To Sign in Remotely, You Need the Right to Sign in Through Remote Desktop Service
When connecting to a Windows desktop computer or a Windows Server running Remote Desktop Services [RDS] over RDP, you may encounter the following error:
To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually.
If Network Level Authentication [NLA] is also enabled for RDP on the remote computer, the same problem shows up as a different error message:
Remote Desktop Connection
The connection was denied because the user account is not authorized for remote login.
How can you remotely connect to the desktop of such a computer [the screenshot with an error taken from Windows 10]?
By default, Windows security settings allow remote RDP logins through Remote Desktop Services [TermService] when:
- The user account is a member of the local group Remote Desktop Users or Administrators;
- The user or group is allowed to connect by the local Group Policy setting Allow log on through Remote Desktop Services.
Add User to Remote Desktop Users Group
As you probably know, members of the local Administrators group are allowed to log in via Remote Desktop by default. So one way to get access is to make sure the account you connect with is a member of the local Administrators group. You can check this on the computer using the Local Users and Groups MMC console [lusrmgr.msc].
In the Local Users and Groups console, go to the Groups section, select the Administrators group, and check if your account is in this list.
A regular [non-administrator] user can also connect to a computer via RDP if the account is added to the local group Remote Desktop Users [members of this group are granted the permission to log on remotely].
Use the lusrmgr.msc snap-in as described above to check if your account is a member of the Remote Desktop Users group.
If you have administrator privileges on this computer, you can add a user account to this group by clicking the Add button. Enter the name of the user or security group and click OK twice to save the changes.
This way, the user gets the permission to log on remotely via Remote Desktop, but won't have local administrator privileges on the computer.
You can list the local groups the user is a member of with the command:
net user bjackson | find "Local Group Memberships"
In this screenshot, you can see that the first user is only a member of the local Users group, while the second has been added to two local groups: Administrators and Remote Desktop Users.
If you want to check local group membership for a domain account, add the /DOMAIN parameter:
net user bjackson /DOMAIN | find "Local Group Memberships"
You can get the local group membership of a user on a remote computer [OfPCN21 in this example] with the Invoke-Command PowerShell cmdlet:
Invoke-Command -ComputerName OfPCN21 -ScriptBlock { net user bjackson /DOMAIN | find "Local Group Memberships" }
You can add a user to the local group in several ways:
- Using PowerShell:
Add-LocalGroupMember -Group "Remote Desktop Users" -Member bjackson
- Using the net localgroup command:
net localgroup "Remote Desktop Users" corp\bjackson /add
- Or using a GPO to add users to the Remote Desktop Users group.
After the user is added to the group, the SeRemoteInteractiveLogonRight user right is granted to the account at logon [the Remote Desktop Users group is listed in the Allow log on through Remote Desktop Services policy by default], and the user will be able to connect via RDP.
Group Policy: Allow Log on Through Remote Desktop Services
You can also allow users to remotely connect to Remote Desktop Services using the local group policy editor:
- Run the gpedit.msc console and go to the section Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment;
- Find a policy named Allow log on through Remote Desktop Services;
Tip. If this policy contains only the Administrators group, your administrator has, for some reason, denied RDP access to the system for the local Remote Desktop Users group.
- Click the Add User or Group button, and add the users or groups that you want to allow to log in via RDP;
- Save the changes and update the computer policies using the gpupdate command:
gpupdate /force
Tip. Using this policy, you can grant RDP access to domain controllers to technical staff or users without granting them domain admin privileges in the Active Directory domain. This trick will also work if you have installed the Remote Desktop Services role on the AD domain controller [although this is not recommended] and you want to allow non-admin users to connect to it via RDP/RemoteApp.
Also, in the same section of the GPO editor, make sure your account is not listed in the Deny log on through Remote Desktop Services policy [it is located under the same GPO section: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment].
If a user is included in both policies at once, either directly or through a group, they won't be able to connect via RDP, because the Deny policy takes precedence.
If your computer is joined to the AD domain, these settings may be overwritten by the domain Group Policy Settings. The current GPO settings can be obtained using the rsop.msc snap-in or with the gpresult command.
If you need to check which GPO settings have been applied from the domain, open an elevated command prompt and run the command:
gpresult /h gp_report.html
Open gp_report.html in your browser and check the configured values of the Allow log on through Remote Desktop Services and Deny log on through Remote Desktop Services policies.
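As an added example [not code from the article], the following PowerShell script ties the two checks above together: it reads the effective Allow/Deny log on through Remote Desktop Services user rights from a secedit export, resolves the listed SIDs, and reports whether a given account is covered directly or through a local group. It assumes it is run from an elevated prompt and that CORP\bjackson is a placeholder account name; nested domain group membership is not expanded.

```powershell
# Added example (not from the original article): audit whether a given account
# can log on through Remote Desktop Services on this computer by reading the effective
# Allow/Deny user rights (SeRemoteInteractiveLogonRight / SeDenyRemoteInteractiveLogonRight)
# from a secedit export and checking direct local group membership. Run elevated.
# Assumption: "CORP\bjackson" is a placeholder account name, as in the article.
param([string]$Account = "CORP\bjackson")

$inf = Join-Path $env:TEMP "user_rights.inf"
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# [Privilege Rights] lines look like: SeXxx = *S-1-5-32-555,*S-1-5-21-...-1104
$rights = @{}
foreach ($line in Get-Content $inf -Encoding Unicode) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

$userSid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# $true if the SID is the account itself or a local group that contains it directly
# (nested domain group membership is not expanded here).
function Test-PrincipalCoversAccount([string]$Sid) {
    if ($Sid -eq $userSid) { return $true }
    try {
        $members = Get-LocalGroupMember -SID $Sid -ErrorAction Stop
        return [bool]($members | Where-Object { $_.SID.Value -eq $userSid })
    } catch { return $false }   # not a local group, or a group we cannot enumerate
}

function Resolve-Sid([string]$Sid) {
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value } catch { $Sid }
}

$allow = @($rights['SeRemoteInteractiveLogonRight'])     | Where-Object { $_ }
$deny  = @($rights['SeDenyRemoteInteractiveLogonRight']) | Where-Object { $_ }
"Allow log on through RDS: " + (@($allow | ForEach-Object { Resolve-Sid $_ }) -join ', ')
"Deny log on through RDS:  " + (@($deny  | ForEach-Object { Resolve-Sid $_ }) -join ', ')

$allowed = [bool]($allow | Where-Object { Test-PrincipalCoversAccount $_ })
$denied  = [bool]($deny  | Where-Object { Test-PrincipalCoversAccount $_ })
# Deny wins over Allow, which is why an account listed in both cannot connect.
if ($denied)      { "$Account is explicitly denied remote interactive logon." }
elseif ($allowed) { "$Account is allowed to log on through Remote Desktop Services." }
else              { "$Account is not covered by the Allow policy (expect the 'right to sign in' error)." }
```

Save it as a .ps1 file and run it with the account name as the parameter; on a domain-joined computer the exported rights already reflect any domain GPO that overrides the local policy.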