How to grant ‘Allow log on through Terminal Services Right’
Warning
This blog post is included for archival purposes and may contain outdated information. While it provides historical insights, we strongly recommend that you double-check the details before relying on any of the information outlined here.
To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Destop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop User group does not have ths right, you must be granted this right manually.
We were setting up remote access for a user on a domain controller for some tests. This user was not an admin (but belonged to the Remote Desktop Users) and kept getting the same error message above. Setting this user to domain admin solved the problem, but of course I did not want to make any remote user a domain admin.
It so happens that it is not enough for a user to belongs to the Remote Desktop Users to gain the rights it needs. Here is how you fix this:
Open gpedit.msc (the local group policy editor)
Expand Local Computer Policy –> Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> User Rights Management
Look for the setting on the right called Allow log on through Remote Desktop Services
Double click this policy
Add the user/group you would like to have remote access to the box.
Once this was done, the user was able to connect w/o hassles.
Christian is a seasoned computer engineer with a rich career spanning collaborations with industry leaders such as Artinsoft (now Mobilize.net), Microsoft, HP, and Intel. As a technical evangelist and trainer, Christian honed his expertise in Costa Rica and Seattle, delivering impactful solutions and sharing his knowledge.
Now based in Sydney, Australia, Christian channels his passion into web development, leading a talented team to tackle diverse projects with innovation and precision. His commitment to crafting exceptional digital experiences reflects his deep-rooted enthusiasm for technology and problem-solving.
Comments
negrofeo says:
Muchas gracias por la información la verdad es que fue de gran ayuda.
Jake says:
Thanks Christian, worked like a champ!
mrbrown says:
This worked! after only an hour trying to figure it out with other sites. thank you
mendy says:
worked for me too. thanks!
Hussain says:
Thanks, wonderful post
Praful Soni says:
What if it’s grayed out? I’ve logged on (remotely) with local admin and domain admin and still can’t access it. Do you have to set this while physically at the station?
Christian says:
All the work I was doing back was done connecting remotely to the machine or using remote management, I doubt that’s the reason why you are seeing it greyed out. Maybe some other policy is affecting what you can see/change?
soni says:
Grayed out means I am not able to click on “add user/group” button (its disabled).
I logged in using VNC Viewer as local as well as domain administrator but result is same.
Umair says:
Great!
Marco says:
It works correctly, thanks a lot
G.Ashraf Ali says:
Thanks , this is what i looking for.
SeismicMike says:
Thanks for this tutorial. Bookmarked. I know I’ll be back here. I love how Windows says “By default, the Remote Desktop Users group has this right” when it doesn’t. Typical Redmond, I guess =/
Sherri says:
What if it’s grayed out? I’ve logged on (remotely) with local admin and domain admin and still can’t access it. Do you have to set this while physically at the station?
Nige says:
Any thoughts why my option to change who can access to the server is greyed out. Cannot add or remove name or groups
Cole says:
Perfect!! Thank you! I was Googling for hours before I found this. 30 seconds to fix 😉
laxman says:
nice thank you very much for info
Jon says:
Thanks, tried many other group policy settings, but this one finally fixed the problem!
Dirk says:
Still doesnt work. Trying to get RDS to work- and nothing.
Richard says:
Perfect – thank you!
Gary Ramos says:
thank you very much for this info
Dan Erbs says:
Thanks ,it worked
Tim Fiandola says:
THANK YOU!!!!
Charith says:
it’s working thanks…….
eric says:
Thank you so much, it worked like magic. It was driving me crazy for a while
Peter says:
Way to go! It worked perfectly 🙂
Tim says:
Fantastic info, I search for ages in technet and could not come close to this answer, I thought I was going to go insane. Thanks for the info it works great. i did add the Remote Desktop Users Group and not induvidual users and that method works a treat too.
MassiveLoop says:
When a server has the Domain Controller role added, by default, the server deactivates the ability for anyone(including Remote DT Users) to access it remotely except of course Admins. That is why this step is needed at the local(server OS) level as opposed to the global user level.
The reason for the server to default to this is because of the over-privileged access one may obtain to network resources.
Great post! I know this will help many new small net Admins.
As a side note, having an all-in-one server is good for practicing and SOHO LANs but once you get to the enterprise level its a good idea to keep your domain controller separate from your terminal server(remote DT). This will reduce the possibility of malicious network wide attacks.
Anil says:
But where we have to follow this steps ?…is it on local client system or on Domain controller. and why does it happens to particular member while even other users having same right and same access…they dont required Domain Admin rights to take a remote of particular server.
geeth says:
Thank you so much. almost you saved my job.
Farhan says:
Thanks mate! saved my time as well.. 🙂
Manny Pacquio says:
U r the man!
