Posted on June 4, 2015 · Posted in Active Directory

Allow non-administrators RDP Access to Domain Controller

By default, only the members of Domain Admins group have the remote RDP access to the domain controllers. In this article we’ll show how to grant domain users  RDP access to the domain controllers.

Many can quite reasonably object why ordinary domain users should have access to the DC desktop. Indeed, in small or middle size infrastructures, when several administrators with the privileges of domain admins maintain them, you’ll hardly need this. However, in large corporate networks maintained by many administrators, it may become necessary to grant RDP access to the DC for different server administration groups, monitoring team, duty administrators, or other technical specialists. Also, sometimes some third-party services, not managed by the domain administrators, are deployed on the DC, and there’s a need to maintain these services.

Tip. The simultaneous operation of Active Directory Domain Services and Remote Desktop Service (terminal) roles is not supported on a single server. If there is only one physical server, on which both DC and terminal services have to be deployed, you’d better use virtualization, since Microsoft license policy allows to run two virtual servers under one Windows Server 2012 Standard license.

After the server has been promoted to a domain controller, when trying to open Local Users and Groups (lusrmgr.msc) console, it returns the following error:

The computer xxx is a domain controller. This snip-in cannot be used on a domain controller. Domain accounts are managed with the Active Directory Users and Computers snap-in.

The computer xxx is a domain controller. This snip-in cannot be used on a domain controller. Domain accounts are managed with the Active Directory Users and Computers snap-in.

So it feels that there are no local groups on the domain controller. Actually, local groups on the domain controller don’t disappear. They can be managed from the command prompt.

Display the members of the local group Remote Desktop Users on the domain controller:

net localgroup "Remote Desktop Users"

As you can see, it is empty. Add a domain user it-pro to it. (In our example, it-pro is a standard domain user without administrative privileges.)

net localgroup "Remote Desktop Users" /add corp\it-pro

Make sure that the user is added to this group:

net localgroup "Remote Desktop Users"

net localgroup "Remote Desktop Users"

However, after that a user still cannot connect to the DC using Remote Desktop.

you need remote desktop services rights

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default members of the Administrators group have this right. If the group you’re in does not have the right, or  if the right has been removed from the Administrators group, you need to be granted the right manually.

The matter is that the possibility of the RDP connection in Windows is determined by Allow log on through Remote Desktop Services policy (In Windows 2003 or earlier this policy is called Allow log on through terminal services). After the server is promoted to the DC, only the Administrators group is left in this policy.

To allow connection to the domain controllers members of the Remote Desktop Users group you need to:

  • Start local policy editor (gpedit.msc)
  • Go to Computer Configuration -> Windows settings -> Security Settings -> Local policies -> User Rights Assignment
  • Find the policy Allow log on through Remote Desktop Services Allow log on through Remote Desktop Services Policy
  • Edit the policy by adding the local group Remote Desktop Users (like this: dc-name\Remote Desktop Users), a domain user, or a group (like this: domain\somegroupname) to it
  • Run the update of the local policies gpupdate /force

After the changes are made, the users or groups specified above will have the opportunity to connect to the domain controller using RDP.

Previous:
Next:
Related Articles