• Status: Solved

Members of domain admin group can't log into servers / lacking permissions for EMC

Hi guys,

We have a new starter trainee Sys Admin and after giving him membership of the domain admins group he is still getting Allow Log In Through Terminal Services Right.

Would members of the domain admins group not have this automatically?

4 Solutions
Have you ensured that the Domain Admins security group is a part of the local machine administrators?
liminal (Author) Commented:
Yes :)

That's the strange thing, no?

I have also moved the account to an OU so that no GPOs apply.

As long as the group is a member of Administrators it should be fine, no?
liminal (Author) Commented:
It shouldn't need to be a member of Remote Desktop Users as well?

Can he log in through the console?

Also Allow Logon to terminal server. There is a check box on the Terminal Services Profile tab of their account. Use Active Directory Users and Computers to make sure the box is checked.
If you run an RSOP.MSC command and browse to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, are both Administrators and Remote Desktop Users given remote login rights? This is the default setting.
Sandeshdubey (Senior Server Engineer) Commented:
By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to logon remotely to the server.
Now, if you have a user account which is not a part of the Administrators or the Remote Desktop Users groups and you go ahead and add him to the GPO for “Allow Logon through Terminal Services”, they will still not be able to create a successful RDP connection to the server. The reason being that adding a user to this GPO only authorizes him for a Remote Logon to the server but does not give him the permissions to connect to the RDP-Listener.
Adding a user to “Remote Desktop Users” group allows them to create a successful connection to the server. Adding the user to the Remote Desktop users group gives them the “Remote Logon” Rights to machine as the Remote Desktop Users group is already a part of the GPO “Allow Logon through Terminal Services”.
Refer below link for more details:

Note: Ensure that the Remote Desktop Users group is not removed from the policy, else you need to manually add the users. Check the deny logon to terminal permission in the GPO. You can run rsop to check the GPO setting.

Why are you allowing normal users to log in to DCs? I would not recommend the same unless and until there is a strong business requirement. Can you let us know the reason so that we can assist you in a better way?
liminal (Author) Commented:
Just to add, it's a 2008 R2 function level.

And this user is a member of Domain admins.

I have checked the RSOP on that machine and can see nothing about remote login under where you specified.
liminal (Author) Commented:
Thanks everyone for their input. I think I have found the problem.

Please log on to your server as administrator, Start--Run--secpol.msc. In the left pane navigate to Security Settings\Local Policies\User Rights Assignment, in the right pane double-click on Allow log on through Remote Desktop Services, click Add Users or Groups, enter Remote Desktop Users, click OK to save.
After performing the above please test that you can connect using Remote Desktop Connection as a standard user that is a member of RDU group.
liminal (Author) Commented:
My answer was right.
Question has a verified solution.
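
The check this thread converges on, as an added example that is not part of any poster's answer: it exports the server's effective user rights with `secedit`, lists who holds the allow and deny Remote Desktop logon rights, and warns when Administrators or Remote Desktop Users is missing from the allow right. The function name `Get-RdpLogonRight` and the temp file name are hypothetical; run it from an elevated prompt.

```powershell
# Added example (not from the thread). Works on PowerShell 2.0 and later.
# A secedit USER_RIGHTS export contains lines shaped like this (constructed sample):
#   SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
function Get-RdpLogonRight {
    param([string[]]$InfLines)   # lines of a secedit USER_RIGHTS export

    $rights = @{
        SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
        SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    }
    foreach ($line in $InfLines) {
        if ($line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        if (-not $rights.ContainsKey($name)) { continue }
        foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $display = $entry
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs as *S-1-...; resolve to a name where possible
                $sidText = $entry.TrimStart('*')
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                    $display = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $display = $sidText }   # unresolvable SID: show it raw
            }
            New-Object PSObject -Property @{
                Right = $rights[$name]; Principal = $display; Raw = $entry
            }
        }
    }
}

# Export only the user rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$found = @(Get-RdpLogonRight -InfLines (Get-Content $cfg))
Remove-Item $cfg
$found | Format-Table Right, Principal -AutoSize

# Well-known SIDs: S-1-5-32-544 = BUILTIN\Administrators,
#                  S-1-5-32-555 = BUILTIN\Remote Desktop Users
foreach ($sid in '*S-1-5-32-544', '*S-1-5-32-555') {
    $hit = $found | Where-Object { $_.Right -like 'Allow*' -and $_.Raw -eq $sid }
    if (-not $hit) {
        Write-Warning "$sid is not listed under 'Allow log on through Remote Desktop Services'"
    }
}
```

Any principal shown against the deny right overrides the allow right for that account, so review those rows first.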
