Remote Desktop connection permission

    Question

  • Hi,

    I am trying to give domain users permission to connect through Remote Desktop, but I am getting the following error message: "The Connection was denied because the user account is not authorized for remote login".

    The user account has been added to the "Remote Desktop Users" and "Domain Users" groups. I don't want to give any admin privilege.

    Also, I have set the group policy "Allow log on through remote desktop services" to the Remote Desktop Users group.

    So could anybody tell me if I have missed something?


    SDPS

    Friday, April 19, 2013 9:58 AM

Answers

  • OK.

    The user account has been added to the "Remote Desktop Users" and "Domain Users" groups. I don't want to give any admin privilege. Also, I have set the group policy "Allow log on through remote desktop services" to the Remote Desktop Users group.

    'Remote Desktop Users' is a 'Built-in local' 'Security' group, and it is local to individual machines only!

    In Active Directory Users and Computers, when normal domain users are added to that group, it is local to the Domain Controllers; however, users who are part of that group still can't log on to Domain Controllers, since the DDCP (Default Domain Controller Policy) doesn't allow normal users to log on through Remote Desktop Services. Only Domain\Administrators are allowed to log on to the domain controllers by default.

    Now, coming to your scenario, the error you have seen is the expected one.

    To allow normal users to log on to the servers, you need to add the Domain User IDs to the "Local" 'Remote Desktop Users' group on the individual servers/machines!

    Again, if you would like to automate this process, you have a couple of options. You can use either Restricted Groups or Group Policy Preferences to add the desired Domain Users to the Remote Desktop Users group on the machines.

    Creating A Restricted Group

    How to use Group Policy Preferences to Secure Local Administrator Groups  (Replace local administrator with the desired group)

    Hope that helps.


    Regards, Santosh

    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.

    Monday, April 22, 2013 4:40 AM
    Moderator
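
The two conditions discussed in the answer above (membership of each server's local 'Remote Desktop Users' group, and that group holding the "Allow log on through Remote Desktop Services" right) can be checked per server with PowerShell. This is an added example, not part of the original thread; the server names and the domain group `CONTOSO\RDP-AppUsers` are hypothetical, and it assumes PowerShell 5.1 with remoting enabled and an elevated session.

```powershell
# Added example: the names below are hypothetical placeholders.
$Servers     = 'APP01', 'SQL01'          # member servers, not domain controllers
$DomainGroup = 'CONTOSO\RDP-AppUsers'    # domain group holding the non-admin users
$Fix         = $false                    # set to $true to add the group where missing

$audit = {
    param($DomainGroup, $Fix)

    # Resolve the built-in group by well-known SID so localized names also work.
    $rdu      = Get-LocalGroup -SID 'S-1-5-32-555'
    $members  = @(Get-LocalGroupMember -Group $rdu | Select-Object -ExpandProperty Name)
    $isMember = $members -contains $DomainGroup

    if (-not $isMember -and $Fix) {
        Add-LocalGroupMember -Group $rdu -Member $DomainGroup
        $isMember = $true
    }

    # Export the effective user-rights assignments (requires elevation).
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            # SIDs are written as *S-1-...; strip the asterisk for comparison.
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $cfg

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        GroupInLocalRDU  = $isMember
        # "Allow log on through Remote Desktop Services"
        RduHasLogonRight = $rights['SeRemoteInteractiveLogonRight'] -contains 'S-1-5-32-555'
        # "Deny log on through Remote Desktop Services" entries, listed for review
        DenyEntries      = $rights['SeDenyRemoteInteractiveLogonRight'] -join ','
    }
}

Invoke-Command -ComputerName $Servers -ScriptBlock $audit -ArgumentList $DomainGroup, $Fix |
    Select-Object Computer, GroupInLocalRDU, RduHasLogonRight, DenyEntries
```
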
  • Hi,

    Agree with Santosh. The option is either to create a restricted group for Remote Desktop and then add to that group the users to whom you want to give access, or to add them to the Remote Desktop Users group on each server.



    Thanks & Regards,

    Abhijit Deshpande

    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights


    Monday, April 22, 2013 10:09 AM

All replies

  • I am trying to give the permission for domain users to have remote desktop connection. - On which server are you trying that? DC, File Server, anything else?

    Regards, Santosh



    Friday, April 19, 2013 10:23 AM
    Moderator
  • All kinds of servers (SQL, web, file, antivirus, etc.).

    The user needs to access only the application on that server, other than Microsoft applications (kind of read-only on the server side).


    SDPS

    Friday, April 19, 2013 2:20 PM
  • Please check whether your Windows firewall is disabled or not. Also check whether any third-party firewall software is enabled or not.
    Monday, April 22, 2013 8:49 AM
  • Please check whether your Windows firewall is disabled or not. Also check whether any third-party firewall software is enabled or not.
    Firewall has no role to play pertaining to OP's (SDPS) question!

    Regards, Santosh



    Monday, April 22, 2013 8:58 AM
    Moderator