Cannot edit Allow log on through Remote Desktop Services

Allow log on through Remote Desktop Services


Applies to

  • Windows 10

Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting.

30 Replies

· · ·

Michael9006 May 20, 2013 at 16:08 UTC

If I'm following your question correctly, I think you may need to do the following:

1) Set up a group and add those users to it. (We use a group called "Remote Users.")

2) Add your new Remote Users group to the Remote Desktop Users group on your terminal server.

Does that make sense?

0

· · ·

GrayBeard May 20, 2013 at 16:11 UTC

Michael,

I will try your suggestion but I find it odd that I already have a "remote desktop users" group in AD and even though I can add users to that group I still receive the error message like they don't have permission. I have also added each user individually under the "remote settings" tab on the server.

0

· · ·

GrayBeard May 20, 2013 at 16:15 UTC

I still receive the error message "you must be granted the Allow logon through terminal services right".

0

· · ·

Talk Nerdy 2 Me May 20, 2013 at 16:23 UTC

Check these:

Computer management - users properties - Terminal Services Profile - Deny logon to Terminal Server.
If it is domain user, go to AD for user properties and check the same.
Secpol.msc - user rights assignments - allow logon through terminal services.

1

· · ·

Sean Donnelly May 20, 2013 at 16:24 UTC

Check out your Group Policy in this path Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections and Enable "allow users to connect remotely by using Remote Desktop Services".

1

· · ·

GrayBeard May 20, 2013 at 16:32 UTC

Talk Nerdy,

The secpol.msc allow logon option has the list of three users but the option to add users is greyed out. There seems to be another policy at work here.

0

· · ·

Sean Donnelly May 20, 2013 at 16:34 UTC

mrtimyork wrote:

Talk Nerdy,

The secpol.msc allow logon option has the list of three users but the option to add users is greyed out. There seems to be another policy at work here.

That would most likely be Group Policy. Do you have RSAT installed on your PC, which would allow you to access the Group Policy Management Console? If on a domain, I believe this will take precedence and you need to manage it this way. Otherwise, if you do not, you can access it on your domain controller and do as listed above.

0

· · ·

GrayBeard May 20, 2013 at 16:36 UTC

Sean,

I do not see Remote desktop services, only Terminal Services

0

· · ·

GrayBeard May 20, 2013 at 16:41 UTC

Sean,

I was able to set the policy to "enable" and did a gpupdate on the server. Still receiving the same error regarding the allow logon through terminal services right.

0

· · ·

Sean Donnelly May 20, 2013 at 16:41 UTC

That should be it if under Windows 2003 domain

Computer Configuration, Administrative Templates, Windows Components, Terminal Services, double-click the Allow users to connect remotely using Terminal Services = Enabled

0

· · ·

Talk Nerdy 2 Me May 20, 2013 at 16:49 UTC

mrtimyork wrote:

Talk Nerdy,

The secpol.msc allow logon option has the list of three users but the option to add users is greyed out. There seems to be another policy at work here.

Are you on a domain?

0

· · ·

Sean Donnelly May 20, 2013 at 16:52 UTC

Try to do a gpupdate /force to do a background and foreground refresh and then try using RDC to the server.

0

· · ·

GrayBeard May 20, 2013 at 16:55 UTC

yes

0

· · ·

Talk Nerdy 2 Me May 20, 2013 at 17:01 UTC

OK then you need to make these changes at the domain level. Let me be more specific so we know we are in the right place.


Open gpedit.msc

Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> User Rights Management
Look for the setting on the right called Allow log on through Remote Desktop Services
Double click this policy
Add the user/group you would like to have remote access to the box.

Also, keep in mind that users will not be allowed to Remote Desktop to a domain controller. Only Administrators can do this. This is by design. If you need to get around this, I may be able to help you.


You can also control this Local Group by using Group Policy restricted groups feature.

0

· · ·

GrayBeard May 20, 2013 at 17:07 UTC

Talk Nerdy,

I am there but "add user or group" is still greyed out. I see two additional users listed here besides the administrator and I need to add two more.

0

· · ·

Talk Nerdy 2 Me May 20, 2013 at 17:12 UTC

Are you on the domain controller?

0

· · ·

Talk Nerdy 2 Me May 20, 2013 at 17:17 UTC

Run "rsop.msc" on the Terminal Server. Then change the "Allow log through terminal services" settings.

0

· · ·

Semicolon May 20, 2013 at 17:24 UTC

If the option is greyed out it is most likely because a group policy has been applied to the server whereby remote desktop users is a restricted group for which membership can only be controlled in that group policy.

0

· · ·

Talk Nerdy 2 Me May 20, 2013 at 17:27 UTC

Exactly. If you use RSOP.msc the "Precedence" TAB will tell you which policy you need to edit.

1

· · ·

Sean Donnelly May 20, 2013 at 17:29 UTC

Can we check something to see if your policy is being applied on the server? Go into regedit on the affected server and then locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server and then the DWORD value of fDenyTSConnections. To enable, it should be set to 0; to deny, it should be 1. What do you see?

0

· · ·

Talk Nerdy 2 Me May 20, 2013 at 17:29 UTC

It should in most cases be "Default Domain Controllers" policy. This may differ if you have created a custom policy or if you have a dedicated Terminal services server, which is probably best practice but not the most common. Most 2008 networks have the Domain controller configured as the primary services provider for just about every service including Terminal services.

0

· · ·

Talk Nerdy 2 Me May 20, 2013 at 17:32 UTC

SeanMD wrote:

Can we check something to see if your policy is being applied on the server? Go into regedit on the affected server and then locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server and then the DWORD value of fDenyTSConnections. To enable, it should be set to 0; to deny, it should be 1. What do you see?

He hasn't gotten that far yet. He is still unable to add the users he needs to the allow logon policy. This is likely due to attempting to edit the policy on the local machine instead of the terminal server or from a custom GPO instead of the default one for that server.

0

· · ·

Semicolon May 20, 2013 at 17:33 UTC

SeanMD wrote:

Can we check something to see if your policy is being applied on the server? Go into regedit on the affected server and then locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server and then the DWORD value of fDenyTSConnections. To enable, it should be set to 0; to deny, it should be 1. What do you see?

It should be 0 - because he's actually getting a connection; just unable to login.

0

· · ·

Semicolon May 20, 2013 at 17:39 UTC

None of the settings referenced above are going to grey out the "add/remove" function from the local Remote Desktop Users group.

In your group policy management console, you'll want to review the Group Policy Results for the subject server. Review any configured settings in the following area:

Computer Config -> (Policies ->) Windows Settings -> Security Settings -> Restricted Groups

You should see an entry somewhere for "Remote Desktop Users." When you find this setting, you will need to add the appropriate Domain account/groups here, or un-configure the setting so that the Local Add/Remove Users/Groups box is available for selection and you can apply these restrictions on a server-by-server basis.

Additionally, on the server you could go into the local policy on the server in question (gpedit.msc) and manually adjust these settings. (I wouldn't recommend it, just because if it's not in the Domain GPO, somebody's going to forget about this setting.)

Computer Config -> (Policies ->) Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment: "Allow log on through remote desktop (terminal) services," and add the users/groups in this box.

1
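The checks suggested across the replies above (who holds the logon right, who is in Remote Desktop Users, the fDenyTSConnections value, and which GPO sets them) can be gathered in one read-only pass. This is an added example, not code from any poster in the thread; it assumes an elevated Windows PowerShell session on the affected server, and the two scratch file names under %TEMP% are arbitrary.

```powershell
# Added example: read-only diagnostics, run elevated on the affected server.
$inf    = Join-Path $env:TEMP 'user-rights.inf'          # assumed scratch file
$report = Join-Path $env:TEMP 'gpresult-computer.html'   # assumed scratch file

# 1. Export the user rights currently configured on this machine.
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null

function Resolve-Principal([string]$Entry) {
    # secedit writes most principals as *<SID>; plain names are passed through.
    $value = $Entry.Trim()
    if (-not $value.StartsWith('*S-')) { return $value }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($value.TrimStart('*'))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # unresolvable: deleted account or unreachable domain
}

# The "deny" right wins over the "allow" right, so report both.
$rights = @{
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}
foreach ($name in $rights.Keys) {
    $line = Get-Content $inf | Where-Object { $_ -match "^$name\s*=" }
    "{0} ({1}):" -f $rights[$name], $name
    if (-not $line) { '    <not defined>'; continue }
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { '    ' + (Resolve-Principal $_) }
}

# 2. Members of the group that holds the "allow" right by default.
net localgroup 'Remote Desktop Users'

# 3. Is RDP enabled at all? 0 = connections allowed, 1 = denied.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
"fDenyTSConnections = $($ts.fDenyTSConnections)"

# 4. Which GPO wins? In the report, look under Security Settings for
#    User Rights Assignment and Restricted Groups and note the winning GPO.
#    (gpresult /h needs Windows Server 2008 or later; older systems use rsop.msc.)
gpresult /scope computer /h $report /f
"Group Policy report written to $report"
```

If a domain GPO is listed as the source of either setting, local edits on the server are greyed out or overwritten at the next policy refresh, so the change has to be made in that GPO.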


Allow logon through Remote Desktop Services

In most cases, system admins prefer to configure Allow log on through Remote Desktop Services using local policy. This is done using Start > Administrator Tools > Local Security Policy > Local Policies > User Rights Assignment. Edit the policy setting “Allow log on through remote desktop services” and add the user group to allow RDP access.

Allow log on through Remote Desktop Services – This security setting determines which users or groups have permission to log on as a Remote Desktop Services client.

You can also achieve this by creating a new GPO and applying it to the required organizational unit. I prefer using a group policy to editing local policy on domain controllers.

‘Allow log on through Terminal Services Right’ error message

Complete error message: “To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop User group does not have this right, you must be granted this right manually.”

You’ll find several articles on the internet telling you to make the user a member of the Remote Desktop Users group, but that’s not the whole story. Making the user a domain administrator will solve the problem, but you may not want to give the user these permissions!

Here's how we fixed the ‘Allow log on through Terminal Services Right’ error message:

  • Add the user to the Remote Desktop Users group by editing the ‘Member Of’ list in their Active Directory Properties.
    [Screenshot: Active Directory User Properties, Member Of tab]
  • Click Start | Run and execute gpedit.msc (Group Policy Object Editor).
  • Expand Local Computer Policy –> Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> User Rights Management
  • Find the ‘Allow log on through Remote Desktop Services’ right.
    [Screenshot: Group Policy Object Editor, Allow log on through Terminal Services]
  • Double click the policy to edit it, or right click and select Properties.
  • Add the User (or Group) you would like to have remote access into the box.
    [Screenshot: Allow log on through Terminal Services Properties]
  • Click ‘Apply’ followed by ‘Ok’ and the user will now be able to log into Terminal Services.

Hope this all helps! If there’s anything we’ve missed, then please let us know and help other people log in and use Terminal Services.

Note: instructions and screenshots created from a Windows Server 2003 operating system.