Hi,
I want to provide someone with access to a server using Remote Desktop but I don't want to make them an administrator.
He is a member of the Remote Desktop Users group and is listed under Remote Desktop Users in System>Remote>
But when he attempts to log on using his credentials he gets an error:-
To Sign in remotely you need the rights to sign in Through Remote Desktop Services. By default members of the Administrators group have this right..........
10 Replies · · ·
Datil OP Gregory H Hall
Aug 14, 2014 at 16:31 UTC
DataGuys is an IT service provider.
Add him as a local administrator on the box.
Go to Control Panel, Administrative tools
Computer management
users and groups
add the user to the local administrators group
test the login at that point
set GPO settings to lock him down on that box if necessary.
Report back if you need more. 0 · · ·
Chipotle OP Haslemere Shrimper Aug 14, 2014 at 16:38 UTC
Geoff Baldwin Trading as Beaufort Networks is an IT service provider.
Thanks Gregory. The box is the domain controller. Will this give him domain admin rights? 0 · · ·
Mace OP molan
Aug 14, 2014 at 16:42 UTC
You don't need to make him an administrator.
On the server go to system >> Remote settings >> select users
then just add him to the list of users allowed to RDP to that server 1 · · ·
Datil OP Gregory H Hall
Aug 14, 2014 at 16:47 UTC
DataGuys is an IT service provider.
If it is a DC you will not see the Users and Groups link in Computer Management. Also I thought you wanted him to be able to install and work that box so I recommended the Local Admin setting. If you just want him to use Applications then I would add him to the local remote desktop users group on the box as per Molan... 0 · · ·
Chipotle OP Haslemere Shrimper Aug 14, 2014 at 17:21 UTC
Geoff Baldwin Trading as Beaufort Networks is an IT service provider.
He needs to be able to use an ODBC connector to connect to an SQL database and cannot do so via a VPN. He therefore needs to access the SQL server 'locally' and configure the SQL server/database to allow connection via VPN.
He is already in the Remote Desktop Users on the server. 0 · · ·
Ghost Chili OP Semicolon
Aug 14, 2014 at 18:37 UTC
Gregory H Hall wrote:
If it is a DC you will not see the Users and Groups link in Computer Management. Also I thought you wanted him to be able to install and work that box so I recommended the Local Admin setting. If you just want him to use Applications then I would add him to the local remote desktop users group on the box as per Molan...
Domain controllers do not have Local users or groups; this includes not having a local admin or a local remote desktop users group. 0 · · ·
Ghost Chili OP Best Answer Semicolon
Aug 14, 2014 at 18:41 UTC
On the domain controller, run secpol.msc.
Then: Security Settings \ Local Policies \ User Rights Assignment \ Allow Log on through Remote Desktop Services --> Add the [domain] Remote Desktop Users group
On domain controllers, only Administrators have this right by default; on member servers the local group Remote Desktop Users and Administrators have this right by default.
So contrary to what one would assume to be 'common sense,' in order for a member of the Remote Desktop Users group to RDP to a domain controller, the group must first be granted this right.
0 · · ·
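Added example (not part of the original thread): a PowerShell check, run from an elevated prompt on the server, that lists which accounts hold the "Allow log on through Remote Desktop Services" right (`SeRemoteInteractiveLogonRight`) and the matching deny right, so you can confirm whether Remote Desktop Users was actually granted it. The helper name `Get-UserRightHolder` is hypothetical; `S-1-5-32-555` is the well-known SID of BUILTIN\Remote Desktop Users.

```powershell
# Added example, not from the thread. Run elevated on the server being checked.
function Get-UserRightHolder {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Right)
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of the security policy.
        secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match "^$([regex]::Escape($Right))\s*=" }
        if (-not $line) { return }      # right is not assigned to anyone
        # Value format: *S-1-5-32-544,*S-1-5-32-555,SomeAccountName
        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # SID entry: resolve it to an account name where possible.
                $sid = $entry.TrimStart('*')
                try {
                    $sidObj = [System.Security.Principal.SecurityIdentifier]$sid
                    $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = '<unresolved SID>' }
                [pscustomobject]@{ Right = $Right; Sid = $sid; Name = $name }
            } else {
                # Entry stored as a plain account name.
                [pscustomobject]@{ Right = $Right; Sid = $null; Name = $entry }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$rdpUsers = 'S-1-5-32-555'   # well-known SID of BUILTIN\Remote Desktop Users
$allow = @(Get-UserRightHolder -Right 'SeRemoteInteractiveLogonRight')
$deny  = @(Get-UserRightHolder -Right 'SeDenyRemoteInteractiveLogonRight')

$allow + $deny | Format-Table Right, Name, Sid -AutoSize

if ($allow.Sid -notcontains $rdpUsers) {
    Write-Warning 'Remote Desktop Users does not hold the allow right here; group membership alone will not permit RDP logon.'
}
if ($deny.Sid -contains $rdpUsers) {
    Write-Warning 'Remote Desktop Users is listed under the deny right, which overrides the allow right.'
}
```

Running it before and after the secpol.msc change shows the group appearing in the allow list, and it doubles as an audit of every principal that can RDP to the domain controller.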
Ghost Chili OP Semicolon
Aug 14, 2014 at 18:47 UTC
Now, what's funny, is that the description of the domain group 'BUILTIN\Remote Desktop Users' has this information listed on TechNet:
The description is...troublesome; however, as the group has no such rights on a domain controller [also as indicated by the right column above]; confirmed by the description of the user right in the security policy:
0 · · ·
Ghost Chili OP Semicolon
Aug 14, 2014 at 18:55 UTC
molan wrote:
You don't need to make him an administrator.
On the server go to system >> Remote settings >> select users
then just add him to the list of users allowed to RDP to that server
I believe this isn't working [as the OP noted] because this must just be a graphical tool to add users to the Remote Desktop Users Group; it doesn't actually grant user rights. 0 · · ·
Chipotle OP Haslemere Shrimper Aug 14, 2014 at 18:57 UTC
Geoff Baldwin Trading as Beaufort Networks is an IT service provider.
Semicolon wrote:
On the domain controller, run secpol.msc.
Then: Security Settings \ Local Policies \ User Rights Assignment \ Allow Log on through Remote Desktop Services --> Add the [domain] Remote Desktop Users group
On domain controllers, only Administrators have this right by default; on member servers the local group Remote Desktop Users and Administrators have this right by default.
So contrary to what one would assume to be 'common sense,' in order for a member of the Remote Desktop Users group to RDP to a domain controller, the group must first be granted this right.
PERFECT!!
That got the job done.
Thanks SemiColon 2