How to grant ‘Allow log on through Terminal Services Right’

By With 74 Comments

To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Destop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop User group does not have ths right, you must be granted this right manually.

We were setting up remote access for a user on a domain controller for some tests. This user was not an admin (but belonged to the Remote Desktop Users) and kept getting the same error message above. Setting this user to domain admin solved the problem, but of course I did not want to make any remote user a domain admin.

It so happens that it is not enough for a user to belongs to the Remote Desktop Users to gain the rights it needs. Here is how you fix this:

  1. Open gpedit.msc (the local group policy editor)
  2. Expand Local Computer Policy –> Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> User Rights Management
  3. Look for the setting on the right called Allow log on through Remote Desktop Services
  4. Double click this policy
  5. Add the user/group you would like to have remote access to the box.

Once this was done, the user was able to connect w/o hassles.

*That* pesky setting


Comments (74)

  1. Peter Saunders May 17, 2010

    Worked a treat – thanks.

  2. Rick June 3, 2010

    Thanks for this! It was driving me nuts trying to figure it out!

  3. Mike June 4, 2010

    Thanks, exactly what I was looking for!

  4. Robert June 26, 2010

    thx, it was my salvation!

  5. Art July 2, 2010

    Thanks a BUNCH ! ! ! ! Exactly what I was looking for….

  6. Mike Breslin July 6, 2010

    Thanks! This really saved me.

  7. Patrick August 11, 2010

    Wow! That’s exactly what I’m looking for!

  8. Zevargo September 24, 2010

    Thank you. Just what I was searching for.

  9. Zevargo September 24, 2010

    Thank you.

  10. Tony October 6, 2010

    Thanks for this info. It helped a lot!

  11. Harry October 26, 2010

    Thanks. That helped.

  12. Troy November 5, 2010

    Thank you, thank you, and thank you!

  13. Richard November 8, 2010

    Must be more to it, I have 7 users and all can access through Remote Desktop except 1
    I did verified this and still have 1 that cannot connect?

  14. Mirbek November 10, 2010

    Thank you so much! I was pulling off my hair until I found this.

  15. Alitet December 15, 2010

    THANX!!! What’s for Remote Desktop Users group then? MS like a lovely wife. You hate her but you can not live without her.

  16. josh December 29, 2010

    Thank you!

  17. Heidi January 26, 2011

    Thnx for this solution!! Really helped me out!

  18. Carl February 10, 2011

    Wow, thanks. Had this issue for a while and finally Googled it again.
    This worked!!
    So many other tops hits misses the boat entirely.
    I appreciate your help.

  19. Warren February 10, 2011

    While you are in the Group Policy editor, why not add the group “Remote Desktop users” to that list, and then just put people into that group when they need to get access to the server remotely?
    I find it easier to add people to a group than to go into gpedit every time.
    Just a thought.

  20. Dan February 12, 2011

    Legend – this has been making my head hurt for days!

  21. Izhar Saharuddin February 13, 2011

    Thank you. You have saved me a lot of time on this.

  22. André February 14, 2011

    Obrigado !

  23. Bill March 11, 2011

    The Remote Desktop Users group controls who can connect. The security policy controls who can login once they are connected. Two different things.

  24. Aadithya March 21, 2011

    This helped me too! Great! Thanks!!!

  25. Marvin March 22, 2011

    YOU ARE AWESOME!!! It worked!

  26. Steve0 March 28, 2011


  27. George April 6, 2011

    Thanks so much for this solution. Fixed the issues right away.

  28. Edwin April 13, 2011

    Thanks! It really saves me.

  29. Stefan in Sweden May 13, 2011


  30. Jeevan May 18, 2011

    Thanks it works.

  31. jalel May 19, 2011

    thank you very much !!!
    but why do we have to use gpo ?
    it has to work when users belong to Remote Desktop Users group !!

  32. Ricardo May 20, 2011

    Excellent! That solved the problem I had. Thanks for offering such a clean and direct solution.

  33. John Jayaseelan May 25, 2011

    Thanks a lot, You saved my day 🙂

  34. Ajay May 30, 2011


  35. Jodie June 7, 2011

    Thanks a lot 🙂

  36. amin June 12, 2011


  37. Ashish Mishra June 19, 2011

    Thx ton this is desired solution.

  38. kejjer June 22, 2011

    Thanks–I have to say I install servers about once month now –but I always struggle with this part and have to google it when dealing with TS on the domain controllers.
    Thanks so much–your page is the best I have found in the last several years.

