To Sign in Remotely, You Need the Right to Sign in Through Remote Desktop Service

When connecting to a Windows desktop computer or Windows Server running Remote Desktop Services (RDS) over the RDP, you may encounter an error:

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually.


If Network Level Authentication (NLA) is additionally enabled for the RDP protocol on the remote computer, the same error looks as follows:

Remote Desktop Connection

The connection was denied because the user account is not authorized for remote login.


How can you remotely connect to the desktop of such a computer? (The screenshots with the error were taken on Windows 10.)

By default, Windows security settings allow remote RDP logins through Remote Desktop Services (TermService) when:

  • The user account is a member of the local group Remote Desktop Users or Administrators;
  • The user group is allowed to connect in the local Group Policy parameter Allow the log on through Remote Desktop Services.

Add User to Remote Desktop Users Group

As you probably know, members of the local Administrators group are permitted to log in remotely via Remote Desktop by default. So, first check whether the account you connect with is a member of the local Administrators group. You can do this on the computer using the Local Users and Groups MMC console (lusrmgr.msc).

In the Local Users and Groups console, go to the Groups section, select the Administrators group, and check if your account is in this list.


A standard (non-administrator) user can also connect to a computer via RDP if their account is added to the local Remote Desktop Users group (members of this group are granted the permission to log on remotely).

Use the lusrmgr.msc snap-in as described above to check if your account is a member of the Remote Desktop Users group.

If you have administrator privileges on this computer, you can add a user account to this group by clicking the Add button. Enter the name of the user or security group and click OK twice to save the changes.

As a result, the user will have the permission to log on remotely via Remote Desktop, but won’t have local administrator privileges on the computer.


You can list the local groups the user is a member of with the command:

net user bjackson | find "Local Group Memberships"


In the screenshot, you can see that the first user is only a member of the local Users group, while the second has been added to two local groups: Administrators and Remote Desktop Users.

If you want to check local group membership for a domain account, add the /DOMAIN parameter:

net user bjackson /DOMAIN | find "Local Group Memberships"

You can get local group membership information from a remote computer (OfPCN21 in this example) using the Invoke-Command PowerShell cmdlet:

Invoke-Command -ComputerName OfPCN21 -ScriptBlock { net user bjackson /DOMAIN | find "Local Group Memberships" }

You can add a user to the local group:
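The command itself is not present on the page; the following is an added example (not the author's) that adds the assumed account bjackson to the local Remote Desktop Users group with the built-in LocalAccounts cmdlets and then confirms the membership.

```powershell
# Added example: add a user to the local "Remote Desktop Users" group and verify.
# $User is an assumption (a local account); use "DOMAIN\bjackson" for a domain account.
$User  = "bjackson"
$Group = "Remote Desktop Users"

# Add-LocalGroupMember throws if the account is already a member, so check first.
# Get-LocalGroupMember returns names as COMPUTER\user or DOMAIN\user.
$already = Get-LocalGroupMember -Group $Group -ErrorAction Stop |
    Where-Object { $_.Name -like "*\$User" -or $_.Name -eq $User }

if ($already) {
    Write-Host "$User is already a member of '$Group'."
} else {
    Add-LocalGroupMember -Group $Group -Member $User
    Write-Host "Added $User to '$Group'."
}

# The classic equivalent, valid on every Windows version:
#   net localgroup "Remote Desktop Users" bjackson /add

# Membership is evaluated when the logon token is built, so the change applies
# at the user's next sign-in, not to an already-open session.
Get-LocalGroupMember -Group $Group | Format-Table Name, ObjectClass, PrincipalSource
```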

After adding the user to the group, the user account will be assigned the SeRemoteInteractiveLogonRight right at login, and will be able to connect via RDP.

Group Policy: Allow Log on Through Remote Desktop Services

You can also allow users to remotely connect to Remote Desktop Services using the local group policy editor:

  1. Run the gpedit.msc console and go to the section Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment;
  2. Find a policy named Allow log on through Remote Desktop Services;
    Tip. If this policy contains only the Administrators group, then for some reason your administrator has denied access to the system via RDP for the local Remote Desktop Users group;
  3. Click the Add User and Group button, and add users or groups that you want to allow RDP login;
  4. Save changes and update computer policies using the gpupdate command:
    gpupdate /force

Tip. Using this policy, you can grant RDP access to domain controllers to technical staff or users without granting them domain admin privileges in the Active Directory domain. This trick will also work if you have installed the Remote Desktop Services role on the AD domain controller (although this is not recommended) and you want to allow non-admin users to connect to it via RDP/RemoteApp.

Also, in the same section of the GPO editor, make sure your account is not specified in the Deny log on through Remote Desktop Services policy (this policy is also located under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment).

If a user is added to both policies at once, either directly or through a group, he won’t be able to remotely connect via RDP because the Deny policy has a higher priority.


If your computer is joined to an AD domain, these local settings may be overridden by domain Group Policy settings. The resulting GPO settings can be obtained using the rsop.msc snap-in or with the gpresult command.

To check the GPO settings applied from the domain, open an elevated command prompt and run the command:

GPResult /h c:\gp_report.html /f

Open the gp_report.html using your favorite browser and check the configured options in the Allow and Deny log on through Remote Desktop Services policies.
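To check the two policies without reading the HTML report, the following added example (not from the original article) exports the effective User Rights Assignment from the local security database with secedit, resolves the SIDs in the Allow and Deny entries, and reports which of the assumed account bjackson's local groups match either list. It must be run from an elevated PowerShell; only direct local group membership is considered, nested domain groups are not expanded.

```powershell
# Added example: read SeRemoteInteractiveLogonRight / SeDenyRemoteInteractiveLogonRight
# from the local security database and check an account against them.
# $Account is an assumption; run elevated (secedit /export needs admin rights).
$Account = "bjackson"
$Inf = Join-Path $env:TEMP "user_rights.inf"
secedit /export /cfg $Inf /areas USER_RIGHTS | Out-Null
$Policy = Get-Content $Inf

function Get-RightHolders([string]$Right) {
    # Exported lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $line = $Policy | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }          # right assigned to nobody
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($id)
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $id }                      # plain name or orphaned SID: keep as written
    }
}

$Allow = Get-RightHolders 'SeRemoteInteractiveLogonRight'
$Deny  = Get-RightHolders 'SeDenyRemoteInteractiveLogonRight'
"Allow log on through RDS: $($Allow -join ', ')"
"Deny  log on through RDS: $($Deny  -join ', ')"

# Local groups the account is a direct member of (Get-LocalGroupMember names are COMPUTER\user).
$Groups = Get-LocalGroup | Where-Object {
    (Get-LocalGroupMember -Group $_.Name -ErrorAction SilentlyContinue).Name -like "*\$Account"
} | ForEach-Object { $_.Name }

# Compare on the bare name: the export resolves to 'BUILTIN\Administrators',
# while Get-LocalGroup returns 'Administrators'.
$Leaf = { param($n) ($n -split '\\')[-1] }
$Principals = @($Account) + $Groups
$HitAllow = $Allow | Where-Object { (& $Leaf $_) -in $Principals }
$HitDeny  = $Deny  | Where-Object { (& $Leaf $_) -in $Principals }

# Deny takes precedence over Allow, exactly as described for the two policies above.
if ($HitDeny)      { "$Account is DENIED RDP logon via: $($HitDeny -join ', ')" }
elseif ($HitAllow) { "$Account is allowed RDP logon via: $($HitAllow -join ', ')" }
else               { "$Account matches neither list; it is not allowed to log on via RDP" }
Remove-Item $Inf -ErrorAction SilentlyContinue
```

On a domain-joined computer the exported values already reflect the domain GPO that is currently applied, so the output can be compared directly with the gp_report.html results.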

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Cyril Kardashevsky

One comment

  1. Thank you very much for this. After many hours of breaking my head it turned out Deny log on through Remote Desktop Services was the culprit in my case.