Kevin says:
The reason you wouldn’t want to put the Remote Desktop Users group into the policy is because they’re designed to control two different things. If you want an entire group to have remote login access create a new group, put everyone you want in there, and add that group to the policy.
barun says:
Thanks it is very help full to me,
sandeep says:
Thanks!
mercy says:
Thanks so much, the information saved me and my colleague much time to figure out
Peter says:
Thanks. this post is a savior!!
kejjer says:
Thanks–I have to say I install servers about once month now –but I always struggle with this part and have to google it when dealing with TS on the domain controllers.
Thanks so much–your page is the best I have found in the last several years.
Ashish Mishra says:
Thx ton this is desired solution.
amin says:
YOU ARE AWESOME
Jodie says:
Thanks a lot 🙂
Ajay says:
Thanks!
John Jayaseelan says:
Thanks a lot, You saved my day 🙂
Ricardo says:
Excellent! That solved the problem I had. Thanks for offering such a clean and direct solution.
jalel says:
thank you very much !!!
but why do we have to use gpo ?
it has to work when users belong to Remote Desktop Users group !!
Jeevan says:
Thanks it works.
Stefan in Sweden says:
Thanks
Edwin says:
Thanks! It really saves me.
George says:
Thanks so much for this solution. Fixed the issues right away.
Steve0 says:
Thanks!
Marvin says:
YOU ARE AWESOME!!! It worked!
Aadithya says:
This helped me too! Great! Thanks!!!
Bill says:
The Remote Desktop Users group controls who can connect. The security policy controls who can login once they are connected. Two different things.
Thank you. You have saved me a lot of time on this.
Dan says:
Legend – this has been making my head hurt for days!
Warren says:
While you are in the Group Policy editor, why not add the group “Remote Desktop users” to that list, and then just put people into that group when they need to get access to the server remotely?
I find it easier to add people to a group than to go into gpedit every time.
Just a thought.
Carl says:
Wow, thanks. Had this issue for a while and finally Googled it again.
This worked!!
So many other tops hits misses the boat entirely.
I appreciate your help.
Heidi says:
Thnx for this solution!! Really helped me out!
josh says:
Thank you!
Alitet says:
THANX!!! What’s for Remote Desktop Users group then? MS like a lovely wife. You hate her but you can not live without her.
Mirbek says:
Thank you so much! I was pulling off my hair until I found this.
Richard says:
Must be more to it, I have 7 users and all can access through Remote Desktop except 1
I did verified this and still have 1 that cannot connect?
Troy says:
Thank you, thank you, and thank you!
Harry says:
Thanks. That helped.
Tony says:
Thanks for this info. It helped a lot!
Zevargo says:
Thank you.
Zevargo says:
Thank you. Just what I was searching for.
Patrick says:
Wow! That’s exactly what I’m looking for!
Mike Breslin says:
Thanks! This really saved me.
Art says:
Thanks a BUNCH ! ! ! ! Exactly what I was looking for….
Robert says:
thx, it was my salvation!
Mike says:
Thanks, exactly what I was looking for!
Rick says:
Thanks for this! It was driving me nuts trying to figure it out!
Peter Saunders says:
Worked a treat – thanks.
Comments are closed
ScorpioTek, based in Sydney, Australia, is a seasoned web development firm with a proven track record of delivering cutting-edge, user-friendly websites for a diverse range of clients.
Thank you for your interest. Please fill out this form to provide us with your contact information. We'll get back to you as soon as possible.
negrofeo says:
Muchas gracias por la información la verdad es que fue de gran ayuda.
Jake says:
Thanks Christian, worked like a champ!
mrbrown says:
This worked! after only an hour trying to figure it out with other sites. thank you
mendy says:
worked for me too. thanks!
Hussain says:
Thanks, wonderful post
Praful Soni says:
What if it’s grayed out? I’ve logged on (remotely) with local admin and domain admin and still can’t access it. Do you have to set this while physically at the station?
Christian says:
All the work I was doing back was done connecting remotely to the machine or using remote management, I doubt that’s the reason why you are seeing it greyed out. Maybe some other policy is affecting what you can see/change?
soni says:
Grayed out means I am not able to click on “add user/group” button (its disabled).
I logged in using VNC Viewer as local as well as domain administrator but result is same.
Umair says:
Great!
Marco says:
It works correctly, thanks a lot
G.Ashraf Ali says:
Thanks , this is what i looking for.
SeismicMike says:
Thanks for this tutorial. Bookmarked. I know I’ll be back here. I love how Windows says “By default, the Remote Desktop Users group has this right” when it doesn’t. Typical Redmond, I guess =/
Sherri says:
What if it’s grayed out? I’ve logged on (remotely) with local admin and domain admin and still can’t access it. Do you have to set this while physically at the station?
