To Sign in Remotely, You Need the Right to Sign in Through Remote Desktop Services

When connecting to a Windows computer or server over RDP, you may encounter this error:

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually.

How can you remotely connect to the desktop of such a computer (the screenshot of the error was taken on Windows 10)?

As you probably know, by default the right to log on remotely via Remote Desktop is granted to members of the local Administrators group, so the account you use to connect to the computer must be a member of that group. You can check this on the computer using the Local Users and Groups MMC console (lusrmgr.msc).

In the Local Users and Groups console, go to the Groups section, select the Administrators group, and check if your account is in this list.

An ordinary (non-administrator) user can also connect to a computer via RDP if their account is added to the local Remote Desktop Users group (members of this group are granted the right to log on remotely).

In the same lusrmgr.msc snap-in, check the members of this group. If you have administrator privileges on this computer, you can add a user account to this group by clicking the Add button. Enter the name of the user or security group and click OK twice to save the changes.

As a result, the user will have permission to log on remotely via Remote Desktop, but won’t have local administrator privileges on the computer.

You can also allow users to remotely connect to Remote Desktop Services using the local group policy editor:

  1. Run the gpedit.msc console and go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment;
  2. Find the policy named Allow log on through Remote Desktop Services and open its properties;
     Note. If this policy contains only the Administrators group, then your administrator, for some reason, has denied access to the system via RDP for the local Remote Desktop Users group.
  3. Click the Add User or Group button, and add the users or groups that you want to allow to log on via RDP;
  4. Save the changes and update the computer policies using the gpupdate command:
     gpupdate /force

Tip. Using this policy, you can grant RDP access to domain controllers to technical staff or users without giving them domain admin permissions in the Active Directory domain. This trick will also work if you have installed the Remote Desktop Services role on the AD domain controller (although this is not recommended) and you want to allow ordinary users to connect to it via RDP/RemoteApp.

Also, in the same section of the GPO editor, make sure your account is not listed in the Deny log on through Remote Desktop Services policy. This policy has a higher priority.

If your computer is joined to the AD domain, these settings may be overwritten by domain policies. The current GPO settings can be obtained using the rsop.msc snap-in.
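
The same checks can be scripted. The following PowerShell is an added example, not code from the original article: it lists who holds the Allow and Deny log on through Remote Desktop Services rights and who is in the two local groups discussed above. It assumes an elevated Windows PowerShell 5.1 session with secedit.exe and the LocalAccounts cmdlets available; the function names and the temp file name are hypothetical.

```powershell
# Added example: audit who may log on through Remote Desktop Services on this computer.
# Run elevated; secedit needs administrator rights to export the security settings.

function Resolve-Principal([string]$Entry) {
    # secedit writes SIDs as "*S-1-5-..." and other entries as plain account names
    $value = $Entry.Trim()
    if (-not $value.StartsWith('*S-1-')) { return $value }
    $sid = [System.Security.Principal.SecurityIdentifier]::new($value.TrimStart('*'))
    try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $sid.Value }   # SID that no longer resolves to an account
}

function Get-UserRight([string[]]$PolicyLines, [string]$RightName) {
    # Lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $line = $PolicyLines | Where-Object { $_ -match "^$RightName\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }   # the right is not assigned to anyone
    ($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Principal $_ }
}

$cfg = Join-Path $env:TEMP 'user_rights_export.inf'   # hypothetical temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg

# Internal names of the two User Rights Assignment policies
$allow = Get-UserRight $policy 'SeRemoteInteractiveLogonRight'
$deny  = Get-UserRight $policy 'SeDenyRemoteInteractiveLogonRight'

'Allow log on through Remote Desktop Services:'
$allow | ForEach-Object { "  $_" }
'Deny log on through Remote Desktop Services (takes priority):'
$deny | ForEach-Object { "  $_" }

# Administrators and Remote Desktop Users, looked up by well-known SID
# so the script also works on localized Windows installations
foreach ($sid in 'S-1-5-32-544', 'S-1-5-32-555') {
    $group = Get-LocalGroup -SID $sid
    "Members of $($group.Name):"
    Get-LocalGroupMember -Group $group |
        ForEach-Object { "  $($_.Name) [$($_.ObjectClass)]" }
}
```

An account can connect only if it, or a group it belongs to, appears in the Allow list and nothing matching it appears in the Deny list.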

I enjoy technology and developing websites. Since 2012 I've been running a few of my own websites, and I share useful content on gadgets, PC administration and website promotion.
Cyril Kardashevsky

One comment

  1. Thank you very much for this. After many hours of breaking my head it turned out Deny log on through Remote Desktop Services was the culprit in my case.