  39. Peter July 2, 2011

    Thanks. this post is a savior!!

  40. mercy July 27, 2011

    Thanks so much, the information saved me and my colleague much time to figure out

  41. sandeep August 7, 2011


  42. barun August 8, 2011

    Thanks it is very help full to me,

  43. Kevin September 2, 2011

    The reason you wouldn’t want to put the Remote Desktop Users group into the policy is because they’re designed to control two different things. If you want an entire group to have remote login access create a new group, put everyone you want in there, and add that group to the policy.

  44. Manny Pacquio September 5, 2011

    U r the man!

  45. Farhan September 11, 2011

    Thanks mate! saved my time as well.. 🙂

  46. geeth September 21, 2011

    Thank you so much. almost you saved my job.

  47. Anil September 26, 2011

    But where we have to follow this steps ?…is it on local client system or on Domain controller. and why does it happens to particular member while even other users having same right and same access…they dont required Domain Admin rights to take a remote of particular server.

  48. MassiveLoop September 28, 2011

    When a server has the Domain Controller role added, by default, the server deactivates the ability for anyone(including Remote DT Users) to access it remotely except of course Admins. That is why this step is needed at the local(server OS) level as opposed to the global user level.
    The reason for the server to default to this is because of the over-privileged access one may obtain to network resources.
    Great post! I know this will help many new small net Admins.
    As a side note, having an all-in-one server is good for practicing and SOHO LANs but once you get to the enterprise level its a good idea to keep your domain controller separate from your terminal server(remote DT). This will reduce the possibility of malicious network wide attacks.

  49. Tim October 1, 2011

    Fantastic info, I search for ages in technet and could not come close to this answer, I thought I was going to go insane. Thanks for the info it works great. i did add the Remote Desktop Users Group and not induvidual users and that method works a treat too.

  50. Peter October 25, 2011

    Way to go! It worked perfectly 🙂

  51. eric December 5, 2011

    Thank you so much, it worked like magic. It was driving me crazy for a while

  52. Charith December 13, 2011

    it’s working thanks…….

  53. Tim Fiandola December 15, 2011

    THANK YOU!!!!

  54. Dan Erbs December 26, 2011

    Thanks ,it worked

  55. Gary Ramos January 2, 2012

    thank you very much for this info

  56. Richard January 8, 2012

    Perfect – thank you!

  57. Dirk January 10, 2012

    Still doesnt work. Trying to get RDS to work- and nothing.

  58. Jon January 31, 2012

    Thanks, tried many other group policy settings, but this one finally fixed the problem!

  59. laxman February 1, 2012

    nice thank you very much for info

  60. Cole February 2, 2012

    Perfect!! Thank you! I was Googling for hours before I found this. 30 seconds to fix 😉

  61. Nige February 15, 2012

    Any thoughts why my option to change who can access to the server is greyed out. Cannot add or remove name or groups

  62. Sherri February 24, 2012

    What if it’s grayed out? I’ve logged on (remotely) with local admin and domain admin and still can’t access it. Do you have to set this while physically at the station?

  63. SeismicMike March 8, 2012

    Thanks for this tutorial. Bookmarked. I know I’ll be back here. I love how Windows says “By default, the Remote Desktop Users group has this right” when it doesn’t. Typical Redmond, I guess =/

  64. G.Ashraf Ali March 13, 2012

    Thanks , this is what i looking for.

  65. Marco April 3, 2012

    It works correctly, thanks a lot

  66. Umair December 12, 2014


  67. Praful Soni January 30, 2015

    What if it’s grayed out? I’ve logged on (remotely) with local admin and domain admin and still can’t access it. Do you have to set this while physically at the station?

  68. Christian February 6, 2015

    All the work I was doing back was done connecting remotely to the machine or using remote management, I doubt that’s the reason why you are seeing it greyed out. Maybe some other policy is affecting what you can see/change?

  69. soni February 6, 2015

    Grayed out means I am not able to click on “add user/group” button (its disabled).

    I logged in using VNC Viewer as local as well as domain administrator but result is same.

  70. Hussain April 29, 2015

    Thanks, wonderful post

  71. mendy July 21, 2015

    worked for me too. thanks!

  72. mrbrown September 16, 2015

    This worked! after only an hour trying to figure it out with other sites. thank you

  73. Jake December 15, 2015

    Thanks Christian, worked like a champ!

  74. negrofeo December 22, 2015

    Muchas gracias por la información la verdad es que fue de gran ayuda.

Leave a Reply