When connecting to a Windows computer or server over RDP, you may encounter the following error:
To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually.
How can you remotely connect to the desktop of such a computer (the error shown here was taken from Windows 10)?
As you probably know, by default, the permission to log on remotely via Remote Desktop is available to members of the local Administrators group. The account under which you connect to the computer must be a member of the local Administrators group. You can check this on the computer using the Local Users and Groups MMC console (lusrmgr.msc).
In the Local Users and Groups console, go to the Groups section, select the Administrators group, and check if your account is in this list.
A common user (non-administrator) can also connect to a computer via RDP if their account is added to the local group Remote Desktop Users (members of this group are granted the right to log on remotely).
In the same lusrmgr.msc snap-in, check the members of this group. If you have administrator privileges on this computer, you can add a user account to this group by clicking the Add button. Enter the name of the user or security group and click OK twice to save the changes.
As a result, the user will have permission to log on remotely via Remote Desktop, but won’t have local administrator privileges on the computer.
You can also allow users to remotely connect to Remote Desktop Services using the local group policy editor:
- Run the gpedit.msc console and go to the section Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment;
- Find the policy named Allow log on through Remote Desktop Services and open its properties;
Tip. If this policy only contains the Administrators group, then your administrator, for some reason, has denied access to the system via RDP for the local Remote Desktop Users group.
- Click the Add User and Group button, and add users or groups that you want to allow RDP login;
- Save changes and update computer policies using the gpupdate command:
Tip. Using this policy, you can grant RDP access to domain controllers to technical staff or users without giving them domain admin permissions in the Active Directory domain. This trick will also work if you have installed the Remote Desktop Services role on the AD domain controller (although this is not recommended) and you want to allow ordinary users to connect to it via RDP/RemoteApp.
Also, in the same section of the GPO editor, make sure your account is not specified in the Deny log on through Remote Desktop Services policy. The deny policy has a higher priority than the allow policy.
If your computer is joined to the AD domain, these settings may be overwritten by domain policies. The current GPO settings can be obtained using the rsop.msc snap-in.
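The checks described above (the allow and deny user rights, and the members of the Administrators and Remote Desktop Users groups) can also be done from an elevated PowerShell prompt. The script below is an added example and not part of the original article; the function names `Resolve-Principal` and `Get-RdpLogonRight` and the temporary file name are hypothetical choices made for this illustration.

```powershell
# Added example: list who holds (or is denied) the RDP logon right locally.
# Run elevated: secedit needs administrator rights to export the policy.

function Resolve-Principal {
    param([string]$Entry)
    # secedit writes principals as *S-1-5-... SIDs or, sometimes, plain names
    if ($Entry -match '^\*(S-1-.+)$') {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($Matches[1])
        try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { return $sid.Value }   # orphaned SID: the account no longer exists
    }
    return $Entry
}

function Get-RdpLogonRight {
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    # User-right constants behind the two policies named in the article
    $rights = @{
        SeRemoteInteractiveLogonRight     = 'Allow log on through RDS'
        SeDenyRemoteInteractiveLogonRight = 'Deny log on through RDS'
    }
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'secedit export failed (is the session elevated?)' }
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^(\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
                $policy  = $rights[$Matches[1]]
                $entries = $Matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
                foreach ($entry in $entries) {
                    [pscustomobject]@{ Policy = $policy; Principal = Resolve-Principal $entry }
                }
            }
        }
    }
    finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }
}

# 1. Principals in the allow and deny policies (a right with no entries is not listed)
Get-RdpLogonRight | Sort-Object Policy, Principal | Format-Table -AutoSize

# 2. Members of Administrators (S-1-5-32-544) and Remote Desktop Users (S-1-5-32-555),
#    looked up by well-known SID so the check works on localized Windows builds
foreach ($sid in 'S-1-5-32-544', 'S-1-5-32-555') {
    $group = Get-LocalGroup -SID $sid
    Get-LocalGroupMember -SID $sid |
        Select-Object @{ n = 'Group'; e = { $group.Name } }, Name, ObjectClass, PrincipalSource
}
```

An account can sign in over RDP only if it, or a group it belongs to, appears under the allow policy and neither appears under the deny policy.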