Allow Remote desktop for a domain user

  • Question

  • Hi,

    I want to allow Remote Desktop access for multiple users in a Windows Server 2012 domain.

    All users are members of the Domain Users and Remote Desktop Users groups in Active Directory.

    Remote Desktop has been enabled on all the other servers in the same domain, and "Allow log on through Remote Desktop Services" is enabled for the Administrator and Remote Desktop Users groups.

    However, users are still not able to connect and they are getting the following error:

    "The connection was denied because the user account is not authorized for remote login"

    If I add them to the local Remote Desktop Service of every machine in the domain, the access will be granted.

    What should I configure to allow RDP for all users without adding them to the local Remote Desktop Users groups?

    Regards,

    Tarek

    Thursday, October 20, 2016 6:07 PM

Answers

  • Hi TarekF,

    To my understanding, adding a user or group to the builtin Remote Desktop Users group in Active Directory will give him access to all servers in the domain without adding this group again to the local Remote Desktop Users of every server.

    >>>I have tested for this. If I add a user to the group, I cannot see the user in the local Remote Desktop Users group.

    As I mentioned, the users are members of the Remote Desktop Users builtin domain group, and this group is already added to the "Allow log on through Remote Desktop Services" GPO of the remote server (this setting is by default).

    >>>As mentioned above, to allow those users to log on to the computers remotely, if the computer is a domain member, you just need to add the user to the local Remote Desktop Users group like below.

    If the computer is a domain controller, you need to add the user to the local Remote Desktop Users group and give the user logon through Remote Desktop Services in GPO.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Jay Gu Monday, November 7, 2016 11:37 AM
    • Marked as answer by Jay Gu Thursday, November 10, 2016 1:20 AM
    Tuesday, November 1, 2016 2:50 AM

All replies

  • Hi Tarek,

    Remote Desktop has been enabled on all the other servers in the same domain, and "Allow log on through Remote Desktop Services" is enabled for the Administrator and Remote Desktop Users groups.

    However, users are still not able to connect and they are getting the following error:

    "The connection was denied because the user account is not authorized for remote login"

    If I add them to the local Remote Desktop Service of every machine in the domain, the access will be granted.

    What should I configure to allow RDP for all users without adding them to the local Remote Desktop Users groups?

    >>>The error may occur when the user is part of the Remote Desktop Users group but that group is not present in the GPO for “Allow Logon through Terminal Services”.

    I suggest you configure the GPO with Administrator and those specific users for the setting "Allow log on through Remote Desktop Services".

    To allow domain users to log on remotely to a domain member, we need to delegate domain users with remote logon and logon right.

    In other words, we need to add the user to the Remote Desktop Users group and delegate with allow logon through Remote Desktop Services.

    For more information, please refer to the article below.

    “Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group

    https://blogs.technet.microsoft.com/askperf/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group/

    Best Regards,

    Jay



    • Proposed as answer by Jay Gu Friday, October 21, 2016 1:26 AM
    • Unproposed as answer by TarekF Friday, October 21, 2016 3:57 PM
    Friday, October 21, 2016 1:26 AM
  • Hi Jay,

    Thank you for your reply.

    As I mentioned, the users are members of the Remote Desktop Users builtin domain group, and this group is already added to the "Allow log on through Remote Desktop Services" GPO of the remote server (this setting is by default).

    However, I am still facing the same issue.

    To my understanding, adding a user or group to the builtin Remote Desktop Users group in Active Directory will give him access to all servers in the domain without adding this group again to the local Remote Desktop Users of every server.

    Regards,

    Tarek 



    • Edited by TarekF Friday, October 21, 2016 11:34 AM
    Friday, October 21, 2016 10:33 AM
  • Hi,

    Are there any updates?

    If the replies have resolved your problem, please mark it as answer as it would be helpful to anyone who encounters the similar issue.

    Thank you.

    Best Regards,

    Jay



    Monday, November 7, 2016 11:37 AM
  • No, I tried; can't add.

    Wednesday, March 28, 2018 5:09 PM
  • Greetings Karthick. Did you ever get the issue resolved? I have the same identical issue. Running ADS on domain controller. Added member server I wish to RDC to. Only way I've found is to add users to RDC group in domain, then grant RDC locally on member server. Have read many articles on how to configure RDC, but nothing to help with this.
    Tuesday, October 16, 2018 2:50 AM
  • Actually there is a confusion here. If you need to allow regular users to access a DOMAIN CONTROLLER via RDP, use the "Remote Desktop Users" group and the above GPO reference. If you need the user to access another device (server, workstation) on your network, you must create a different group and add this domain group "to the LOCAL Remote Desktop Users group on your device". This can be done via GPO: Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups
    Tuesday, December 3, 2019 1:13 PM
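
The two conditions this thread turns on (membership of the machine's local Remote Desktop Users group, and the "Allow log on through Remote Desktop Services" user right) can be audited on a member server with the added PowerShell example below; it is not code from any poster. Assumptions: an elevated PowerShell 5.1+ session on a domain member (not a domain controller), and `CONTOSO\RDP-MemberServers` is a hypothetical dedicated domain group of the kind described above.

```powershell
# Added example: audit why a domain user is refused RDP on a member server.
$DomainGroup = 'CONTOSO\RDP-MemberServers'  # hypothetical dedicated domain group (placeholder)
$RduSid      = 'S-1-5-32-555'               # well-known SID: BUILTIN\Remote Desktop Users
$AdminsSid   = 'S-1-5-32-544'               # well-known SID: BUILTIN\Administrators
$Apply       = $false                       # set to $true to add the group locally

# 1) Members of the LOCAL Remote Desktop Users group on this machine.
#    Using the SID avoids problems with localized group names.
$members = @(Get-LocalGroupMember -SID $RduSid -ErrorAction Stop)
$members | Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# 2) Principals holding "Allow log on through Remote Desktop Services"
#    (SeRemoteInteractiveLogonRight) in the effective local security policy.
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
Remove-Item $cfg -Force
$holders = @()
if ($line) {
    # Entries are comma-separated; SIDs are written with a leading '*'.
    $holders = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
"SeRemoteInteractiveLogonRight holders: $($holders -join ', ')"

# 3) Report on both conditions.
$groupIsLocalMember = $members.Name -contains $DomainGroup
$rduHasRight        = $holders -contains $RduSid
if (-not $rduHasRight) {
    Write-Warning 'Local Remote Desktop Users does not hold the RDP logon right; check the GPO user rights assignment.'
}
if ($holders | Where-Object { $_ -notin $RduSid, $AdminsSid }) {
    Write-Warning 'Principals other than Administrators / Remote Desktop Users hold the RDP logon right; review them.'
}
if (-not $groupIsLocalMember) {
    Write-Warning "$DomainGroup is not in the local Remote Desktop Users group."
    if ($Apply) {
        # One-off fix; the GPO Preferences item described above does this at scale.
        Add-LocalGroupMember -SID $RduSid -Member $DomainGroup
    }
}
```

Granting the local membership to a dedicated group rather than to Domain Users keeps the set of accounts that can open an RDP session on each server small and reviewable.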
  • It works for me.
    Friday, July 24, 2020 5:57 PM