By default, only the members of the Domain Admins group (more precisely, of the built-in Administrators group on the DC, which contains Domain Admins and Enterprise Admins) can connect to the desktop of an Active Directory domain controller over RDP. In this article we'll show how to grant domain users (non-admin accounts) RDP access to the domain controllers without granting them administrative privileges.
Many of you may quite reasonably ask: why should ordinary domain users have access to the DC desktop at all? Indeed, in small or medium-sized infrastructures maintained by a few administrators with Domain Admins privileges, you will hardly ever need this. However, in large corporate networks maintained by many administrators, it may become necessary to grant RDP access to a DC (usually a branch office DC or an RODC) to different server administration groups, the monitoring team, on-duty administrators, or other technical staff. Also, from time to time third-party services that are not managed by the domain administrators are deployed on a DC, and someone has to maintain them. Keep in mind that interactive logon to a DC is highly privileged access in itself (the DC hosts the domain database and every privilege escalation path found on it affects the whole domain), so keep the group of such users small and audited, and prefer a jump host with the RSAT consoles where the task only needs ADUC or other management tools.
After a server has been promoted to a domain controller, opening the Local Users and Groups console (lusrmgr.msc) on it returns an error:

As you can see, there are no local groups on a domain controller. Instead of the local group Remote Desktop Users, a DC uses the built-in domain group Remote Desktop Users (located in the Builtin container, well-known SID S-1-5-32-555). You can manage this group from the ADUC console (dsa.msc) or from the command prompt on the DC.
Display the members of the domain group Remote Desktop Users on the domain controller:
net localgroup "Remote Desktop Users"
As you can see, it is empty by default. Add the domain user it-pro to it (in our example, it-pro is a standard domain user without administrative privileges):
net localgroup "Remote Desktop Users" /add corp\it-pro
Make sure that the user is added to this group:
net localgroup "Remote Desktop Users"
You can also verify that the user is now a member of the Remote Desktop Users domain group using the ADUC snap-in.
However, after that the user still cannot connect to the DC using Remote Desktop.
The reason is that the ability to log on over RDP is controlled by the user right Allow log on through Remote Desktop Services (SeRemoteInteractiveLogonRight; in Windows Server 2003 and earlier this policy is called Allow log on through Terminal Services). On a member server this right is granted to both Administrators and Remote Desktop Users, but after the server is promoted to a DC only the Administrators group (i.e. the domain administrators) remains in this policy; the Remote Desktop Users group is not listed, so membership in it alone grants nothing.
To allow remote connection to the domain controllers for members of the Remote Desktop Users group you need to perform the following action for each of your DCs:
- Start Local Group Policy Editor (gpedit.msc);
- Go to the section Computer Configuration -> Windows settings -> Security Settings -> Local policies -> User Rights Assignment;
- Find the policy Allow log on through Remote Desktop Services;
- Edit the policy by adding the domain group Remote Desktop Users (in the form domainname\Remote Desktop Users), a specific domain user, or any other domain group (domain\somegroupname) to it;
- Update local policies on the DC using the command
gpupdate /force
Note that the groups you add must not appear in the Deny log on through Remote Desktop Services policy, because an explicit Deny always takes precedence over Allow (see Restricting Network Access under local accounts). Also keep in mind that Allow log on through Remote Desktop Services is a different right from Allow log on locally; for reference, the latter is granted on a domain controller by default to the following groups:
- Backup Operators
- Administrators
- Print Operators
- Server Operators
- Account Operators
It is better to create a new security group in the domain, for example AllowLogonDC, and add the user accounts that need remote access to the DCs to it. If you want to allow access to all AD domain controllers at once, instead of editing the local policy on each DC, add the group to the Default Domain Controllers Policy via the GPMC.msc console (edit the same setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment -> Allow log on through Remote Desktop Services). Be aware that a user right defined in a GPO replaces the whole list on each DC rather than merging with it, so the GPO entry must also contain Administrators (and any other group that must keep RDP access); otherwise the domain admins themselves lose RDP access to the DCs as soon as the policy applies.
After these changes, the specified users and groups will be able to connect to the AD domain controllers over RDP. Try connecting to the DC via RDP under the user account: the user should see the domain controller's desktop. Granting non-administrators the right to start/stop specific services on the DC is a separate task and is not covered here.
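The whole procedure above (create the AllowLogonDC group, add the standard user to it, check that the group is not in the Deny right, and add it to Allow log on through Remote Desktop Services on the DC where the script runs) can be scripted. The following is an added example written for this page, not code from the original article: it assumes the ActiveDirectory PowerShell module available on the DC, the group name AllowLogonDC and the user it-pro from the article, and hypothetical temporary file names under $env:TEMP. Run it elevated on each DC whose local policy you want to change.

```powershell
# Added example, not from the original article. Assumes: ActiveDirectory module,
# group name AllowLogonDC (article's suggestion), sample user it-pro (article's),
# temp file names below are hypothetical. Run elevated on each domain controller.
Import-Module ActiveDirectory

$GroupName = 'AllowLogonDC'
$Members   = @('it-pro')   # constructed sample: standard domain users, no admin rights

# 1. Create the group once (idempotent) and populate it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Non-admin accounts allowed to RDP to domain controllers'
}
Add-ADGroupMember -Identity $GroupName -Members $Members
Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName

# 2. Export the DC's current User Rights Assignment with secedit.
#    secedit writes rights as "SeXxxRight = *SID,*SID".
$inf = Join-Path $env:TEMP 'UserRights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $inf

function Get-Right([string]$Name) {
    # Returns the list of principals (as *SID strings) holding a given right.
    $line = $lines | Where-Object { $_ -like "$Name =*" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

$sid   = '*' + (Get-ADGroup -Identity $GroupName).SID.Value
$allow = @(Get-Right 'SeRemoteInteractiveLogonRight')
$deny  = @(Get-Right 'SeDenyRemoteInteractiveLogonRight')

# 3. An explicit Deny wins over Allow, so refuse to continue if the group is denied.
if ($deny -contains $sid) {
    throw "$GroupName is listed in 'Deny log on through Remote Desktop Services'; remove it there first."
}

# 4. Append the group to the Allow right. The imported list REPLACES the existing
#    one, so the current holders (Administrators etc.) are carried over explicitly.
if ($allow -contains $sid) {
    "$GroupName already holds SeRemoteInteractiveLogonRight on $env:COMPUTERNAME"
} else {
    $newAllow = ($allow + $sid) -join ','
    $patch = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = {0}
'@ -f $newAllow

    $patchFile = Join-Path $env:TEMP 'AllowRdp.inf'
    $patchDb   = Join-Path $env:TEMP 'AllowRdp.sdb'
    Set-Content -Path $patchFile -Value $patch -Encoding Unicode
    secedit /configure /db $patchDb /cfg $patchFile /areas USER_RIGHTS /quiet
    gpupdate /force | Out-Null
    "SeRemoteInteractiveLogonRight on $env:COMPUTERNAME is now: $newAllow"
}
```

The script edits the local security policy only; if the same right is defined in a GPO linked to the Domain Controllers OU (for example the Default Domain Controllers Policy), the GPO value overwrites the local one at the next refresh, and the group has to be added in GPMC instead, together with Administrators.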
18 comments
Hi there.
Went through your post.
I have a Windows 2012 AD with more than 350 active users. What I want to achieve is: I want to create a user group in AD for some users and have it administered by someone other than the server administrator (basically creating/deleting users in that group and resetting their passwords). I want this group administrator to access the server through Remote Desktop, but in AD Users & Computers only his group should be visible to him, not the entire AD.
How can I achieve this?
Kindly advise.
Thanks.
Hi
Quite strange requirements.
Create a separate OU in AD, move the users into it and delegate the necessary permissions to the admin.
Give him permissions locally on the server, not through AD.
Hi guys,
I have a problem on Windows 10 Home edition: I want to use an RDP session but it is not working, I still get the error "the requested session access is denied" after login.
Help me please!
Out of all the articles I researched on how to enable non-admins to RDP into domain controllers (or any other server for that matter), this is the ONLY article that actually works. Thank you very much for posting this.
Thanks for posting this. It’s spot on.
Thanks a lot …
I just want to access a domain server, but I don't have any admin rights; the administrator has blocked almost everything, I cannot even install or uninstall a program. Please help.
I have data, but it is coded in a shell script; I just want to read it, please suggest.
Thank you, this worked a charm.
Thank you!! BCH address?
Welcome! You can donate us via PayPal on http://woshub.com/about/
This is also valuable for reversing the process – i.e. when you inherit a setup where lots of users can RDP to the DCs – this shows you how to stop this happening!
Normally with Remote Desktop on Windows Server 2016, if someone tries to log on and both licenses are in use, the user can disconnect one of the connected users so he can log on. Is there a way to prevent the new user from knocking off a currently connected user?
Much thanks, Bill
Only an administrator can kick off another user's RDP session; you can't disable this feature.
CAUTION!!!!! Don't apply this setting through the Default Domain Controllers Policy, you will be screwed. Once you enable Allow log on through Remote Desktop Services there, the default permissions like Domain Admins are all wiped out and only the added groups will have RDP access to the domain controllers. It's a one-way change, no going back.
THANK YOU!! This post was the answer to my prayers after hours of searching. Thank you, and thank you again.
This is such BAD ADVICE.
There is no reason for ANYONE who is not a domain admin to RDP onto a DC in an enterprise where there are any other admins who are not Domain Admins.
There should be NO third party tools installed on a DC except by the Domain Admin after careful analysis to determine whether they need to be there.
Answer, always, is “no”, except for system monitoring tools.
Some products need to have schema modifications in the domain – e.g. Exchange, Sharepoint, etc. These do not need to be run ON the DC. They need to be run by someone with Schema Admins (and perhaps Enterprise Admins) rights on a domain-joined server in the same site as a DC running the Global Catalog role (preferably the Schema Master).
For other administrators who have been delegated account or computer management rights in the domain, they should use Active Directory Users and Computers (if they need that console) installed preferably on a jump server they can RDP to (or on a workstation, if you must), as well as any other RBAC tools they need for their tasks.
I’m not even going to get into putting management servers on their own networks and configuring firewall rules, but at least don’t let non Domain Admin techs log onto your DCs!
Also, using a GPO to add someone to any of the BUILTIN domain groups is ridiculous. You just add them directly. The point of BUILTIN is that it applies to all DCs (and only DCs, btw).