When connecting over RDP to a Windows desktop computer or to a Windows Server running Remote Desktop Services (RDS), you may encounter the error:
To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually.
If the NLA (Network Level Authentication) security option is enabled on the remote computer for the RDP protocol, the error looks as follows:
Remote Desktop Connection
The connection was denied because the user account is not authorized for remote login.
You are facing these error messages because the user account you are using to connect to the computer doesn’t have the correct permission to use Remote Desktop.
How can you remotely connect to the desktop of such a computer? (The screenshot of the error was taken on Windows 10.)
By default, Windows security settings allow remote RDP logins through Remote Desktop Services (TermService) when:
- The user account is a member of one of the local groups Remote Desktop Users or Administrators;
- The user's group is allowed to sign in remotely by the local Group Policy setting Allow log on through Remote Desktop Services.
How to Add User to Remote Desktop Users Group in Windows?
By default, members of the local Administrators group can log in remotely to Windows computers through Remote Desktop (RDP must first be enabled in the computer settings, for example with PowerShell). Using the Local Users and Groups MMC console (lusrmgr.msc), you can list the users in the local Administrators group on a computer. Expand the Local Users and Groups > Groups section, double-click the Administrators group, and check whether your account is in this list.
A non-admin user can also connect to a computer via RDP if their account is added to the local Remote Desktop Users group (members of this group are granted permission to sign in remotely).
Use the lusrmgr.msc snap-in as described above to check if your account is a member of the Remote Desktop Users group.
If you have administrator privileges on this computer, you can add a user account to this group by clicking the Add button. Enter the name of the user or Active Directory group and click OK twice to save the changes. This will allow the user to remotely connect to Windows Remote Desktop without granting local administrator privileges on the computer.
Use the following command to list the local groups which the user is a member of:
net user bjackson | find "Local Group Memberships"
This screenshot shows that the first user is a member of the local Users group only, while the second user is a member of two local groups: Administrators and Remote Desktop Users.
If you want to check local group membership for a domain account, add the /DOMAIN parameter:
net user bjackson /DOMAIN | find "Local Group Memberships"
You can get local group membership information from a remote computer (OfPCN21 in this example) using the Invoke-Command PowerShell cmdlet:
Invoke-Command -ComputerName OfPCN21 -ScriptBlock { net user bjackson /DOMAIN | find "Local Group Memberships" }
You can add a user to the local group:
- Using PowerShell:
Add-LocalGroupMember -Group "Remote Desktop Users" -Member bjackson
- Using the net localgroup command:
net localgroup "Remote Desktop Users" /add corp\bjackson
- Or you can add a domain user to the Remote Desktop Users group using GPO.
After adding the user to the group, the user account will be assigned the SeRemoteInteractiveLogonRight right at login, and will be able to connect via RDP.
Try to connect to a Windows computer using an RDP client. If you still cannot connect, you need to check the Group Policy settings on the target computer.
How to Allow Logon Through Remote Desktop Services using GPO?
You can also allow users to remotely connect to Remote Desktop Services using the Local Group Policy Editor:
- Run the gpedit.msc console and go to the section Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment;
- Find the policy named Allow log on through Remote Desktop Services. This security policy determines which groups and users have the right to log on via RDP;
Tip. If this policy contains only the Administrators group, then for some reason your administrator has denied RDP access to the system for the local Remote Desktop Users group.
- Click the Add User and Group button, and add the users or groups that you want to allow to log in via RDP;
- Save changes and update computer policies using the gpupdate command:
gpupdate /force
Tip. Using this policy, you can grant RDP access to domain controllers to technical staff or users without granting them domain admin privileges in the Active Directory domain. This trick will also work if you have installed the Remote Desktop Services role on the AD domain controller (although this is not recommended) and you want to allow non-admin users to connect to it via RDP/RemoteApp.
Note that there is another option in this GPO section: Deny log on through Remote Desktop Services. This policy determines which users and groups are prohibited from logging on as a Remote Desktop Services client. Check that your account is not listed in this policy. If a user is added to both policies at once, either directly or through a group, they won't be able to connect remotely via RDP, because the Deny policy takes priority.
If your account (or one of its groups) is listed there, open the policy settings and remove it.
If your computer is joined to an AD domain, these settings may be overridden by domain Group Policy settings. You can check the resulting GPO settings on your computer using the rsop.msc snap-in or the gpresult command.
If you need to check the applied domain GPO settings, open the elevated command prompt and run the command:
GPResult /h c:\gp_report.html /f
Open the gp_report.html using your favorite browser and check the configured options in the Allow and Deny log on through Remote Desktop Services policies.
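The checks described above (local group membership plus the Allow and Deny log on through Remote Desktop Services rights) combined into a single PowerShell diagnostic, added here as an example that is not part of the original article. The account name CORP\bjackson is a constructed sample; run the script in an elevated prompt on the target computer.

```powershell
# Added diagnostic, not from the original article. Shows why a user may be refused RDP logon
# on the local computer: membership in Remote Desktop Users / Administrators, and the
# Allow / Deny "log on through Remote Desktop Services" rights read from a secedit export.
# Run in an elevated PowerShell prompt (needs PowerShell 5.1+ for Get-LocalGroupMember).
param([string]$Account = "CORP\bjackson")   # constructed sample account, replace with your own

# 1. Local group membership (same data as 'net user <name> | find "Local Group Memberships"').
#    Only direct members are listed; nested domain groups are not expanded here.
$rdpGroups = "Remote Desktop Users", "Administrators"
$membership = foreach ($g in $rdpGroups) {
    $isMember = [bool](Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
                       Where-Object { $_.Name -eq $Account })
    [pscustomobject]@{ Group = $g; IsMember = $isMember }
}

# 2. Effective user rights: secedit writes the [Privilege Rights] section as SID lists,
#    e.g. "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555".
$cfg = Join-Path $env:TEMP "rights.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = Get-Content $cfg | Where-Object { $_ -match '^Se(Deny)?RemoteInteractiveLogonRight' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# Translate the '*S-1-5-...' entries into account names so the report is readable.
function Resolve-RightHolders([string]$line) {
    if (-not $line) { return @() }              # right not configured: nobody listed
    ($line -split '=')[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.TrimStart('*')
        try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }                          # unresolvable SID (e.g. deleted account) is printed raw
    }
}
$allow = Resolve-RightHolders ($rights | Where-Object { $_ -like 'SeRemoteInteractiveLogonRight*' })
$deny  = Resolve-RightHolders ($rights | Where-Object { $_ -like 'SeDenyRemoteInteractiveLogonRight*' })

# 3. Report. As the article notes, Deny wins over Allow.
$membership | Format-Table -AutoSize
"Allow log on through RDS : $($allow -join ', ')"
"Deny  log on through RDS : $($deny  -join ', ')"
if ($deny -contains $Account) { Write-Warning "$Account is explicitly denied RDP logon (Deny policy has priority)." }
```

If the Deny line names a group rather than the account itself, compare that group against the user's memberships from step 1 (or `net user /DOMAIN`) to see whether the denial applies indirectly.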
Allow Remote Desktop Access with RDS Collection
If the error "You need the right to sign in through…" occurs on a Windows Server with the Remote Desktop Services (RDS) role installed, you need to check the RDS session collection settings.
- Open the Server Manager > Remote Desktop Services > Tasks > Edit Deployment Properties;
- Open the Collections section and open the properties of the collection to which the user should connect;
- Go to the User Groups section. This list contains the Active Directory security groups whose members can connect to this host via RDP.
Note. If the access list in this section is empty, add the required groups (preferred) or users manually.
- Open the Active Directory Users and Computers snap-in (dsa.msc), find this group, and add the user to it;
- After that, this user will be able to connect to the Windows Server RDS host via RDP.
You can list the available RDS collections on the host using the PowerShell command:
Get-RDSessionCollection
To list the groups in the collection that are allowed RDP access, run the command:
Get-RDSessionCollectionConfiguration -CollectionName "myRDSCollection1" -UserGroup -ConnectionBroker "rdcb.theitbros.com"
You can add additional security groups to the RDS collection access list like this:
Set-RDSessionCollectionConfiguration -CollectionName "myRDSCollection1" -UserGroup @("THEITBROS\RDS Users","THEITBROS\NY_managers","THEITBROS\NY_IT_dept")
Disable Enhanced Session Mode on Hyper-V
In some cases, you may encounter the error message “To sign in remotely, you need the right to sign in through remote desktop services. By default, …” when connecting to the virtual machine console on hosts with the Hyper-V role.
By default, Enhanced Session Mode is enabled on the Hyper-V hosts. In this mode, a full-screen connection to the virtual machine’s console is made through Remote Desktop Services instead of a native connection via Hyper-V bus.
In order to connect to the VM console without using Remote Desktop, you must disable Enhanced Session Mode.
You can disable Enhanced Session for the current console connection only by turning off “Enhanced Mode” in your VM Connection menu (View > “Enhanced session”).
You can also completely disable Enhanced Session for all VMs on a host through the Hyper-V Manager console.
Or use the PowerShell command:
Set-VMHost -EnableEnhancedSessionMode $false -Passthru
1 comment
Thank you very much for this. After many hours of breaking my head it turned out Deny log on through Remote Desktop Services was the culprit in my case.