How to grant ‘Allow log on through Terminal Services Right’


To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop User group does not have this right, you must be granted this right manually.

We were setting up remote access for a user on a domain controller for some tests. This user was not an admin (but belonged to the Remote Desktop Users group) and kept getting the same error message above. Setting this user to domain admin solved the problem, but of course I did not want to make any remote user a domain admin.

It so happens that it is not enough for a user to belong to the Remote Desktop Users group to gain the rights it needs. Here is how you fix this:

  1. Open gpedit.msc (the local group policy editor)
  2. Expand Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Management
  3. Look for the setting on the right called Allow log on through Remote Desktop Services
  4. Double click this policy
  5. Add the user/group you would like to have remote access to the box.

Once this was done, the user was able to connect w/o hassles.

*That* pesky setting
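
To check the result of the steps above without clicking through the editor, here is an added example (not part of the original post) for an elevated PowerShell prompt: it exports the machine's current user-rights assignments with secedit and lists who holds the allow and deny RDP logon rights. The scratch file name and the function names are this example's own; SeRemoteInteractiveLogonRight is the internal name of the policy in step 3.

```powershell
# Added example: audit who holds the Remote Desktop logon rights on this machine.
# Run elevated. secedit.exe ships with Windows; the file name below is arbitrary.
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-Principal([string]$entry) {
    # secedit writes principals as "*S-1-5-..." (SID) or as a plain account name
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*S-')) { return $entry }
    $sid = $entry.TrimStart('*')
    try {
        $obj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $name = $obj.Translate([System.Security.Principal.NTAccount]).Value
        "$name ($sid)"
    } catch {
        "$sid (unresolved)"   # deleted account or unreachable domain
    }
}

function Get-RightHolders([string]$right) {
    # A right that is granted to nobody has no line in the export at all
    $line = Get-Content $cfg | Where-Object { $_ -match "^$right\s*=" }
    if (-not $line) { return }
    ($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Principal $_ }
}

$allow = Get-RightHolders 'SeRemoteInteractiveLogonRight'
$deny  = Get-RightHolders 'SeDenyRemoteInteractiveLogonRight'

'Allow log on through Remote Desktop Services:'
$allow | ForEach-Object { "  $_" }
'Deny log on through Remote Desktop Services (a deny entry overrides allow):'
$deny | ForEach-Object { "  $_" }

# S-1-5-32-555 is the well-known SID of BUILTIN\Remote Desktop Users
if (-not ($allow -match 'S-1-5-32-555')) {
    'Remote Desktop Users does NOT hold the right here: group membership alone will not permit logon.'
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

Run it before and after the change: the principal added in step 5 should appear in the allow list, and anyone who also matches an entry in the deny list will still be refused.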

 

Comments (65)

  1. Peter Saunders/ Reply May 17, 2010

    Worked a treat – thanks.

  2. Rick/ Reply June 3, 2010

    Thanks for this! It was driving me nuts trying to figure it out!

  3. Mike/ Reply June 4, 2010

    Thanks, exactly what I was looking for!

  4. Robert/ Reply June 26, 2010

    thx, it was my salvation!

  5. Art/ Reply July 2, 2010

    Thanks a BUNCH ! ! ! ! Exactly what I was looking for….

  6. Mike Breslin/ Reply July 6, 2010

    Thanks! This really saved me.

  7. Patrick/ Reply August 11, 2010

    Wow! That’s exactly what I’m looking for!

  8. Zevargo/ Reply September 24, 2010

    Thank you. Just what I was searching for.

  9. Zevargo/ Reply September 24, 2010

    Thank you.

  10. Tony/ Reply October 6, 2010

    Thanks for this info. It helped a lot!

  11. Harry/ Reply October 26, 2010

    Thanks. That helped.

  12. Troy/ Reply November 5, 2010

    Thank you, thank you, and thank you!

  13. Richard/ Reply November 8, 2010

    Must be more to it, I have 7 users and all can access through Remote Desktop except 1
    I did verify this and still have 1 that cannot connect?

  14. Mirbek/ Reply November 10, 2010

    Thank you so much! I was pulling off my hair until I found this.

  15. Alitet/ Reply December 15, 2010

    THANX!!! What’s the Remote Desktop Users group for, then? MS is like a lovely wife. You hate her but you cannot live without her.

  16. josh/ Reply December 29, 2010

    Thank you!

  17. Heidi/ Reply January 26, 2011

    Thnx for this solution!! Really helped me out!

  18. Carl/ Reply February 10, 2011

    Wow, thanks. Had this issue for a while and finally Googled it again.
    This worked!!
    So many other top hits miss the boat entirely.
    I appreciate your help.

  19. Warren/ Reply February 10, 2011

    While you are in the Group Policy editor, why not add the group “Remote Desktop users” to that list, and then just put people into that group when they need to get access to the server remotely?
    I find it easier to add people to a group than to go into gpedit every time.
    Just a thought.

  20. Dan/ Reply February 12, 2011

    Legend – this has been making my head hurt for days!

  21. Izhar Saharuddin/ Reply February 13, 2011

    Thank you. You have saved me a lot of time on this.

  22. André/ Reply February 14, 2011

    Thank you!

  23. Bill/ Reply March 11, 2011

    The Remote Desktop Users group controls who can connect. The security policy controls who can login once they are connected. Two different things.

  24. Aadithya/ Reply March 21, 2011

    This helped me too! Great! Thanks!!!

  25. Marvin/ Reply March 22, 2011

    YOU ARE AWESOME!!! It worked!

  26. Steve0/ Reply March 28, 2011

    Thanks!

  27. George/ Reply April 6, 2011

    Thanks so much for this solution. Fixed the issues right away.

  28. Edwin/ Reply April 13, 2011

    Thanks! It really saves me.

  29. Stefan in Sweden/ Reply May 13, 2011

    Thanks

  30. Jeevan/ Reply May 18, 2011

    Thanks it works.

  31. jalel/ Reply May 19, 2011

    Thank you very much!!!
    But why do we have to use GPO?
    It has to work when users belong to the Remote Desktop Users group!!

  32. Ricardo/ Reply May 20, 2011

    Excellent! That solved the problem I had. Thanks for offering such a clean and direct solution.

  33. John Jayaseelan/ Reply May 25, 2011

    Thanks a lot, You saved my day :)

  34. Ajay/ Reply May 30, 2011

    Thanks!

  35. Jodie/ Reply June 7, 2011

    Thanks a lot :)

  36. amin/ Reply June 12, 2011

    YOU ARE AWESOME

  37. Ashish Mishra/ Reply June 19, 2011

    Thx ton this is desired solution.

  38. kejjer/ Reply June 22, 2011

    Thanks. I have to say I install servers about once a month now, but I always struggle with this part and have to google it when dealing with TS on the domain controllers.
    Thanks so much. Your page is the best I have found in the last several years.

  39. Peter/ Reply July 2, 2011

    Thanks. this post is a savior!!

  40. mercy/ Reply July 27, 2011

    Thanks so much, the information saved me and my colleague much time to figure out

  41. sandeep/ Reply August 7, 2011

    Thanks!

  42. barun/ Reply August 8, 2011

    Thanks, it is very helpful to me.

  43. Kevin/ Reply September 2, 2011

    The reason you wouldn’t want to put the Remote Desktop Users group into the policy is because they’re designed to control two different things. If you want an entire group to have remote login access create a new group, put everyone you want in there, and add that group to the policy.

  44. Manny Pacquio/ Reply September 5, 2011

    U r the man!

  45. Farhan/ Reply September 11, 2011

    Thanks mate! saved my time as well.. :)

  46. geeth/ Reply September 21, 2011

    Thank you so much. almost you saved my job.

  47. Anil/ Reply September 26, 2011

    But where do we have to follow these steps? Is it on the local client system or on the domain controller? And why does it happen to a particular member while other users have the same rights and the same access? They don’t require Domain Admin rights to take a remote of a particular server.

  48. MassiveLoop/ Reply September 28, 2011

    When a server has the Domain Controller role added, by default, the server deactivates the ability for anyone (including Remote DT Users) to access it remotely except of course Admins. That is why this step is needed at the local (server OS) level as opposed to the global user level.
    The reason for the server to default to this is because of the over-privileged access one may obtain to network resources.
    Great post! I know this will help many new small net Admins.
    As a side note, having an all-in-one server is good for practicing and SOHO LANs but once you get to the enterprise level it’s a good idea to keep your domain controller separate from your terminal server (remote DT). This will reduce the possibility of malicious network wide attacks.

  49. Tim/ Reply October 1, 2011

    Fantastic info, I searched for ages in TechNet and could not come close to this answer, I thought I was going to go insane. Thanks for the info, it works great. I did add the Remote Desktop Users Group and not individual users and that method works a treat too.

  50. Peter/ Reply October 25, 2011

    Way to go! It worked perfectly :)

  51. eric/ Reply December 5, 2011

    Thank you so much, it worked like magic. It was driving me crazy for a while

  52. Charith/ Reply December 13, 2011

    it’s working thanks…….

  53. Tim Fiandola/ Reply December 15, 2011

    THANK YOU!!!!

  54. Dan Erbs/ Reply December 26, 2011

    Thanks, it worked

  55. Gary Ramos/ Reply January 2, 2012

    thank you very much for this info

  56. Richard/ Reply January 8, 2012

    Perfect – thank you!

  57. Dirk/ Reply January 10, 2012

    Still doesn’t work. Trying to get RDS to work, and nothing.

  58. Jon/ Reply January 31, 2012

    Thanks, tried many other group policy settings, but this one finally fixed the problem!

  59. laxman/ Reply February 1, 2012

    nice thank you very much for info

  60. Cole/ Reply February 2, 2012

    Perfect!! Thank you! I was Googling for hours before I found this. 30 seconds to fix ;)

  61. Nige/ Reply February 15, 2012

    Any thoughts why my option to change who can access the server is greyed out? Cannot add or remove names or groups.

  62. Sherri/ Reply February 24, 2012

    What if it’s grayed out? I’ve logged on (remotely) with local admin and domain admin and still can’t access it. Do you have to set this while physically at the station?

  63. SeismicMike/ Reply March 8, 2012

    Thanks for this tutorial. Bookmarked. I know I’ll be back here. I love how Windows says “By default, the Remote Desktop Users group has this right” when it doesn’t. Typical Redmond, I guess =/

  64. G.Ashraf Ali/ Reply March 13, 2012

    Thanks, this is what I was looking for.

  65. Marco/ Reply April 3, 2012

    It works correctly, thanks a lot
