tolinrome asked:

Allow log on through Terminal Services right

A user cannot RDP into a server. From what I understand, the user should be able to log on to the server since he is in the builtin security group called "Remote Desktop Users", correct?
I checked the GPO's "Default Domain Policy" and there is no "Allow logon Policy" specified and I went on the "Default Domain Controllers Policy" and the "Allow log on locally" policy has a few builtin groups but not the "Remote Desktop Users".

The user is getting the error "To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually"

How can I make sure that I have a security group (builtin or not) that can give users the ability to RDP into servers?

I then created a new GPO and applied it to the servers OU and assigned it the "Allow log on through Remote Desktop Services" and added the security group that the user is in and he still gets the same error message.

Can someone please explain to me in detail the meaning and difference between all these groups and terms and what needs to be applied manually and what happens builtin (automatically):

- Remote Desktop Users Group (Builtin)
- Allow logon through terminal services
- Remote Desktop Users Group (in the Groups on the server locally)
- Allow log on through Remote Desktop Services (Policy)

And anything else I may need to understand about this.
Thank you!!!
Lazarus

Try using the TermServerUsers instead. That should work for you.
percheu

On the target server, open the Group Policy Management console (gpedit.msc). Navigate to the “Default Domain Controllers Policy” or the policy of the specific machine you wish Terminal Services users to be able to log on to. Right-click on it and choose Edit… then go to:

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

In the right-hand pane, locate the entry “Allow Log on through Terminal Services” and double-click on it.

Click “Add User or Group..”

Enter “Everyone” (without the quotes) into the text box and click “Check Names”

After the name is underlined, click OK

Click OK

For more security, you might prefer to replace “Everyone” with “Administrators” and “Remote Desktop Users”, but if it doesn’t work with Everyone, your problem lies elsewhere.
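
A read-only check to run on the target server after the policy change described above (an added example, not part of percheu's answer). It assumes an elevated PowerShell 5.1+ session on a member server; the helper name `Get-RightHolders` and the scratch file name are made up for this example.

```powershell
# Added example. Assumes an elevated PowerShell 5.1+ session on a member server.
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'   # scratch file name chosen here
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Get-RightHolders([string]$Right) {   # hypothetical helper, not a built-in cmdlet
    # Export lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }                # right not defined: nobody holds it
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        $sid = $null; $name = $entry          # secedit may also write plain account names
        if ($entry.StartsWith('*')) {
            $sid = $entry.TrimStart('*')
            try {
                $id = New-Object System.Security.Principal.SecurityIdentifier $sid
                $name = $id.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved SID)' }
        }
        [pscustomobject]@{ Right = $Right; Sid = $sid; Name = $name }
    }
}

# "Allow log on through Terminal Services / Remote Desktop Services" and its Deny twin
$allow = @(Get-RightHolders 'SeRemoteInteractiveLogonRight')
$deny  = @(Get-RightHolders 'SeDenyRemoteInteractiveLogonRight')
$allow + $deny | Format-Table -AutoSize

# Group membership only helps if the group itself holds the right.
$rduSid = 'S-1-5-32-555'                      # well-known SID of BUILTIN\Remote Desktop Users
if ($allow.Sid -notcontains $rduSid) {
    Write-Warning 'Remote Desktop Users does not hold the allow right on this server.'
}
Get-LocalGroupMember -SID $rduSid | Select-Object Name, ObjectClass, PrincipalSource

# Flag grants as broad as the "Everyone" test in the answer above.
$broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users
$allow | Where-Object { $broad -contains $_.Sid } |
    ForEach-Object { Write-Warning "Broad principal holds the RDP logon right: $($_.Name)" }

# Show which GPOs actually applied to the computer.
gpresult /r /scope computer
```

An account listed under the Deny right is refused even when it also appears under the allow right.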
tolinrome (ASKER)

Thanks but can someone please explain what I asked in my question? Percheu - what you suggested is what I already did with the remote desktop users group and I even added the security group to the Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment on the GPO I created and assigned it to the OU where the servers are.
- What does the builtin Server Operators group do?
- Remote Desktop Users Group (Builtin)
- Allow logon through terminal services
- Remote Desktop Users Group (in the Groups on the server locally)
- Allow log on through Remote Desktop Services (Policy)

How do all of these work in conjunction with each other? Just trying to figure out how to apply permissions.
Anyone?
yo_bee
Have you looked at this setting?

User generated image
Add the users/groups to this setting and you should be able to log on.
ASKER CERTIFIED SOLUTION
DrDave242

This solution is only available to members.
Thanks for explaining and not just answering.