Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Group Policies / Allow Non-admin Users RDP Access to Windows Server

May 22, 2023 Active DirectoryGroup PoliciesWindows Server 2016Windows Server 2019

Allow Non-admin Users RDP Access to Windows Server

By default, the RDP access to the desktop of Windows Server member servers or Active Directory domain controllers are restricted to users added to the local Administrators or Domain Admins groups. In this post, we’ll show you how to grant non-admin users RDP access to Windows Server hosts or domain controllers without assigning them local admin rights.

Contents:
  • To Sign in Remotely, You Need the Right to Sign in Through Remote Desktop Services
  • Allow RDP Access to Domain Controller for Non-Admin User
  • How to Allow Log on Through Remote Desktop Services?
  • The Requested RDP Session Access is Denied

By default, Windows security settings allow a remote user to make RDP connections through Remote Desktop Services (TermService) if:

  • The user is a member of the local Administrators or Remote Desktop Users group;
  • The local Allow the log on through Remote Desktop Services policy allows the user to connect.

To Sign in Remotely, You Need the Right to Sign in Through Remote Desktop Services

The user receives an error when attempting to remotely connect to the Windows Server desktop:

To sign in remotely, you need the right to sign in Remote Desktop Services. By default only members of the Administrators group have this right. If the group you’re in doesn’t have this right, or if the right has been removed from Administrators group, you need to be granted this right manually.

To sign in remotely, you need the right to sign in Remote Desktop Services

If Network Level Authentication (NLA) is enabled in the RDP setting on the remote host, another error occurs when connecting:

The connection was denied because the user account is not authorized for remote login.

The connection was denied because the user account is not authorized

In this case, you simply need to add the user to the local Remote Desktop Users group to allow them to connect to Windows Server via RDP:

  1. Open the Local Users and Groups MMC snap-in (lusrmgr.msc) and navigate to the Groups section;
  2. Double-click the Remote Desktop Users group;
  3. Click the Add button and enter the name of the user (or group) you want to grant RDP access to;add user to local remote desktop users group
  4. Users can then connect to the Windows host via RDP.

It is also possible to add a user to an RDP access group from the command line:

net localgroup "Remote Desktop Users" /add woshub\testuser

or using PowerShell (Learn more about how to manage local users and local groups with PowerShell).

Add-LocalGroupMember -Group "Remote Desktop Users" -Member testuser

List users in the Remote Desktop Users group:

Get-LocalGroupMember -Group 'Remote Desktop Users'

powershell - list remote desktop users group membership

Similarly, you can grant users RDP access to Windows 10 or 11 workstations (don’t forget to enable RDP on these devices.).

By default, Windows Server allows two concurrent Remote Desktop sessions. This means that two users can work simultaneously in their own Remote Desktop sessions. If you need more concurrent RDP connections, you will need to purchase and activate licenses (RDP CALs) on the RDS License Server and install the Remote Desktop Services role (this can be a standalone RDSH server or a full RDS farm consisting of several hosts).

You can use RDS Collections to provide remote desktop access in an RDS farm. Open Server Manager -> Remote Desktop Services –> Tasks -> Edit Deployment Properties.

Open the collection and the User Group section will list the security group allowed to connect to the RDSH hosts in that collection.

RDS collection - grant access to RDSH

Allow RDP Access to Domain Controller for Non-Admin User

If you need to grant a regular (non-admin) user remote access to the desktop of a domain controller, the method described above won’t work.

After the server role is promoted to an Active Directory domain controller, you cannot manage local users and groups from the Computer Management MMC snap-in. When you try to open the Local Users and Groups console (lusrmgr.msc), the following error appears:

The computer xxx is a domain controller. This snip-in cannot be used on a domain controller. Domain accounts are managed with the Active Directory Users and Computers snap-in.

The computer xxx is a domain controller. This snip-in cannot be used on a domain controller. Domain accounts are managed with the Active Directory Users and Computers snap-in.

As you can see, there are no local groups on the domain controller. Instead of the local group Remote Desktop Users, the DC uses the built-in domain group Remote Desktop Users (located in the Builtin container). You can manage this group from the ADUC console or the DC command prompt.

domain builtin group Remote Desktop Users

However, it is not recommended to use this group to grant Remote Desktop access as this will give the user access to all DCs in the domain. In this case, it is better to grant permissions using the Allow log on through Remote Desktop Services policy.

Many might reasonably ask why non-administrators need remote access to the DC desktop. Indeed, in small and medium-sized infrastructures, where the entire infrastructure is managed by several administrators with domain admin permissions, this is unlikely to be necessary. In most cases, it is sufficient to delegate some administrative permissions in Active Directory or use PowerShell Just Enough Administration (JEA).

However, in large corporate networks with a large number of employees, it is often necessary to provide RDP access to the DC (Usually to branch DCs or RODCs) for different groups of server administrators, on-duty administrators, or other technical staff. There are also situations where third-party services managed by non-domain administrators are deployed on the DC, and there’s a need to maintain these services.

How to Allow Log on Through Remote Desktop Services?

To allow a domain user or group to remotely connect to Windows via RDP, you must grant them the SeRemoteInteractiveLogonRight privilege. You can grant this permission using the Allow log on through Remote Desktop Services policy.

