How to sign in through Remote Desktop Services
If you attempt to remote desktop to a Windows server, you may receive the following message, which prevents you from logging in.

Note: This fix applies where Group Policy is enabled and you log in to a domain environment.

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right. If the group you’re in doesn’t have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually.
Applies to

Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting.

Reference

This policy setting determines which users or groups can access the logon screen of a remote device through a Remote Desktop Services connection. It is possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server.

Constant: SeRemoteInteractiveLogonRight

Possible values
Best practices
Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Default values

By default, members of the Administrators group have this right on domain controllers, workstations, and servers. The Remote Desktop Users group also has this right on workstations and servers. The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.
Policy management

This section describes different features and tools available to help you manage this policy.

Group Policy

To use Remote Desktop Services to successfully log on to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and be granted the Allow log on through Remote Desktop Services right. It is possible for a user to establish a Remote Desktop Services session to a particular server, but not be able to log on to the console of that same server.

To exclude users or groups, you can assign the Deny log on through Remote Desktop Services user right to those users or groups. However, be careful when you use this method because you could create conflicts for legitimate users or groups that have been allowed access through the Allow log on through Remote Desktop Services user right. For more information, see Deny log on through Remote Desktop Services.

A restart of the device is not required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update:
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.

Countermeasure

For domain controllers, assign the Allow log on through Remote Desktop Services user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and do not run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups.
Alternatively, you can assign the Deny log on through Remote Desktop Services user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also belong to a group that has the Deny log on through Remote Desktop Services user right.

Potential impact

Removal of the Allow log on through Remote Desktop Services user right from other groups (or membership changes in these default groups) could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected.
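
To check the countermeasure above on a given server, the following PowerShell script exports the machine's user rights assignment from the system security database with secedit and lists every holder of the Allow and Deny RDP logon rights, flagging Allow holders other than Administrators and Remote Desktop Users. It is an added example, not part of the original documentation or tutorial; the function name Get-RdpLogonRight and the $expected baseline are assumptions of this example.

```powershell
# Added example: list holders of the Allow/Deny RDP logon rights on this machine.
# Run elevated. Get-RdpLogonRight and $expected are names chosen for this example.
$expected = 'S-1-5-32-544', 'S-1-5-32-555'   # Administrators, Remote Desktop Users
$rights   = 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'

function Get-RdpLogonRight {
    param([string[]]$InfLines)               # lines of a secedit USER_RIGHTS export
    foreach ($line in $InfLines) {
        # Entries look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
        if ($line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $right, $holders = $Matches[1], $Matches[2]
        if ($rights -notcontains $right) { continue }
        foreach ($entry in ($holders -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $sid = $null
            $account = $entry                # entries without '*' are account names
            if ($entry.StartsWith('*')) {    # secedit writes SIDs as *S-1-...
                $sid = $entry.Substring(1)
                try {
                    $obj = New-Object System.Security.Principal.SecurityIdentifier $sid
                    $account = $obj.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $account = '(unresolved SID)'   # deleted or unreachable principal
                }
            }
            [pscustomobject]@{
                Right      = $right
                Account    = $account
                Sid        = $sid
                # Flag Allow holders outside the baseline; Deny entries are listed for review.
                Unexpected = ($right -eq 'SeRemoteInteractiveLogonRight' -and
                              $expected -notcontains $sid)
            }
        }
    }
}

$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
try {
    Get-RdpLogonRight -InfLines (Get-Content $inf) | Format-Table -AutoSize
} finally {
    Remove-Item $inf -ErrorAction SilentlyContinue
}
```

On a domain controller the countermeasure allows only the Administrators group, so a Remote Desktop Users row there also warrants review even though this baseline does not flag it.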
This tutorial contains instructions to fix the error "To sign in remotely, you need the right to sign in through Remote Desktop Services" when trying to connect from Windows Remote Desktop (RDP) client machines to a Windows Server 2016 that is running Remote Desktop Services.

Problem in detail: Remote Desktop Client users cannot connect remotely (through RDP) to Terminal Server 2016 and receive the error: “To sign in remotely, you need the right to sign in through Remote Desktop Services. By default members of the Administrators group have this right. If the group you’re in does not have the right, or if the right has been removed from the Administrators group, you need to be granted the right manually.”

How to FIX: To sign in remotely, you need the right to sign in through Remote Desktop Services.

To resolve the "To sign in remotely, you need the right to sign in through Remote Desktop Services" error, apply the following actions on the Remote Desktop Services (RDS) Server 2016:

Step 1. Add Remote Desktop Users to the Remote Desktop Users Group.

1. Open Server Manager.
* Note: If the RD Session Host Server is not installed on the Domain Controller, use the 'Local Users and Groups' snap-in or the 'Remote' tab in 'System Properties' to add the remote desktop users.
3. Double-click your domain on the left and then select Builtin.
5. At the Members tab, click Add.
6. Type the AD users that you want to give remote access to the RDS Server and click OK.
7. After selecting the remote desktop users, click OK again to close the window.
8. Continue to Step 2 below.

Step 2. Allow the log on through Remote Desktop Services.

1. Open Group Policy Editor. To do that:
2. In Group Policy Editor, navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
3. In the right pane, double-click Allow log on through Remote Desktop Services.
4. Click Add User or Group.
5. Type remote and then click Check Names.
6. Select the Remote Desktop Users and click OK.
7. Click OK at the 'Select users, computers…' window.
8. Finally, click OK again and close Group Policy Editor.
9. Now try to connect from the remote desktop client. The remote sign-in problem should be solved now. *

* Notes:
2. (Thanks to 'Jeff Flora' for his comment/solution): If, after updating the Group Policy settings, the problem is not resolved, apply the following modification in Group Policy Editor: