0

I am trying to set up an Active Directory so that "Domain Users" can log in via RDP. If I assign the role "Domain Admin" to the user, they can log in via RDP no problem, but when I follow many tutorials (this one included) it will not work (says user not added to RD services). To date I have only gotten this to work by assigning "Domain Admin" to the user, which is not something I want to do for every AD user...

So my question is what does the Domain Admin (or local admin) have that I need to add to my AD users?

UPDATE: So it turns out my issue was that I didn't apply the GPO to "Domain Computers" but only to "Domain Users".

Shoutout to @joeqwerty, he knows his stuff and while my issue was more human error, his advice is sound and correct.

Matthew Peters

2 Answers

9

There are two components required for users to log on to a server via RDP: User Rights and Permissions.

Rights: Users must have the "Allow logon through Remote Desktop Services" user right.

Permissions: Users must have the "User Access" and "Guest Access" permission set to Allow on the RDP-Tcp protocol.

By default, users or groups in the local Remote Desktop Users group have both the correct user rights and permissions.

You need to add the domain users or domain groups that you want to be able to log on via RDP to the local Remote Desktop Users group.

If this is a Domain Controller then the users or groups must be added to the domain Built-in Remote Desktop Users group in order to allow logon via RDP to Domain Controllers.

If you've added your domain users or groups to the local Remote Desktop Users group but haven't rebooted the server, you need to reboot before that change will take effect.

joeqwerty
  • It's actually quite curious that you are on here... I was using your response to a thread here (https://www.petri.com/forums/forum/microsoft-networking-services/active-directory/68460-remote-desktop-gpo-allowed-users-still-denied) but still no dice. I do grant the 'right' as described as well as the perm (as shown in the tutorial in my question) – Matthew Peters May 25 '16 at 20:07
  • Are any of these servers Domain Controllers? Are you adding the users/groups to the local Remote Desktop Users group on the actual servers in question? – joeqwerty May 25 '16 at 20:09
  • I have two servers: one is the DC and the other vanilla (domain joined). I added a new group and added my user to that group. I then made a GPO on the DC for the domain which is the "Allow logon through Remote Desktop Services" right you described and added my group to that right. I then ran GPUpdate /force but no dice. – Matthew Peters May 25 '16 at 20:13
  • OK, you've got several things going on. When you added your user account to the group did you log off and log back on? Changes to your group membership require you to log off and back on to reflect those changes. Additionally, if one of the servers is a DC then you need to add your user account or group to the domain Built-in Remote Desktop Users group as DCs don't have local groups. Finally, check the user right on each server to make sure that your GPO changes have actually configured that right on each server. – joeqwerty May 25 '16 at 20:22
  • Hey just wanted to update. Your advice was good and sound but it turns out that I just forgot to apply the GPO to the domain **Computers** (was just applying to domain users) – Matthew Peters Jul 26 '16 at 01:39
  • Glad you got it sorted out. – joeqwerty Jul 26 '16 at 01:42
  • Me too! It was a long process and I actually solved it later (triaged the issue away initially) when a simple GPO to add a desktop shortcut didn't work either; turns out it was the same issue. – Matthew Peters Jul 26 '16 at 01:43
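The three checks this answer describes (group membership, the user right as it actually resolved on the box, and the RDP-Tcp permissions), scripted for a domain-joined member server. This is an added example, not code from the answer or the poster; the domain name CONTOSO and the group name RDP-Allowed are hypothetical placeholders. Run it in an elevated PowerShell session on the server you are trying to reach.

```powershell
# Added example, not code from the answer or the poster. Audits the three items
# the answer lists on a domain-joined member server and adds a domain group to
# the local Remote Desktop Users group. Names are hypothetical: domain CONTOSO,
# group "RDP-Allowed". Run in an elevated PowerShell on the target server.
param(
    [string]$Domain = 'CONTOSO',
    [string]$Group  = 'RDP-Allowed'
)

$rduSid = 'S-1-5-32-555'    # well-known SID of BUILTIN\Remote Desktop Users
$member = "$Domain\$Group"

# 1. Membership of the local Remote Desktop Users group.
#    On a Domain Controller this cmdlet fails: DCs have no local groups, so use
#    Add-ADGroupMember -Identity 'Remote Desktop Users' -Members $Group there.
$current = Get-LocalGroupMember -SID $rduSid | Select-Object -ExpandProperty Name
if ($current -notcontains $member) {
    Add-LocalGroupMember -SID $rduSid -Member $member
    Write-Host "Added $member to Remote Desktop Users (members must log off/on to pick it up)"
} else {
    Write-Host "$member is already in Remote Desktop Users"
}

# 2. The user right as actually resolved on this machine, local policy and GPO
#    combined. secedit writes the effective policy to an .inf; the right's
#    internal name is SeRemoteInteractiveLogonRight and holders are '*'-prefixed SIDs.
$inf = Join-Path $env:TEMP 'rdp-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
Remove-Item $inf
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}
$groupSid = ([System.Security.Principal.NTAccount]$member).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
if ($holders -contains $rduSid -or $holders -contains $groupSid) {
    Write-Host "Allow log on through Remote Desktop Services is held by: $($holders -join ', ')"
} else {
    # This is the state the poster was in: the GPO never reached the computer,
    # so the Computer Configuration setting was never applied on the server.
    Write-Warning "Neither Remote Desktop Users nor $member holds SeRemoteInteractiveLogonRight on $env:COMPUTERNAME; check where the GPO is linked and filtered"
}

# 3. Permissions on the RDP-Tcp listener (what the GUI shows as User Access /
#    Guest Access). Each entry is an account with a permission bitmask; the
#    listener defaults already grant Remote Desktop Users what it needs.
Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSAccount -Filter "TerminalName='RDP-Tcp'" |
    Select-Object AccountName, SID, PermissionsAllowed, PermissionsDenied |
    Format-Table -AutoSize
```

Step 2 is the one the answer's last comment asks for ("check the user right on each server"): it reads the policy the machine actually holds, so a GPO that was written correctly but never delivered shows up as a missing SID rather than as a correct-looking GPMC screen.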
0

Through Group Policy Management you can create a GPO (or use an existing one) that covers all of the machines required and add the following setting:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment

Add "Domain Users" to "Allow log on through Remote Desktop Services"

All users will be able to log on remotely once the computers have refreshed their group policies.
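Creating, linking and verifying that GPO from PowerShell, with the check that would have caught the poster's mistake: the setting lives under Computer Configuration, so the GPO has to reach the computer objects, both through where it is linked and through its security filtering. This is an added example, not code from the answer; the domain contoso.local, the OU "OU=Servers,DC=contoso,DC=local", the GPO name "RDP Logon Right" and the server SRV01 are hypothetical placeholders.

```powershell
# Added example, not code from the answer. Creates the GPO, links it to the OU
# that holds the computers, checks that computers can apply it, and confirms it
# landed on a target server. Hypothetical names: domain contoso.local, OU
# "OU=Servers,DC=contoso,DC=local", GPO "RDP Logon Right", server SRV01.
# Run on a machine with the GroupPolicy module (RSAT or a DC).
Import-Module GroupPolicy

$gpoName   = 'RDP Logon Right'
$serversOu = 'OU=Servers,DC=contoso,DC=local'
$server    = 'SRV01'

# Create the GPO if missing. The User Rights Assignment value itself has no
# GroupPolicy cmdlet; set "Allow log on through Remote Desktop Services" once
# in the GPMC editor at the path given in the answer.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Grants Domain Users SeRemoteInteractiveLogonRight'
}

# Link it where the computer objects live, not where the user objects live.
# Keep Domain Controllers out of this OU: the same link there would let every
# domain user log on interactively to a DC.
$linked = (Get-GPInheritance -Target $serversOu).GpoLinks | ForEach-Object { $_.DisplayName }
if ($linked -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $serversOu -LinkEnabled Yes | Out-Null
}

# Security filtering: the computer account must be allowed to apply the GPO.
# A filter that lists only "Domain Users" excludes computers (they are not
# members of it), which is the poster's mistake. Authenticated Users (the
# default) or Domain Computers both cover the machines.
$apply = Get-GPPermission -Name $gpoName -All | Where-Object { $_.Permission -eq 'GpoApply' }
$apply | ForEach-Object { 'Apply: {0}' -f $_.Trustee.Name }
$computersCovered = $apply | Where-Object {
    $_.Trustee.Name -match '^(.*\\)?(Authenticated Users|Domain Computers)$'
}
if (-not $computersCovered) {
    Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# Show every container the GPO is linked to, so a stray link to a users OU stands out.
[xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml
$report.GPO.LinksTo | ForEach-Object { '{0} (enabled: {1})' -f $_.SOMPath, $_.Enabled }

# Refresh the computer half of policy on the target and confirm the GPO is
# listed under the computer scope; a users-only link would only ever show
# under /scope:user, where this setting does nothing.
$result = Invoke-Command -ComputerName $server -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    gpresult /scope:computer /r
}
if ($result -match [regex]::Escape($gpoName)) {
    Write-Host "$gpoName is applied to the computer $server"
} else {
    Write-Warning "$gpoName is not among the applied computer GPOs on $server; check the link target and security filtering"
}
```

Security filtering decides which computers apply the GPO; the group named inside the setting decides who receives the right on those computers. Granting the right to all of "Domain Users" on every linked server is a broad grant, so in practice the setting is usually pointed at a dedicated group such as the one the poster created, and only the machines in the linked OU are affected.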