Allow RDP access to non-administrator users on Windows Server

By default, RDP access to the desktops of Windows Server member servers or Active Directory domain controllers is limited to users added to the local administrators Or domain administrator Group. In this post, we will show you how to grant RDP access to Windows Server hosts or domain controllers without assigning local admin rights to non-admin users.

By default, Windows security settings allow a remote user to make an RDP connection via Remote Desktop Services (TermService) if:

  • user is a member of local administrators Or remote desktop user Group;
  • local Allow log on through Remote Desktop Services The policy allows the user to connect.

To sign in remotely, you need the right to sign in through Remote Desktop Services

User receives error when trying to connect remotely to Windows Server Desktop:

To sign in remotely, you need the right to sign in Remote Desktop Services. By default only members of the Administrators group have this right. If the group you’re in doesn’t have this right, or if the right has been removed from Administrators group, you need to be granted this right manually.

To sign in remotely, you need the right to sign in to Remote Desktop Services

If Network Level Authentication (NLA) is enabled in the RDP settings on the remote host, another error occurs when connecting:

The connection was denied because the user account is not authorized for remote login.

The connection was refused because the user account was not authorized

In this case, you just need to add the user to the local remote desktop user The group allows them to connect to the Windows Server via RDP:

  1. Open the Local Users and Groups MMC snap-in (lusrmgr.msc) and navigate to the Groups section;
  2. double click remote desktop user Group;
  3. Click the Add button and enter the name of the user (or group) you want to grant RDP access to;Add user to local Remote Desktop Users group
  4. Users can then connect to the Windows host via RDP.

It is also possible to add a user to an RDP access group from the command line:

net localgroup "Remote Desktop Users" /add woshub\testuser

or using PowerShell (learn more about how to manage local users and local groups with PowerShell).

Add-LocalGroupMember -Group "Remote Desktop Users" -Member testuser

List the users in the Remote Desktop Users group:

Get-LocalGroupMember -Group 'Remote Desktop Users'

powershell - List Remote Desktop Users group membership

Similarly, you can provide RDP access to users with Windows 10 or 11 workstations (Don’t forget to enable RDP on these devices.).

By default, Windows Server allows two concurrent Remote Desktop sessions. This means that two users can work simultaneously in their Remote Desktop session. If you need more concurrent RDP connections, you will need to purchase and activate licenses (RDP CALs) and install the Remote Desktop Services role on an RDS license server (be it a standalone RDSH server or a complete RDS farm with multiple hosts) could).

You can use an RDS store to provide remote desktop access to an RDS farm. open Server Manager , Remote Desktop Services –, Work , Edit deployment properties,

open the archive and user Group The section will list the security groups allowed to connect to the RDSH hosts in that collection.

RDS Collection - Grant access to RDSH

Allow RDP access to domain controller for non-admin user

If you need to provide a regular (non-administrator) user remote access to the desktop of a domain controller, the method described above will not work.

After you promote the server role to an Active Directory domain controller, you cannot manage local users and groups from the Computer Management MMC snap-in. when you try to open local users and groups to console (lusrmgr.msc), the following error appears:

The computer xxx is a domain controller. This snip-in cannot be used on a domain controller. Domain accounts are managed with the Active Directory Users and Computers snap-in.

Computer xxx is a domain controller.  This snip-in cannot be used on a domain controller.  Domain accounts are managed with the Active Directory Users and Computers snap-in.

As you can see, there are no local groups on the domain controller. instead of local group remote desktop userDC uses built-in domain group remote desktop user (Located in built-in Container). You can manage this group from the ADUC console or from the DC command prompt.

domain created group remote desktop users

However, using this group to provide Remote Desktop access is not recommended as it will give the user access to all DCs in the domain. In this case, it is better to allow using Allow log on through Remote Desktop Services Policy.

Many may rightly ask why non-administrators need remote access to the DC desktop. Indeed, in small and medium-sized infrastructures, where the entire infrastructure is managed by multiple administrators with domain admin permissions, this is unlikely to be necessary. In most cases, delegating some administrative permissions in Active Directory or using PowerShell Just Enough Administration (JEA) is sufficient.

However, in large corporate networks with a large number of employees, it is often necessary to provide RDP access to a DC (usually a branch DC or RODC) to various groups of server administrators, on-duty administrators, or other technical staff. There are also situations where third-party services managed by non-domain administrators are deployed on DCs, and these services need to be maintained.

How to allow logging on through Remote Desktop Services?

To allow a domain user or group to connect remotely to Windows via RDP, you must grant them SeRemoteInteractiveLogonRight privilege. You can give this permission by using Allow log on through Remote Desktop Services Policy.

policy is called Allow logon through Terminal Services In Windows Server 2003 and earlier.

You need to change the setting of this policy on your domain controller to allow remote connections to domain controllers for members of the Remote Desktop Users group:

  1. Open the Local Group Policy Editor (gpedit.msc,
  2. Go to GPO section Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment,
  3. find policy Allow log on through Remote Desktop Services,

    Once a server is promoted to a DC, the only groups that remain in this local policy are administrators group (these are domain administrators).

  4. Edit policy and add domain users or groups directly (domain\CA_Server_Admins) This;Group Policy: Allow log on through Remote Desktop Services
  5. Update the local Group Policy settings on the DC using the command: : gpupdate /force

Note that the group you have added Allow log on through Remote Desktop Services should not be present in the policy”Deny logon through Remote Desktop Servicespolicy because it has a higher priority (check the article Block remote access under Local User Accounts). In addition, if you want to restrict the list of computers users can log on to, you must add the server name to the user account properties in AD (LogonWorkstations user attribute).

Comment, For users to be allowed to log on to the DC locally (via the server console), their account or group must also be “added to”allow to log on locally” Policy. By default, the following built-in domain groups have this permission:

  • backup operators
  • administrators
  • print operators
  • server operators
  • account manager

If you don’t do this, you’ll receive an error message when you try to connect to Remote Desktop: The sign-in method you’re trying to use is not allowed.

To make things easier, you can create a new security group in the domain, eg AllowDLogin, Next, add the accounts that need to be allowed to access the policy remotely to the DC. If you need to allow access to all AD domain controllers at once rather than editing the local policy on each DC it would be better to add the Users group to Default Domain Controller Policy Using the Group Policy Management Console (GPMC.msc, Edit Policy Item Allow log on through Remote Desktop Services Under the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment section.

Warning, If you change the default domain controller policy, don’t forget to add the Domain/Enterprise Administrators group to the policy Allow log on through Remote Desktop ServicesOtherwise, they will lose remote access to the DC.

Default Domain Controller Policy: Allow logon over RDP

The users you added to the policy will now be able to connect to the AD domain controller’s desktop via RDP.

The requested RDP session access is denied

In some cases, when you use RDP to connect to a Windows Server domain member host or domain controller, you may receive the following error:

The requested session access is denied.

requested rdp session access is denied

The following problems may occur if you connect to a DC using a non-administrator account:

  • You are trying to connect to the server console ( mstsc /admin Method). This connection mode is only allowed for administrators. Attempt to connect to server with mstsc.exe client in normal RDP mode (without /admin Option);
  • It is possible that there are already two active RDP sessions on the host (by default, no more than two concurrent RDP sessions can connect to a Windows server without the RDS role). You can get a list of active sessions and logged-on users on a remote computer using the command:
    qwinsta /server:dc01
    You cannot end sessions of other users without administrator permissions. You must wait for the administrators to release or end the session;
  • Restricted Admin Mode or Windows Defender Remote Credential Guard is enabled on the Windows Server host

Leave a Comment