The policy is called Allow log on through terminal services in Windows Server 2003 and earlier.

To allow remote connection to the domain controllers for members of the Remote Desktop Users group you need to change the settings of this policy on your domain controller:

  1. Open the Local Group Policy Editor (gpedit.msc);
  2. Go to the GPO section Computer Configuration -> Windows settings -> Security Settings -> Local policies -> User Rights Assignment;
  3. Find the policy Allow log on through Remote Desktop Services;
    Once the server has been promoted to a DC, the only group that remains in this local policy is the Administrators group (these are Domain Admins).
  4. Edit the policy and add the domain user or group directly (domain\CA_Server_Admins) to it;group policy: Allow log on through Remote Desktop Services
  5. Update the Local Group Policy settings on the DC using the command: : gpupdate /force

Note that the group that you added to the Allow log on through Remote Desktop Services policy should not be present in the “Deny log on through Remote Desktop Services” policy because it has a higher priority (check the article Block remote access under local user accounts). Also, if you restrict the list of computers that users can log on to, you must add the server name to the user account properties in AD (LogonWorkstations user attribute).

Note. To allow users to log on to the DC locally (via the server console), their account or group must also be added to the “Allow log on locally” policy. By default, the following built-in domain groups have this permission:

  • Backup Operators
  • Administrators
  • Print Operators
  • Server Operators
  • Account Operators

If you do not do this, you will get an error message when you try to connect to Remote Desktop: The sign-in method you’re trying to use isn’t allowed.

To make things easier, you can create a new security group in the domain, for example AllowDCLogin. Next, add the accounts that need to be allowed to remotely access the DC to the policy. If you need to allow access to all AD domain controllers at once, rather than editing the local policy on each DC, it’s better to add the user group to the Default Domain Controllers Policy using the Group Policy Management Console (GPMC.msc). Edit the policy item Allow log on through Remote Desktop Services under the section  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

Warning. If you change the Default Domain Controllers Policy, don’t forget to add the Domain/Enterprise Admins group to the policy Allow log on through Remote Desktop Services, otherwise, they will lose remote access to the DCs.

default domain controller policy: allow logon over rdp

The users you added to the policy will now be able to connect to the AD domain controller’s desktop via RDP.

If you need to allow non-admin users to start/stop certain services on a DC, use the following guide.

The Requested RDP Session Access is Denied

In some cases, you may receive the following error when you use RDP to connect to a Windows Server domain member host or domain controller:

The requested session access is denied.

the requested rdp session access is denied

The following problems may occur if you connect to the DC using a non-administrator account:

  • You are trying to connect to the server console (using the mstsc /admin mode). This connection mode is only allowed for administrators. Attempt to connect to the server with the mstsc.exe client in normal RDP mode (without /admin option);
  • It is possible that there are already two active RDP sessions on the host (By default, no more than two concurrent RDP sessions can connect to a Windows Server without an RDS role deployed). You can get the list of active sessions and logged-on users on the remote computer by using the command:
    qwinsta /server:dc01
    You cannot end other users’ sessions without administrator permissions. You must wait for administrators to release or end a session;
  • Restricted Admin mode or Windows Defender Remote Credential Guard is enabled on the Windows Server host

24 comments
5
Facebook Twitter Google + Pinterest
previous post
How to Create, Change, and Remove Local Users or Groups with PowerShell?
next post
Enable Single Sign-On (SSO) Authentication on RDS Windows Server

Related Reading

Recovering Files from BitLocker Encrypted Drive

June 1, 2023

Microsoft Key Management Service (KMS) Volume Activation FAQs

May 31, 2023

Configuring Event Viewer Log Size on Windows

May 24, 2023

How to Detect Who Changed the File/Folder NTFS...

May 24, 2023

Enable Single Sign-On (SSO) Authentication on RDS Windows...

May 23, 2023

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Recovering Files from BitLocker Encrypted Drive

    June 1, 2023
  • Microsoft Key Management Service (KMS) Volume Activation FAQs

    May 31, 2023
  • Configuring Event Viewer Log Size on Windows

    May 24, 2023
  • How to Detect Who Changed the File/Folder NTFS Permissions on Windows?

    May 24, 2023
  • Enable Single Sign-On (SSO) Authentication on RDS Windows Server

    May 23, 2023
  • Allow Non-admin Users RDP Access to Windows Server

    May 22, 2023
  • How to Create, Change, and Remove Local Users or Groups with PowerShell?

    May 17, 2023
  • Fix: BSOD Error 0x0000007B (INACCESSABLE_BOOT_DEVICE) on Windows

    May 16, 2023
  • View Success and Failed Local Logon Attempts on Windows

    May 2, 2023
  • Fix: “Something Went Wrong” Error When Installing Teams

    May 2, 2023

Follow us

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Configure Google Chrome Settings with Group Policy
  • How to Find the Source of Account Lockouts in Active Directory?
  • Get-ADComputer: Find Computer Properties in Active Directory with PowerShell
  • How to Disable or Enable USB Drives in Windows using Group Policy?
  • How to Automatically Fill the Computer Description in Active Directory?
  • Adding Domain Users to the Local Administrators Group in Windows
  • How to Disable NTLM Authentication in Windows Domain?
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top