When connecting over RDP to a Windows desktop computer or to a Windows Server host running Remote Desktop Services (RDS), you may encounter the error:
To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually.
If Network Level Authentication (NLA) is also enabled for RDP on the remote computer, the same problem shows up as a different error:
Remote Desktop Connection
The connection was denied because the user account is not authorized for remote login.
How can you remotely connect to the desktop of such a computer (the error screenshot was taken on Windows 10)?
By default, Windows allows a remote interactive (RDP) logon through Remote Desktop Services (the TermService service) when:
- The user account is a member of the local Remote Desktop Users or Administrators group;
- That group (or the account itself) is listed in the Allow log on through Remote Desktop Services user right in the local security policy (both groups are listed there by default), and neither the account nor any group it belongs to is listed in the Deny log on through Remote Desktop Services right.
Add User to Remote Desktop Users Group
By default, the right to log on through Remote Desktop is granted to the local Administrators group, so first check whether the account you connect with is a member of that group. You can do this on the computer with the Local Users and Groups MMC snap-in (lusrmgr.msc).
In the Local Users and Groups console, go to the Groups section, select the Administrators group, and check if your account is in this list.
A regular (non-administrator) user can also connect to a computer via RDP if their account is added to the local Remote Desktop Users group (members of this group are granted the right to log on remotely).
Use the lusrmgr.msc snap-in as described above to check if your account is a member of the Remote Desktop Users group.
If you have administrator privileges on this computer, you can add a user account to this group by clicking the Add button. Enter the name of the user or security group and click OK twice to save the changes.
The user then has the right to log on through Remote Desktop but does not get local administrator privileges on the computer.
You can list the local groups a user is a direct member of with the command:
net user bjackson | find "Local Group Memberships"
In the screenshot, the first user is a member only of the local Users group, while the second belongs to two local groups: Administrators and Remote Desktop Users.
Note that the /DOMAIN switch sends the query to a domain controller, so the Local Group Memberships line it returns lists the domain local groups in Active Directory that the account belongs to, not the groups on the computer you are connecting to:
net user bjackson /DOMAIN | find "Local Group Memberships"
To check whether a domain account is a member of a local group on a remote computer (OfPCN21 here), list the members of that group on the remote computer with Invoke-Command over PowerShell Remoting:
Invoke-Command -ComputerName OfPCN21 -ScriptBlock { net localgroup "Remote Desktop Users" }
You can add a user to the local group:
- Using PowerShell:
Add-LocalGroupMember -Group "Remote Desktop Users" -Member bjackson
- using the net localgroup command:
net localgroup "Remote Desktop Users" corp\bjackson /add
- Or using a GPO that adds users to the Remote Desktop Users group.
Once the user is in the group, the group's SID is included in the user's access token at the next logon, so the user gets the SeRemoteInteractiveLogonRight held by Remote Desktop Users and can connect via RDP. An existing session does not pick the change up; the user has to sign in again.
Group Policy: Allow Log on Through Remote Desktop Services
You can also allow users to connect through Remote Desktop Services using the Local Group Policy Editor:
- Run the gpedit.msc console and go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment;
- Find the policy named Allow log on through Remote Desktop Services;
Tip. If this policy contains only the Administrators group, your administrator has removed the local Remote Desktop Users group from it, which is why members of that group are denied RDP access;
- Click the Add User or Group button and add the users or groups that should be allowed to log on via RDP;
- Save the changes and refresh the computer's policies with the gpupdate command:
gpupdate /force
Tip. With this policy you can grant RDP access to domain controllers to support staff or other users without making them domain admins. This also works when the Remote Desktop Services role is installed on a domain controller (which is not recommended) and you want non-admin users to connect to it via RDP/RemoteApp. On domain controllers this right is defined by the Default Domain Controllers Policy (Administrators only by default), so change it in that GPO rather than in the local policy, which the domain GPO would otherwise overwrite.
Also check, in the same User Rights Assignment section of the policy editor, that your account is not listed in the Deny log on through Remote Desktop Services policy.
If a user is in both policies at once, whether directly or through a group, they will not be able to connect via RDP, because the Deny right takes precedence over the Allow right.
If the computer is joined to an AD domain, these settings can be overridden by domain Group Policy. You can see the resulting policy with the rsop.msc snap-in or the gpresult command.
To check the GPO settings applied from the domain, open an elevated command prompt and run:
GPResult /h c:\gp_report.html /f
Open gp_report.html in a browser and check the values of the Allow log on through Remote Desktop Services and Deny log on through Remote Desktop Services policies, together with the winning GPO the report lists for each of them.
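To check both conditions from the two sections above in one pass (membership in the Remote Desktop Users or Administrators group, and the Allow/Deny log on through Remote Desktop Services user rights, with Deny taking precedence), here is an added PowerShell script; it is not code from the original article. It assumes an elevated Windows PowerShell 5.1 or later session on the computer you are connecting to, reads the user rights currently in effect with secedit, and resolves local group membership with Get-LocalGroupMember. The script name Test-RdpLogonRight.ps1 and the account corp\bjackson are placeholders.

```powershell
# Added example (not code from the original article): report whether an account can sign in
# through Remote Desktop Services on this computer, by combining the Allow/Deny user rights
# currently in effect with local group membership. Assumptions: Windows PowerShell 5.1 or
# later in an elevated session on the computer being connected to; the account name is a
# placeholder. Usage: .\Test-RdpLogonRight.ps1 -Account corp\bjackson
param(
    [Parameter(Mandatory = $true)][string]$Account   # 'corp\bjackson' or a local user name
)

function ConvertTo-Sid([string]$Name) {
    # DOMAIN\name or plain name -> SID string (needs a reachable DC for domain accounts)
    (New-Object System.Security.Principal.NTAccount($Name)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function ConvertTo-Name([string]$Sid) {
    # SID string -> DOMAIN\name; keep the raw SID if it no longer resolves (deleted account)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# 1. Export the user rights in effect (local policy plus anything applied by domain GPOs).
#    secedit writes one line per right, e.g. SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
#    where '*' prefixes a SID; entries without '*' are account names.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $name  = $Matches[1]
        $value = $Matches[2]
        $rights[$name] = @($value -split ',' | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) { $entry.Substring(1) } elseif ($entry) { ConvertTo-Sid $entry }
        })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
# A right that nobody holds (often the Deny right) is simply absent from the export.
$allowSids = @($rights['SeRemoteInteractiveLogonRight']     | Where-Object { $_ })
$denySids  = @($rights['SeDenyRemoteInteractiveLogonRight'] | Where-Object { $_ })

# 2. Approximate the SIDs the account would carry in its logon token on this computer:
#    its own SID, the implicit Everyone and Authenticated Users groups, and every local group
#    that lists it as a direct member. Nested domain groups are not expanded here, so a domain
#    group granted the right only matches when $Account is that group itself.
$userSid = ConvertTo-Sid $Account
$token = @($userSid, 'S-1-1-0', 'S-1-5-11')
foreach ($group in Get-LocalGroup) {
    # SilentlyContinue: Get-LocalGroupMember fails on groups that hold orphaned (unresolvable) SIDs
    $members = @(Get-LocalGroupMember -Group $group.Name -ErrorAction SilentlyContinue)
    if ($members | Where-Object { $_.SID.Value -eq $userSid }) {
        $token += $group.SID.Value
    }
}

# 3. The logon succeeds only if some token SID holds the Allow right and none holds the Deny
#    right: Deny takes precedence over Allow.
$grantedBy = @($token | Where-Object { $allowSids -contains $_ } | ForEach-Object { ConvertTo-Name $_ })
$deniedBy  = @($token | Where-Object { $denySids  -contains $_ } | ForEach-Object { ConvertTo-Name $_ })

[pscustomobject]@{
    Account        = $Account
    Computer       = $env:COMPUTERNAME
    GrantedBy      = ($grantedBy -join ', ')
    DeniedBy       = ($deniedBy  -join ', ')
    CanLogonViaRdp = ($grantedBy.Count -gt 0 -and $deniedBy.Count -eq 0)
}
```

If the result shows CanLogonViaRdp = False with an empty GrantedBy, the quickest fix on a workstation is Add-LocalGroupMember -Group "Remote Desktop Users" -Member corp\bjackson, as described above; if DeniedBy is non-empty, the account (or one of its groups) has to be removed from the Deny policy first, since no Allow entry can override it. For domain-joined machines, compare GrantedBy and DeniedBy with the winning GPOs in the gpresult report, because the next policy refresh will reapply whatever the domain GPO defines.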
Thank you very much for this. After many hours of breaking my head it turned out Deny log on through Remote Desktop Services was the culprit in my case.