
October 6, 2020 | Active Directory, Group Policies, Windows Server 2012 R2, Windows Server 2016

Allow RDP Access to Domain Controller for Non-admin Users

By default, only members of the Domain Admins group have remote RDP access to the desktop of Active Directory domain controllers. In this article we'll show how to grant RDP access to domain controllers to non-admin user accounts without granting them administrative privileges.

Many of you may quite reasonably ask: why should ordinary domain users have access to the DC desktop at all? Indeed, in small and medium-sized infrastructures maintained by a few administrators with Domain Admins privileges, you will hardly ever need this. In most cases, delegating specific administrative permissions in Active Directory or using PowerShell Just Enough Administration (JEA) is sufficient.

However, in large corporate networks maintained by many administrators, it may become necessary to grant RDP access to a DC (usually a branch office DC or an RODC) to various server admin groups, the monitoring team, on-duty administrators, or other technical staff. Also, from time to time third-party services that are not managed by the domain administrators are deployed on a DC, and someone has to maintain them.

Contents:
  • To Sign in Remotely, You Need the Rights to Sign in through Remote Desktop Services
  • Group Policy: Allow Log on through Remote Desktop Services
  • The Requested RDP Session Access is Denied

Tip. Microsoft doesn't recommend installing the Active Directory Domain Services and Remote Desktop Services (terminal server) roles on a single server. If you have only one physical server on which you want to deploy both a DC and RDS, it is better to use virtualization, since Microsoft's virtualization licensing policy allows you to run two virtual servers under the same Windows Server Standard license.

To Sign in Remotely, You Need the Rights to Sign in through Remote Desktop Services

After the server has been promoted to a domain controller, you can no longer manage local users and groups from the Computer Management MMC snap-in. When you try to open the Local Users and Groups (lusrmgr.msc) console, the following error appears:

The computer xxx is a domain controller. This snap-in cannot be used on a domain controller. Domain accounts are managed with the Active Directory Users and Computers snap-in.

As you can see, there are no local groups on the domain controller. Instead of the local group Remote Desktop Users, the DC uses the built-in domain group Remote Desktop Users (located in the Builtin container). You can manage this group from the ADUC console or from the command prompt on the DC.

Display the members of the domain group Remote Desktop Users on the domain controller using the command:

net localgroup "Remote Desktop Users"

As you can see, it is empty. Add a domain user it-pro to it (in our example, it-pro is a regular domain user without administrative privileges):

net localgroup "Remote Desktop Users" /add corp\it-pro

Make sure that the user is added to this group:

net localgroup "Remote Desktop Users"

You can also verify that the user is now a member of the Remote Desktop Users domain group using the ADUC (dsa.msc) snap-in.

However, even after that, the user still cannot connect to the DC via Remote Desktop and gets the error:

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default members of the Administrators group have this right. If the group you’re in does not have the right, or if the right has been removed from the Administrators group, you need to be granted the right manually.


Group Policy: Allow Log on through Remote Desktop Services

To allow a domain user or group to connect to Windows via RDP, you must grant it the SeRemoteInteractiveLogonRight privilege. By default, only members of the Administrators group have this right. You can grant this right using the Allow log on through Remote Desktop Services policy.

In Windows 2003 and older this policy is called Allow log on through terminal services.

To allow remote connection to the domain controllers for members of the Remote Desktop Users group you need to change the settings of this policy on your domain controller:

  1. Launch the Local Group Policy Editor (gpedit.msc);
  2. Go to the GPO section Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment;
  3. Find the policy Allow log on through Remote Desktop Services;
    After the server is promoted to a DC, only the Administrators group (on a DC, effectively the Domain Admins) remains in this local policy.
  4. Edit the policy and add to it the domain group Remote Desktop Users (in the form domainname\Remote Desktop Users), a specific domain user, or another group (for example, domain\CA_Server_Admins);
  5. Update the Local Group Policy settings on the DC using the command: gpupdate /force

Note that the group you added to the Allow log on through Remote Desktop Services policy must not also be present in the "Deny log on through Remote Desktop Services" policy, because the deny policy takes precedence (see the article Restricting Network Access under local accounts). In addition, if you restrict the list of computers a user may log on to, you need to add the DC name to the properties of the AD account (the LogonWorkstations user attribute).

Note. To allow a user to log on to the DC locally (via the server console), you must add the account or group to the policy “Allow log on locally”. By default, this permission is allowed for the following domain groups:

  • Backup Operators
  • Administrators
  • Print Operators
  • Server Operators
  • Account Operators

It is better to create a new security group in the domain, for example AllowLogonDC, and add to it the user accounts that need remote access to the DC. If you want to allow access to all AD domain controllers at once, instead of editing the Local Policy on each DC it is better to add the user group to the Default Domain Controllers Policy using the GPMC.msc console (change the policy setting in the same section: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment -> Allow log on through Remote Desktop Services).

Warning. If you change the Default Domain Controllers Policy, don’t forget to add the domain/enterprise administrator groups to the policy Allow log on through Remote Desktop Services, otherwise they will lose remote access to the DCs.
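The two pitfalls above (the group also appearing in the Deny policy, and Administrators being dropped from the Allow policy when the GPO is edited) are easy to check after a gpupdate. The following PowerShell audit script is an added example, not part of the original article: it exports the effective user rights on the DC with secedit, resolves the SIDs, warns on both conditions, and lists the members of the Builtin Remote Desktop Users group. It assumes an elevated session on the DC with the ActiveDirectory RSAT module; $GroupToCheck is an assumed parameter name.

```powershell
# Added example: audit RDP logon rights effective on this DC (not the article's code).
# Run elevated on the domain controller. Requires the ActiveDirectory module.
param(
    # Group you granted the right to, e.g. 'CORP\AllowLogonDC' (assumed name).
    [string]$GroupToCheck = 'BUILTIN\Remote Desktop Users'
)

Import-Module ActiveDirectory

# 1. Export only the User Rights Assignment area of the local security policy.
$inf = Join-Path $env:TEMP 'rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# 2. Parse one right from the INF. secedit writes principals as "*S-1-5-..." SIDs
#    (or plain names), comma separated, e.g. SeRemoteInteractiveLogonRight = *S-1-5-32-544
function Get-RightMembers {
    param([string]$Right)
    $line = Select-String -Path $inf -Pattern "^$Right\s*=" | Select-Object -First 1
    if (-not $line) { return @() }               # right not assigned to anyone
    $raw = ($line.Line -split '=', 2)[1].Trim()
    if (-not $raw) { return @() }
    $raw -split ',' | ForEach-Object {
        $p = $_.Trim()
        if ($p.StartsWith('*')) {
            # Translate the SID to DOMAIN\Name; keep the SID if it no longer resolves.
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $p }
        } else { $p }
    }
}

$allow = Get-RightMembers 'SeRemoteInteractiveLogonRight'       # Allow log on through RDS
$deny  = Get-RightMembers 'SeDenyRemoteInteractiveLogonRight'   # Deny log on through RDS

"Allow log on through Remote Desktop Services: $($allow -join '; ')"
"Deny log on through Remote Desktop Services : $($deny  -join '; ')"

# 3. The two conditions the article warns about. -contains is case-insensitive for strings.
if ($allow -notcontains 'BUILTIN\Administrators') {
    Write-Warning 'Administrators is not in the Allow policy: admins may lose RDP access to this DC.'
}
if ($allow -notcontains $GroupToCheck) {
    Write-Warning "$GroupToCheck is not in the Allow policy on this DC (run gpupdate /force?)."
}
if ($deny -contains $GroupToCheck) {
    Write-Warning "$GroupToCheck is also in the Deny policy, which takes precedence: RDP logon will fail."
}

# 4. Who can actually use the right via the domain-wide Builtin group (nested members included).
Get-ADGroupMember -Identity 'Remote Desktop Users' -Recursive |
    Select-Object Name, SamAccountName, objectClass | Format-Table -AutoSize

Remove-Item $inf -ErrorAction SilentlyContinue
```

Run it on each DC (or via a remote session) after changing the Default Domain Controllers Policy; the Allow line must still list BUILTIN\Administrators alongside the group you added.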


Now the users (groups) you added to the policy will be able to connect to the AD domain controllers via RDP.

If you need to grant non-administrator users the permissions to start/stop certain services on a DC, use the following guide.

The Requested RDP Session Access is Denied

In some cases, when connecting via RDP to a domain controller, an error may appear:

The requested session access is denied.


If you are connecting to the DC under a non-admin user account, this could be due to two problems:

  • You are trying to connect to the server console (using the mstsc /admin mode). This connection mode is only allowed for administrators. Try connecting with the mstsc.exe client in normal RDP mode (without the /admin option);
  • The server may already have two active RDP sessions (by default, you can't have more than two simultaneous RDP sessions on Windows Server without the RDS role). You cannot log off other users without administrator permissions, so you need to wait for the administrators to release one of the sessions.

24 comments

Ravi February 1, 2016 - 8:36 am

Hi there.
 
Went through your post.
 
I am having Windows 2012 AD with more than 350 active users. What I want to achieve is: I want to create a user group in AD for some users and have it administered by someone else apart from the server administrator (basically creating/deleting users in that group and resetting their passwords). I want this group administrator to access the server through remote desktop but, in AD Users & Computers, only his group should be visible to him and not the entire AD.
 
How to achieve this?
 
Kindly advise.
 
Thanks.

Reply
admin February 3, 2016 - 6:20 am

Hi
Quite strange requirements

create a user group in AD (basically creating/deleting users in that group and resetting their password.)

Create a separate OU in AD, move the users to it and delegate the necessary permissions to the admin

I want this group administrator to access the server through remote desktop but, in AD users & computers only his group should be visible to him and not the entire AD.

Give him permissions locally on the server, not through AD

Reply
Anon_28 March 4, 2016 - 8:35 am

hi guys,
I have a problem on Windows 10 Home edition: I want to use an RDP session but it is not working, still the error "the requested session access is denied" after login.
help me please!
 

Reply
Benjamin November 9, 2020 - 4:35 pm

Windows 10 Home doesn’t have Remote Desktop Connection.
I would recommend upgrading to the Pro Edition.

Otherwise, there are a few illegal avenues to attempt.

Reply
Adam Hill October 5, 2016 - 1:17 pm

out of all the articles i researched on how to enable non-admins to RDP into domain controllers (or any other server for that matter) …. this is the ONLY article that actually works. Thank you very much for posting this

Reply
Joe November 2, 2016 - 9:36 am

Thanks for posting this. It’s spot on.

Reply
BHAVIK January 4, 2017 - 7:53 pm

Thanks a lot …

Reply
sachin February 1, 2017 - 6:42 am

I just want to access a domain server, but I don't have any admin rights. The administrator has blocked almost everything, I cannot even install or uninstall a program. Please help

Reply
sachin February 1, 2017 - 6:46 am

I have some data but it's coded in a shell script; I just want to read it, please suggest.

Reply
Richard February 7, 2017 - 9:03 am

Thank you, this worked a charm.

Reply
Charlton April 19, 2018 - 7:09 pm

Thank you!! BCH address?

Reply
admin April 20, 2018 - 9:30 am

Welcome! You can donate us via PayPal on https://woshub.com/about/

Reply
Gerry Fahy October 2, 2018 - 2:12 pm

This is also valuable for reversing the process – i.e. when you inherit a setup where lots of users can RDP to the DCs – this shows you how to stop this happening!

Reply
Bill Rosman April 27, 2019 - 6:16 am

Normally with Remote Desktop into Windows Server 2016, if someone tries to log on and both licenses are being used, the user can disconnect one of the connected users so he can log on. Is there a way to prevent the new user from knocking off a currently connected user?
much thanks bill

Reply
admin May 14, 2019 - 1:51 pm

Only an administrator can kick off another user's RDP session; you can't disable this feature.

Reply
SARAVANANK May 24, 2019 - 3:38 pm

CAUTION!!!!! Don't do this setting through the Default Domain Controllers Policy, you will be screwed. Once you enable the Allow log on through Remote Desktop Services setting, the default permissions like Domain Admins are all wiped out and only the added groups might have RDP access to the domain controllers. It's a one-way change, no going back.

Reply
Brian Jabovs May 31, 2019 - 4:03 am

THANK YOU!! This post was the answer to my prayers after hours of searching. Thank you, and thank you again.

Reply
TrixM August 15, 2019 - 2:45 am

This is such BAD ADVICE.
There is no reason for ANYONE who is not a domain admin to RDP onto a DC in an enterprise where there are any other admins who are not Domain Admins.
There should be NO third party tools installed on a DC except by the Domain Admin after careful analysis to determine whether they need to be there.
Answer, always, is “no”, except for system monitoring tools.
Some products need to have schema modifications in the domain – e.g. Exchange, Sharepoint, etc. These do not need to be run ON the DC. They need to be run by someone with Schema Admins (and perhaps Enterprise Admins) rights on a domain-joined server in the same site as a DC running the Global Catalog role (preferably the Schema Master).
For other administrators who have been delegated account or computer management rights in the domain, they should use Active Directory Users and Computers (if they need that console) installed preferably on a jump server they can RDP to (or on a workstation, if you must), as well as any other RBAC tools they need for their tasks.
I’m not even going to get into putting management servers on their own networks and configuring firewall rules, but at least don’t let non Domain Admin techs log onto your DCs!
Also, using a GPO to add someone to any of the BUILTIN domain groups is ridiculous. You just add them directly. The point of BUILTIN is that it applies to all DCs (and only DCs, btw).

Reply
mehdi April 13, 2020 - 11:52 am

tnx -tnx -tnx

Reply
jim b April 30, 2020 - 7:43 am

Tried it on my 2019 Standard server. The users are still removed from Remote Desktop Users after the policy update. The only way I can get users to log in is to make them administrators.
Probably I shouldn’t be using MS Server. It’s a small business, 10 users, I don’t need or care about DC, AD or any other soul sucking MS infrastructure, I just want a simple Windows file-app-remote desktop server.
I also don’t want the overhead of virtualization for this small shop and the idea of 2 servers is ridiculous.

Is there another trick or an update for 2019?

Reply
admin May 7, 2020 - 3:33 pm

I have not tried to do this on Windows Server 2019. In my opinion everything should work as in previous versions of Windows Server.
Have you edited the local policy “Allow log on through Remote Desktop Services” of your server via gpedit.msc?

Reply
Brecht Belmans May 12, 2020 - 12:58 pm

I have the same problem, and yes, I have checked the local policies "Allow log on through Remote Desktop Services" and "Deny log on through Remote Desktop Services", still no success.

Reply
Ramesh December 23, 2021 - 6:32 pm

Can't deny it in that way. In my environment, we need permissions to log in and do disk space and performance checks on the DC, so RDP login on a DC is required. In that case, this article really will help us. But I also have a requirement that a person (non-admin) needs to patch the DC but shouldn't have access to the AD console (dsa.msc). I am looking for a solution.

Reply
MANOJ ANKUSH KADAM July 20, 2022 - 9:50 am

Hi. We have 2 AD servers and a remote location has an RODC server. On the on-site RODC server, after the link (MPLS) went down, the admin RODC user is not able to log in on the server.

Reply