By default, RDP access to the desktop of Windows Server member servers and Active Directory domain controllers is restricted to members of the local Administrators group (on a domain controller, effectively Domain Admins). In this post, we'll show you how to grant non-admin users RDP access to Windows Server hosts or domain controllers without giving them local admin rights.
By default, Windows lets a remote user open an RDP session through Remote Desktop Services (TermService) only if both of the following hold:
- The user is a member of the local Administrators or Remote Desktop Users group (these two groups hold the connect permission on the RDP-Tcp listener);
- The user, or a group they belong to, is listed in the Allow log on through Remote Desktop Services user right and is not listed in Deny log on through Remote Desktop Services.
To Sign in Remotely, You Need the Right to Sign in Through Remote Desktop Services
Otherwise the user receives the following error when attempting to connect to the Windows Server desktop remotely:
To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right. If the group you're in doesn't have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually.
If Network Level Authentication (NLA) is enabled in the RDP setting on the remote host, another error occurs when connecting:
The connection was denied because the user account is not authorized for remote login.
In this case, you simply need to add the user to the local Remote Desktop Users group to allow them to connect to the Windows Server via RDP:
- Open the Local Users and Groups MMC snap-in (lusrmgr.msc) and go to the Groups section;
- Double-click the Remote Desktop Users group;
- Click Add and enter the name of the user (or group) you want to grant RDP access to;
- The user can now connect to the Windows host via RDP.
It is also possible to add a user to the RDP access group from the command line:
net localgroup "Remote Desktop Users" woshub\testuser /add
or using PowerShell (see the article on managing local users and local groups with PowerShell):
Add-LocalGroupMember -Group "Remote Desktop Users" -Member woshub\testuser
List users in the Remote Desktop Users group:
Get-LocalGroupMember -Group 'Remote Desktop Users'
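The same change is usually needed on more than one server. The PowerShell below is an added example (not code from the original post) that adds a domain group to the local Remote Desktop Users group on a list of member servers, skips hosts where it is already present, and re-reads the group afterwards to confirm. It assumes PowerShell remoting (WinRM) is enabled and that you run it as an administrator of the target hosts; the host names and the group woshub\RDP_Users are hypothetical.

```powershell
# Added example: grant a domain group RDP access on several member servers at once.
# Assumptions: WinRM enabled, caller is a local admin on every target, and the
# principal 'woshub\RDP_Users' exists in AD (hypothetical names).
function Grant-RdpGroupAccess {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Principal    # 'DOMAIN\group' or 'DOMAIN\user'
    )

    # Resolve the principal to a SID once. Comparing SIDs instead of names avoids false
    # mismatches between the 'DOMAIN\name' and 'name@domain' spellings that
    # Get-LocalGroupMember may return.
    $sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    Invoke-Command -ComputerName $ComputerName -ArgumentList $Principal, $sid -ScriptBlock {
        param($Principal, $Sid)
        $group = 'Remote Desktop Users'

        $already = Get-LocalGroupMember -Group $group -ErrorAction Stop |
                   Where-Object { $_.SID.Value -eq $Sid }

        if (-not $already) {
            # Idempotent: only touch the group when the member is missing
            Add-LocalGroupMember -Group $group -Member $Principal -ErrorAction Stop
        }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Principal    = $Principal
            Added        = [bool](-not $already)
            # Re-read the group so the report reflects what is really on the host
            Verified     = [bool](Get-LocalGroupMember -Group $group |
                                  Where-Object { $_.SID.Value -eq $Sid })
        }
    }
}

# Usage (hypothetical hosts); every row should show Verified = True
Grant-RdpGroupAccess -ComputerName 'srv01', 'srv02' -Principal 'woshub\RDP_Users' |
    Format-Table ComputerName, Principal, Added, Verified
```

Adding a domain group rather than individual users keeps later changes in AD only; the local group on each server never needs to be touched again. Remember that membership in Remote Desktop Users only works while that group still holds the Allow log on through Remote Desktop Services right on the host, which a domain GPO can remove.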
By default, Windows Server allows two concurrent Remote Desktop sessions (the "Remote Desktop for Administration" mode), so at most two users can work in their own sessions at the same time, in addition to the console. If you need more concurrent RDP connections, you must install the Remote Desktop Session Host role (a standalone RDSH server or a full RDS farm of several hosts) and purchase and activate RDS client access licenses (RDS CALs) on an RD Licensing server.
In an RDS farm, remote desktop access is granted per session collection. Open Server Manager -> Remote Desktop Services -> Collections, select the collection and choose Tasks -> Edit Properties. The User Groups section lists the security groups allowed to connect to the RDSH hosts in that collection.
Allow RDP Access to Domain Controller for Non-Admin User
If you need to grant a regular (non-admin) user remote access to the desktop of a domain controller, the method described above won’t work.
After the server is promoted to an Active Directory domain controller, you can no longer manage local users and groups from the Computer Management MMC snap-in. When you try to open the Local Users and Groups console (lusrmgr.msc), the following error appears:
The computer xxx is a domain controller. This snap-in cannot be used on a domain controller. Domain accounts are managed with the Active Directory Users and Computers snap-in.
There are no local groups on a domain controller. Instead of the local Remote Desktop Users group, the DC uses the built-in domain group Remote Desktop Users (located in the Builtin container), which you can manage from the ADUC console or from the DC command prompt.
Using this group to grant Remote Desktop access is not recommended, because its membership applies to every DC in the domain. Moreover, on a DC membership alone is not enough: the Default Domain Controllers Policy grants Allow log on through Remote Desktop Services only to Administrators, so a member of Remote Desktop Users is still refused until that right is granted. It is therefore better to grant access through the Allow log on through Remote Desktop Services policy.
In large corporate networks with many employees, it is nevertheless often necessary to give different groups of server administrators, on-duty administrators or other technical staff RDP access to a DC (usually branch DCs or RODCs). There are also cases where third-party services managed by people who are not domain administrators run on a DC and need to be maintained.
How to Allow Log on Through Remote Desktop Services?
To allow a domain user or group to connect to Windows via RDP, you must grant them the SeRemoteInteractiveLogonRight privilege. You can grant this permission using the Allow log on through Remote Desktop Services policy.
To allow members of a domain group to connect to a domain controller, you need to change this policy on the DC:
- Open the Local Group Policy Editor (gpedit.msc);
- Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment;
- Find the policy Allow log on through Remote Desktop Services. Once the server has been promoted to a DC, the only entry left in this policy is Administrators (the DC's built-in Administrators group, which includes Domain Admins and Enterprise Admins);
- Edit the policy and add the domain user or group (for example domain\CA_Server_Admins) to it, keeping Administrators in the list;
- Update the policy settings on the DC with the command:
gpupdate /force
Keep in mind that a GPO linked to the Domain Controllers OU that defines this user right overrides the local setting, and the Default Domain Controllers Policy defines it out of the box. A change made only in gpedit.msc on a DC is therefore replaced with the GPO's list at the next policy refresh, so in practice you will end up editing the domain GPO as described below.
Note that the group you add to Allow log on through Remote Desktop Services must not appear in the Deny log on through Remote Desktop Services policy, because Deny takes precedence (see the article Block remote access under local user accounts). Also, if you restrict the computers a user is allowed to log on to, you must add the server name to the user's account properties in AD (the LogonWorkstations attribute).
- Backup Operators
- Administrators
- Print Operators
- Server Operators
- Account Operators
If you do not do this, you will get an error message when you try to connect to Remote Desktop: The sign-in method you’re trying to use isn’t allowed.
To make things easier, create a new security group in the domain, for example AllowDCLogin, add the accounts that need remote access to the DCs to it, and then add that group to the policy. If access is needed on all domain controllers at once, rather than editing the local policy on each DC, add the group to the Default Domain Controllers Policy (or, better, to a dedicated GPO linked to the Domain Controllers OU) using the Group Policy Management Console (gpmc.msc). Edit the item Allow log on through Remote Desktop Services under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. User rights are not merged across GPOs: the list in the winning GPO replaces every other list, so keep Administrators in it when you edit the setting.
The users you added to the policy will now be able to connect to the AD domain controller’s desktop via RDP.
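Because the right can be set locally, in the Default Domain Controllers Policy or in another GPO, what matters is the effective list on the DC. The PowerShell below is an added example (not code from the original post) that creates the AllowDCLogin group described above, adds a user to it, and then exports the DC's effective User Rights Assignment with secedit to report who holds and who is denied SeRemoteInteractiveLogonRight. The user name testuser is hypothetical; secedit must run in an elevated prompt on the DC (or through Invoke-Command).

```powershell
# Added example: create the AllowDCLogin group and audit the effective RDP logon right on a DC.
# Assumptions: RSAT ActiveDirectory module present, elevated prompt on the DC, 'testuser' exists.
Import-Module ActiveDirectory

$groupName = 'AllowDCLogin'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Non-admin staff allowed to log on to domain controllers via RDP'
}
Add-ADGroupMember -Identity $groupName -Members 'testuser'   # hypothetical account

function Resolve-PolicyPrincipal {
    # secedit writes SIDs as '*S-1-5-...'; translate them to DOMAIN\name where possible
    param([string]$Entry)
    if ($Entry -like '*S-1-*') {
        $sid = [System.Security.Principal.SecurityIdentifier]$Entry.TrimStart('*')
        try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { return $sid.Value }          # orphaned SID: keep it visible rather than drop it
    }
    return $Entry
}

function Get-RdpLogonRight {
    # Export the *effective* User Rights Assignment of this host (local policy after GPO
    # processing) and return the allow and deny lists for Remote Desktop logon.
    $inf = Join-Path $env:TEMP ('ura_{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name = $matches[1]; $list = $matches[2]
            $rights[$name] = @($list -split ',' |
                ForEach-Object { Resolve-PolicyPrincipal $_.Trim() } |
                Where-Object { $_ })
        }
    }
    Remove-Item -Path $inf -Force
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Allowed      = $rights['SeRemoteInteractiveLogonRight']
        Denied       = $rights['SeDenyRemoteInteractiveLogonRight']   # $null if not defined
    }
}

function Test-RdpLogonRight {
    # A principal can log on via RDP only if it is in the allow list and not in the deny list.
    # Only direct entries are checked; nested group membership is not expanded here.
    param([Parameter(Mandatory)][string]$Principal)
    $r = Get-RdpLogonRight
    [pscustomobject]@{
        Principal   = $Principal
        Allowed     = [bool]($r.Allowed | Where-Object { $_ -eq $Principal })
        Denied      = [bool]($r.Denied  | Where-Object { $_ -eq $Principal })
        AllowedList = $r.Allowed -join ', '
        DeniedList  = $r.Denied  -join ', '
    }
}

Test-RdpLogonRight -Principal "$env:USERDOMAIN\$groupName" | Format-List
```

Run the check once before the GPO change and once after gpupdate /force: if the group shows up as allowed locally but disappears after the refresh, a domain GPO is overwriting the setting and that is where the group has to be added.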
The Requested RDP Session Access is Denied
In some cases, you may receive the following error when you use RDP to connect to a Windows Server domain member host or domain controller:
The requested session access is denied.
When you connect to the DC with a non-administrator account, the usual causes are:
- You are trying to connect to the server console session (mstsc /admin). This mode is allowed only for administrators; connect with the mstsc.exe client in normal RDP mode (without the /admin option);
- Two RDP sessions are already in use on the host (by default, no more than two concurrent RDP sessions can connect to a Windows Server without the RDS role; disconnected sessions still occupy a slot). You can list the sessions and logged-on users on the remote computer with the command:
qwinsta /server:dc01
You cannot end other users' sessions without administrator permissions, so you must wait for an administrator to release or end a session;
- The connection uses Restricted Admin mode (mstsc /restrictedAdmin), which is allowed only for administrators of the remote host, or Windows Defender Remote Credential Guard is enforced on the Windows Server host.
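The qwinsta output is a fixed-width text table, which is awkward to check from a script. The PowerShell below is an added example (not code from the original post) that parses that table into objects and applies the two-session rule, so a helpdesk script can tell whether a host is already full, and why, before a user tries to connect. The sample output is constructed for the example and the user names in it are hypothetical; on a real network replace it with the output of qwinsta /server:<host>.

```powershell
# Added example: parse qwinsta output and check the two-session limit of a host without the RDS role.
function ConvertFrom-Qwinsta {
    param([Parameter(Mandatory)][string[]]$Lines)

    $header = $Lines | Where-Object { $_ -match '^\s*SESSIONNAME' } | Select-Object -First 1
    if (-not $header) { throw 'No qwinsta header line found in input' }
    # Column offsets are taken from the header itself rather than hard-coded
    $user  = $header.IndexOf('USERNAME')
    $state = $header.IndexOf('STATE')
    $type  = $header.IndexOf('TYPE')

    foreach ($line in $Lines) {
        if ($line -eq $header -or -not $line.Trim()) { continue }
        $l = $line.PadRight($header.Length)
        # USERNAME is left-aligned and ID right-aligned inside one span; split them with a
        # regex so a wide ID (the 65536 listener) that overflows leftwards still parses
        $mid = $l.Substring($user, $state - $user)
        if ($mid -match '^\s*(.*?)\s*(\d+)\s*$') {
            [pscustomobject]@{
                SessionName = $l.Substring(0, $user).TrimStart('>').Trim()  # '>' marks the caller's session
                UserName    = $matches[1]
                Id          = [int]$matches[2]
                State       = $l.Substring($state, $type - $state).Trim()
            }
        }
    }
}

function Test-RdpSessionLimit {
    param([Parameter(Mandatory)][string[]]$Lines, [int]$Limit = 2)
    $sessions = ConvertFrom-Qwinsta -Lines $Lines
    # Every session that has a user and is not the console occupies one of the slots,
    # including sessions in the Disc (disconnected) state. The services session and the
    # rdp-tcp listener have no user and do not count.
    $used = @($sessions | Where-Object { $_.UserName -and $_.SessionName -ne 'console' })
    [pscustomobject]@{
        UsedSlots    = $used.Count
        Limit        = $Limit
        LimitReached = ($used.Count -ge $Limit)
        Users        = ($used | ForEach-Object { '{0} ({1})' -f $_.UserName, $_.State }) -join ', '
    }
}

# Constructed sample of qwinsta output (hypothetical users). For a live host use:
#   $lines = qwinsta /server:dc01
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
 rdp-tcp#3         administrator             2  Active  rdpwd
                   testuser                  3  Disc
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"

Test-RdpSessionLimit -Lines $sample
```

With the constructed sample, one active session and one disconnected session together take both slots, so the check reports the limit as reached; the disconnected testuser session is the one an administrator would have to log off (or the user reconnect to) before a third person can get in.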