Remote Desktop domain controller

Get answers from your peers        along with millions of IT pros who visit Spiceworks.     Join Now

Hi,

I want to provide someone with access to a server using Remote Desktop but I don't want to make them an administrator.

He is a member of the Remote Desktop Users group and is listed under Remote Desktop Users in System>Remote>

But when he attempts to log on using his credentials he gets an error:-

To Sign in remotely you need the rights to sign in Through Remote Desktop Services. By default members of the Administrators group have this right..........


Best Answer

Remote Desktop domain controller

Ghost Chili OP              Semicolon

Remote Desktop domain controller

This person is a verified professional.                   Verify your account to enable IT peers to see that you are a professional.                Aug 14, 2014 at 18:41 UTC

On the domain controller, run secpol.msc.

Then: Security Settings \ Local Policies \ User Rights Assignment \ Allow Log on through Remote Desktop Services --> Add the (domain) Remote Desktop Users group

On domain controllers, only Administrators have this right by default; on member servers thelocal group Remote Desktop Users and Administrators have this right by default.

So contrary to what one would assume to be 'common sense,' in order for a member of the Remote Desktop Users group to RDP to a domain controller, the group must first be granted this right.
   View this "Best Answer" in the replies below »        Popular Topics in Windows Server

  • Are you smarter than most IT pros?
  • Hacked 2016 Server
  • Concerned about event viewer error 17836
  • Upgrade 2012 r2 to 2019 - Can't keep files
Remote Desktop domain controller

Spiceworks Help Desk

The help desk software for IT. Free.

Track users' IT needs, easily, and with only the features you need.       Learn More »

10 Replies                · · ·

Remote Desktop domain controller

Datil OP                    Gregory H Hall

Remote Desktop domain controller

This person is a verified professional.                   Verify your account to enable IT peers to see that you are a professional.                Aug 14, 2014 at 16:31 UTC

DataGuys is an IT service provider.

Add him as a local administrator on the box.

Go to Control Panel, Administrative tools

Computer management

users and groups

add the user to the local administrators group

test the login at that point

set GPO settings to lock him down on that box if necessary.

Report back if you need more.   0          · · ·

Remote Desktop domain controller

Chipotle OP                    Haslemere Shrimper         Aug 14, 2014 at 16:38 UTC

Geoff Baldwin Trading as Beaufort Networks is an IT service provider.

Thanks Gregory. The box is the domain controller. Will this give him domain admin rights?   0          · · ·

Remote Desktop domain controller

Mace OP                    molan

Remote Desktop domain controller

This person is a verified professional.                   Verify your account to enable IT peers to see that you are a professional.                Aug 14, 2014 at 16:42 UTC

You don't need to make him an administrator.

On the server go to system >> Remote settings >> select users

then just add him to the list of users allowed to RDP to that server   1          · · ·

Remote Desktop domain controller

Datil OP                    Gregory H Hall

Remote Desktop domain controller

This person is a verified professional.                   Verify your account to enable IT peers to see that you are a professional.                Aug 14, 2014 at 16:47 UTC

DataGuys is an IT service provider.

If it is a DC you will not see the Users and Groups link in Computer Management. Also I thought you wanted him to be able to install and work that box so I recommended the Local Admin setting. If you just want him to use Applications then I would add him to the local remote desktop users group on the box as per Molan...   0          · · ·

Remote Desktop domain controller

Chipotle OP                    Haslemere Shrimper         Aug 14, 2014 at 17:21 UTC

Geoff Baldwin Trading as Beaufort Networks is an IT service provider.

He needs to be able to use an ODBC connector to connect to an SQL database and cannot do so via a VPN. He therefor needs to access the sql server 'locall' and configure the SQL server/database to allow connection via VPN

He is already in the Remote Desktop Users on the server.   0          · · ·

Remote Desktop domain controller

Ghost Chili OP                    Semicolon

Remote Desktop domain controller

This person is a verified professional.                   Verify your account to enable IT peers to see that you are a professional.                Aug 14, 2014 at 18:37 UTC

Gregory H Hall wrote:
If it is a DC you will not see the Users and Groups link in Computer Management. Also I thought you wanted him to be able to install and work that box so I recommended the Local Admin setting. If you just want him to use Applications then I would add him to the local remote desktop users group on the box as per Molan...

Domain controllers do not have Local users or groups; this includes not having a local admin or a local remote desktop users group.   0          · · ·

Remote Desktop domain controller

Ghost Chili OP  Best Answer                   Semicolon

Remote Desktop domain controller

This person is a verified professional.                   Verify your account to enable IT peers to see that you are a professional.                Aug 14, 2014 at 18:41 UTC

On the domain controller, run secpol.msc.

Then: Security Settings \ Local Policies \ User Rights Assignment \ Allow Log on through Remote Desktop Services --> Add the (domain) Remote Desktop Users group

On domain controllers, only Administrators have this right by default; on member servers thelocal group Remote Desktop Users and Administrators have this right by default.

So contrary to what one would assume to be 'common sense,' in order for a member of the Remote Desktop Users group to RDP to a domain controller, the group must first be granted this right.
  0          · · ·

Remote Desktop domain controller

Ghost Chili OP                    Semicolon

Remote Desktop domain controller

This person is a verified professional.                   Verify your account to enable IT peers to see that you are a professional.                Aug 14, 2014 at 18:47 UTC

Now, what's funny, is that the description of the domain group 'BUILTIN\Remote Desktop Users' has this information listed on TechNet:

Remote Desktop domain controller

The description is...troublesome; however, as the group has no such rights on a domain controller (also as indicated by the right column above); confirmed by the description of the user right in the security policy:

Remote Desktop domain controller

0          · · ·

Remote Desktop domain controller

Ghost Chili OP                    Semicolon

Remote Desktop domain controller

This person is a verified professional.                   Verify your account to enable IT peers to see that you are a professional.                Aug 14, 2014 at 18:55 UTC

molan wrote:
You don't need to make him an administrator.
On the server go to system >> Remote settings >> select users
then just add him to the list of users allowed to RDP to that server

I believe this isn't working (as the OP noted) because this must just be a graphical tool to add users to the Remote Desktop Users Group; it doesn't actually grant user rights.   0          · · ·

Remote Desktop domain controller

Chipotle OP                    Haslemere Shrimper         Aug 14, 2014 at 18:57 UTC

Geoff Baldwin Trading as Beaufort Networks is an IT service provider.

Semicolon wrote:
On the domain controller, run secpol.msc.
Then: Security Settings \ Local Policies \ User Rights Assignment \ Allow Log on through Remote Desktop Services --> Add the (domain) Remote Desktop Users group
On domain controllers, only Administrators have this right by default; on member servers thelocal group Remote Desktop Users and Administrators have this right by default.
So contrary to what one would assume to be 'common sense,' in order for a member of the Remote Desktop Users group to RDP to a domain controller, the group must first be granted this right.

PERFECT!!

That got the job done.

Thanks SemiColon   2

This topic has been locked by an administrator and is no longer open for commenting.

To continue this discussion, please ask a new question.

Video liên quan