
I've been having a problem recently where I have a VM running Windows Server 2012 which is connected to a DC running the same OS. On the DC I have ADUC running with all of my users configured and added into the Remote Desktop Users group, but for some reason whenever I log into the VM using the DOMAINNAME/user prefix I get "The connection was denied because the user account is not authorised for remote log-in".

The only way of resolving this is to log into the VM as an admin and use the following command:

`net localgroup "Remote Desktop Users" "UserName" /add`

Surely creating the user through AD and adding them into the Remote Desktop Users group would authenticate them to log into the VM?

`surely creating the user through AD and adding them into the Remote Desktop user group would authenticate them to log into the VM?` No. It needs to be the local group. – Greg Askew Mar 24 '20 at 13:51

2 Answers


Best practice is to use groups instead of adding many users directly onto the server.

Create a new AD Group. Add desired users (you can also select 'all authenticated users' to catch everyone) to that group. Add that new AD group as a member of the local Remote Desktop Users group on the server(s) you want.

If you have numerous servers, you can also make a GPO that adds that AD group to the local Remote Desktop Users group of all member servers.

PSn00b

The Remote Desktop Users group in Active Directory doesn't actually do anything; it's there only due to a technical reason (*).

In order to RDP into a machine, the user needs to be a member of the local Remote Desktop Users group on the target machine.

Or, to be more exact, the user needs the Allow log on through Remote Desktop Services right, which by default is granted to the Administrators and Remote Desktop Users local groups.

You can use a GPO to either 1) put domain users or groups in the Remote Desktop Users local group on multiple machines, or 2) directly grant the Allow log on through Remote Desktop Services right to domain users or groups.

And yes, you can create a GPO that grants the Allow log on through Remote Desktop Services right to the domain Remote Desktop Users group; that would actually accomplish what you thought to be true by default.


(*) The reason is, when you create a domain, all local users and groups on the machine which becomes the first domain controller are transformed into Active Directory users and groups; but this doesn't grant them any actual permission.

Massimo
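An added example, not part of either answer, that turns the diagnosis above into a check you can run on the target server: it lists who currently holds the "Allow log on through Remote Desktop Services" right (SeRemoteInteractiveLogonRight), lists the local Remote Desktop Users membership, and then nests a domain group in the local group as both answers recommend. It assumes an elevated PowerShell 5.1 session (for the Microsoft.PowerShell.LocalAccounts cmdlets) and an AD group named CONTOSO\RDP-Users, which is a placeholder.

```powershell
# Run elevated on the server you are trying to RDP into.
param(
    [string]$DomainGroup = 'CONTOSO\RDP-Users'   # assumed AD group name, replace with yours
)

# 1. Who holds SeRemoteInteractiveLogonRight on this machine?
#    secedit exports the effective local policy; the value is a comma-separated
#    list of SIDs prefixed with '*' (default: *S-1-5-32-544,*S-1-5-32-555).
$cfg = Join-Path $env:TEMP 'rdp-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeRemoteInteractiveLogonRight*' }
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim().TrimStart('*')
        if ($e -match '^S-1-') {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier $e
                $holders += $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $holders += "$e (unresolved SID)" }
        } else {
            $holders += $e   # already a name
        }
    }
}
Write-Host 'Allow log on through Remote Desktop Services is granted to:'
$holders | ForEach-Object { Write-Host "  $_" }

# 2. Who is in the local Remote Desktop Users group (S-1-5-32-555)?
#    A domain account only gets in through this group (or a group nested in it).
$members = Get-LocalGroupMember -Group 'Remote Desktop Users'
Write-Host 'Local Remote Desktop Users members:'
$members | ForEach-Object { Write-Host "  $($_.Name) [$($_.PrincipalSource)]" }

# 3. Fix: nest the domain group instead of adding users one at a time
#    (the per-user equivalent of: net localgroup "Remote Desktop Users" USER /add).
if ($members.Name -notcontains $DomainGroup) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $DomainGroup
    Write-Host "Added $DomainGroup to the local Remote Desktop Users group"
} else {
    Write-Host "$DomainGroup is already a member"
}
```

The right is evaluated per machine, so if a GPO manages either the user right or the local group membership, the GPO wins on the next policy refresh and step 3 should be done in the GPO instead.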