localgroup "Remote Desktop Users" "Alice" /add
  3. To remove a user from "Remote Desktop Users", substitute the /add argument in the command above with the /delete switch, as follows:

    net localgroup "Remote Desktop Users" "Alice" /delete

See the following screenshot.
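The same add, remove and verify steps, done with PowerShell's built-in LocalAccounts cmdlets instead of net.exe, as an added example that is not part of the Winaero article. It also checks the two prerequisites the article mentions before membership matters: that Remote Desktop is enabled (the fDenyTSConnections registry value) and that the "Remote Desktop" firewall rule group is on. It assumes Windows 10 Pro or Enterprise, PowerShell 5.1 or later and an elevated session; the account name Alice is the article's sample, and the function names Get-RdpUsers, Grant-RdpUser, Revoke-RdpUser and Test-RdpHostReady are chosen here.

```powershell
# Added example (not the article's code): manage and audit the local
# "Remote Desktop Users" group with the LocalAccounts cmdlets.
# Assumes Windows 10 Pro/Enterprise, PowerShell 5.1+, and an elevated session.
# "Alice" is the article's sample account name; replace it with a real one.

#Requires -RunAsAdministrator

$GroupName = 'Remote Desktop Users'

function Get-RdpUsers {
    # Current members of the group (local and domain principals), for auditing.
    Get-LocalGroupMember -Group $GroupName |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Grant-RdpUser {
    param([Parameter(Mandatory)][string]$Account)
    # Equivalent of: net localgroup "Remote Desktop Users" "<Account>" /add
    # Idempotent: do nothing if the account is already a member.
    $already = Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq $Account -or $_.Name -like "*\$Account" }
    if ($already) {
        Write-Host "$Account is already a member of '$GroupName'."
        return
    }
    Add-LocalGroupMember -Group $GroupName -Member $Account
    Write-Host "Added $Account to '$GroupName'."
}

function Revoke-RdpUser {
    param([Parameter(Mandatory)][string]$Account)
    # Equivalent of: net localgroup "Remote Desktop Users" "<Account>" /delete
    Remove-LocalGroupMember -Group $GroupName -Member $Account -ErrorAction Stop
    Write-Host "Removed $Account from '$GroupName'."
}

function Test-RdpHostReady {
    # Membership alone is not enough: the Remote Desktop feature must be enabled
    # and the "Remote Desktop" firewall rule group must be on.
    $ts   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $fw   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' }
    [pscustomobject]@{
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
        FirewallRulesEnabled = ($null -ne $fw)
    }
}

# Example run, using the article's sample account name.
Grant-RdpUser -Account 'Alice'
Get-RdpUsers | Format-Table -AutoSize
Test-RdpHostReady
# Revoke-RdpUser -Account 'Alice'   # undo the change
```

Get-RdpUsers is the part worth scheduling: the group is a common place for stray entries to accumulate, and listing it after every change keeps the RDP-capable set visible.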


By default, only members of the Domain Admins group have remote RDP access to the Active Directory domain controllers’ desktop. In this article we’ll show how to grant RDP access to domain controllers for non-admin user accounts without granting administrative privileges.

Many of you can quite reasonably ask: why should ordinary domain users have access to the DC desktop? Indeed, in small or medium-sized infrastructures, maintained by several administrators with domain admin privileges, you’ll hardly need this. In most cases, delegating some administrative permissions in Active Directory or using PowerShell Just Enough Administration [JEA] is sufficient.

However, in large corporate networks maintained by many administrators, it may become necessary to grant RDP access to the DC [usually to branch office DCs or RODCs] for different server admin groups, the monitoring team, on-duty administrators, or other technical staff. Also, from time to time third-party services not managed by the domain administrators are deployed on the DC, and there’s a need to maintain these services.

To Sign in Remotely, You Need the Rights to Sign in through Remote Desktop Services

After the server has been promoted to the domain controller, you cannot manage local users and groups from the Computer Management mmc snap-in. When you try to open Local Users and Groups [lusrmgr.msc] console, the following error appears:

The computer xxx is a domain controller. This snap-in cannot be used on a domain controller. Domain accounts are managed with the Active Directory Users and Computers snap-in.

As you can see, there are no local groups on the domain controller. Instead of the local group Remote Desktop Users, the DC uses the built-in domain group Remote Desktop Users [located in the Builtin container]. You can manage this group from the ADUC console or from the command prompt on the DC.

Display the members of the domain group Remote Desktop Users on the domain controller using the command:

net localgroup "Remote Desktop Users"

As you can see, it is empty. Add a domain user it-pro to it [in our example, it-pro is a regular domain user without administrative privileges]:

net localgroup "Remote Desktop Users" /add corp\it-pro

Make sure that the user is added to this group:

net localgroup "Remote Desktop Users"

You can also verify that the user is now a member of the Remote Desktop Users domain group using the ADUC [dsa.msc] snap-in.

However, even after that, a user still cannot connect to the DC via Remote Desktop with the error:

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default members of the Administrators group have this right. If the group you’re in does not have the right, or if the right has been removed from the Administrators group, you need to be granted the right manually.

Group Policy: Allow Log on through Remote Desktop Services

To allow a domain user or group a remote RDP connection to Windows, you must grant it the SeRemoteInteractiveLogonRight user right. By default, only members of the Administrators group have this right. You can grant this right using the Allow log on through Remote Desktop Services policy.

To allow remote connection to the domain controllers for members of the Remote Desktop Users group you need to change the settings of this policy on your domain controller:

  1. Launch the Local Group Policy Editor [gpedit.msc];
  2. Go to the GPO section Computer Configuration -> Windows settings -> Security Settings -> Local policies -> User Rights Assignment;
  3. Find the policy Allow log on through Remote Desktop Services;
  4. Edit the policy, add the domain group Remote Desktop Users [like this: domainname\Remote Desktop Users], or directly the domain user, or a group [domain\CA_Server_Admins] to it;
  5. Update the Local Group Policy settings on the DC using the command: gpupdate /force

Note that the group that you added to the Allow log on through Remote Desktop Services policy should not be present in the “Deny log on through Remote Desktop Services” policy, because the deny policy has a higher priority [check the article Restricting Network Access under local accounts]. In addition, if you are restricting the list of computers on which users can log on, you need to add the DC name to the properties of the AD account [LogonWorkstations user attribute].

It is better to create a new security group in the domain, for example, AllowLogonDC, and add the user accounts that need remote access to the DC to it. If you want to allow access to all AD domain controllers at once, instead of editing the Local Policy on each DC, it’s better to add the user group to the Default Domain Controllers Policy using the GPMC.msc console [change the policy settings in the same section: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment -> Allow log on through Remote Desktop Services].

Warning. If you change the Default Domain Controllers Policy, don’t forget to add the domain/enterprise administrator groups to the policy Allow log on through Remote Desktop Services, otherwise they will lose remote access to the DCs.

Now the users [groups] you added to the policy will be able to connect to the AD domain controllers via RDP.

The Requested RDP Session Access is Denied

In some cases, when connecting via RDP to a domain controller, an error may appear:

The requested session access is denied.

If you are connecting to the DC under a non-admin user account, this could be due to two problems:

  • You are trying to connect to the server console [using the mstsc /admin mode]. This connection mode is only allowed for administrators. Try to connect to the server using mstsc.exe client in normal RDP mode [without /admin option];
  • The server may already have two active RDP sessions [by default, you can’t use more than two simultaneous RDP sessions on Windows Server without the RDS role]. You cannot log off other users without administrator permissions. You need to wait for the administrators to release one of the sessions.
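An audit script, added here and not part of the original article, that checks the conditions discussed in the Group Policy section and the "session access is denied" section for one account on the DC: membership of the Builtin Remote Desktop Users group, whether the effective Allow log on through Remote Desktop Services right (SeRemoteInteractiveLogonRight) reaches the account through any of its nested groups, whether a Deny right overrides it, and how many RDP sessions are currently active. It reads the effective policy with secedit /export and resolves nested membership with an LDAP_MATCHING_RULE_IN_CHAIN query. It assumes an elevated session on the DC, the ActiveDirectory module (RSAT), and the article's sample account corp\it-pro; the function names Get-EffectiveUserRights, Resolve-Sid, Get-AccountSids, Test-DcRdpAccess and Get-ActiveRdpSessionCount are chosen here.

```powershell
# Added example (not the article's code): check whether a domain account can
# actually RDP to this domain controller. Assumes: run elevated on the DC,
# ActiveDirectory module present, and the article's sample account "it-pro"
# (replace with a real one). Well-known SID S-1-5-32-555 = Builtin\Remote Desktop Users.

#Requires -RunAsAdministrator
Import-Module ActiveDirectory

function Get-EffectiveUserRights {
    # Export the effective local security policy (after GPO processing) and
    # return a hashtable: right name -> array of SIDs that hold the right.
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name = $matches[1]
            $rights[$name] = @()
            foreach ($entry in ($matches[2] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                if ($entry.StartsWith('*')) {
                    $rights[$name] += $entry.Substring(1)   # "*S-1-5-32-555" -> SID
                } else {
                    # Some exports list account names instead of SIDs; normalise to a SID.
                    $acct = New-Object System.Security.Principal.NTAccount($entry)
                    $rights[$name] += $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
                }
            }
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Resolve-Sid([string]$Sid) {
    # SID -> DOMAIN\Name for display; fall back to the raw SID if it cannot be resolved.
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Get-AccountSids {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # The user's own SID plus every group it belongs to, nested groups included.
    $user = Get-ADUser $SamAccountName -Properties PrimaryGroup
    $sids = @($user.SID.Value)
    # The primary group is not listed in 'member', so add it explicitly.
    $sids += (Get-ADGroup $user.PrimaryGroup).SID.Value
    # LDAP_MATCHING_RULE_IN_CHAIN resolves transitive membership in one query.
    $filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $sids += @(Get-ADGroup -LDAPFilter $filter | ForEach-Object { $_.SID.Value })
    return $sids
}

function Test-DcRdpAccess {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $rights = Get-EffectiveUserRights
    $sids   = Get-AccountSids -SamAccountName $SamAccountName
    $allow  = @(@($rights['SeRemoteInteractiveLogonRight'])     | Where-Object { $sids -contains $_ })
    $deny   = @(@($rights['SeDenyRemoteInteractiveLogonRight']) | Where-Object { $sids -contains $_ })
    [pscustomobject]@{
        Account              = $SamAccountName
        InRemoteDesktopUsers = ($sids -contains 'S-1-5-32-555')
        AllowRightVia        = ($allow | ForEach-Object { Resolve-Sid $_ }) -join ', '
        DenyRightVia         = ($deny  | ForEach-Object { Resolve-Sid $_ }) -join ', '
        # Deny takes precedence over Allow, as the article warns.
        CanLogOnViaRdp       = ($allow.Count -gt 0 -and $deny.Count -eq 0)
    }
}

function Get-ActiveRdpSessionCount {
    # Without the RDS role a server allows two simultaneous RDP sessions and a
    # non-admin cannot log the others off, so report how many are in use.
    $lines = query.exe session 2>$null
    @($lines | Where-Object { $_ -match '^\s*>?rdp-tcp#\S*\s+\S+\s+\d+\s+Active' }).Count
}

# Example run with the article's sample account.
Test-DcRdpAccess -SamAccountName 'it-pro' | Format-List
"Active RDP sessions on $env:COMPUTERNAME: $(Get-ActiveRdpSessionCount)"
```

Comparing SIDs rather than names is deliberate: the exported policy stores principals as SIDs, the Builtin group on a DC resolves as BUILTIN\Remote Desktop Users rather than DOMAIN\..., and a user can inherit the right through any nested group, so name matching would miss cases that SID matching catches.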