Nige says:
Any thoughts why my option to change who can access to the server is greyed out. Cannot add or remove name or groups
Cole says:
Perfect!! Thank you! I was Googling for hours before I found this. 30 seconds to fix 😉
laxman says:
nice thank you very much for info
Jon says:
Thanks, tried many other group policy settings, but this one finally fixed the problem!
Dirk says:
Still doesnt work. Trying to get RDS to work- and nothing.
Richard says:
Perfect – thank you!
Gary Ramos says:
thank you very much for this info
Dan Erbs says:
Thanks ,it worked
Tim Fiandola says:
THANK YOU!!!!
Charith says:
it’s working thanks…….
eric says:
Thank you so much, it worked like magic. It was driving me crazy for a while
Peter says:
Way to go! It worked perfectly 🙂
Tim says:
Fantastic info, I search for ages in technet and could not come close to this answer, I thought I was going to go insane. Thanks for the info it works great. i did add the Remote Desktop Users Group and not induvidual users and that method works a treat too.
MassiveLoop says:
When a server has the Domain Controller role added, by default, the server deactivates the ability for anyone(including Remote DT Users) to access it remotely except of course Admins. That is why this step is needed at the local(server OS) level as opposed to the global user level.
The reason for the server to default to this is because of the over-privileged access one may obtain to network resources.
Great post! I know this will help many new small net Admins.
As a side note, having an all-in-one server is good for practicing and SOHO LANs but once you get to the enterprise level its a good idea to keep your domain controller separate from your terminal server(remote DT). This will reduce the possibility of malicious network wide attacks.
Anil says:
But where we have to follow this steps ?…is it on local client system or on Domain controller. and why does it happens to particular member while even other users having same right and same access…they dont required Domain Admin rights to take a remote of particular server.
geeth says:
Thank you so much. almost you saved my job.
Farhan says:
Thanks mate! saved my time as well.. 🙂
Manny Pacquio says:
U r the man!
Kevin says:
The reason you wouldn’t want to put the Remote Desktop Users group into the policy is because they’re designed to control two different things. If you want an entire group to have remote login access create a new group, put everyone you want in there, and add that group to the policy.
barun says:
Thanks it is very help full to me,
sandeep says:
Thanks!
mercy says:
Thanks so much, the information saved me and my colleague much time to figure out
Peter says:
Thanks. this post is a savior!!
kejjer says:
Thanks–I have to say I install servers about once month now –but I always struggle with this part and have to google it when dealing with TS on the domain controllers.
Thanks so much–your page is the best I have found in the last several years.
Ashish Mishra says:
Thx ton this is desired solution.
amin says:
YOU ARE AWESOME
Jodie says:
Thanks a lot 🙂
Ajay says:
Thanks!
John Jayaseelan says:
Thanks a lot, You saved my day 🙂
Ricardo says:
Excellent! That solved the problem I had. Thanks for offering such a clean and direct solution.
jalel says:
thank you very much !!!
but why do we have to use gpo ?
it has to work when users belong to Remote Desktop Users group !!
Jeevan says:
Thanks it works.
Stefan in Sweden says:
Thanks
Edwin says:
Thanks! It really saves me.
George says:
Thanks so much for this solution. Fixed the issues right away.
Steve0 says:
Thanks!
Marvin says:
YOU ARE AWESOME!!! It worked!
Aadithya says:
This helped me too! Great! Thanks!!!
Bill says:
The Remote Desktop Users group controls who can connect. The security policy controls who can login once they are connected. Two different things.
André says:
Obrigado !
Izhar Saharuddin says:
Thank you. You have saved me a lot of time on this.
Dan says:
Legend – this has been making my head hurt for days!
Warren says:
While you are in the Group Policy editor, why not add the group “Remote Desktop users” to that list, and then just put people into that group when they need to get access to the server remotely?
I find it easier to add people to a group than to go into gpedit every time.
Just a thought.
Carl says:
Wow, thanks. Had this issue for a while and finally Googled it again.
This worked!!
So many other tops hits misses the boat entirely.
I appreciate your help.
Heidi says:
Thnx for this solution!! Really helped me out!
josh says:
Thank you!
Alitet says:
THANX!!! What’s for Remote Desktop Users group then? MS like a lovely wife. You hate her but you can not live without her.
Mirbek says:
Thank you so much! I was pulling off my hair until I found this.
Richard says:
Must be more to it, I have 7 users and all can access through Remote Desktop except 1
I did verified this and still have 1 that cannot connect?
Troy says:
Thank you, thank you, and thank you!
Harry says:
Thanks. That helped.
Tony says:
Thanks for this info. It helped a lot!
Zevargo says:
Thank you.
Zevargo says:
Thank you. Just what I was searching for.
Patrick says:
Wow! That’s exactly what I’m looking for!
Mike Breslin says:
Thanks! This really saved me.
Art says:
Thanks a BUNCH ! ! ! ! Exactly what I was looking for….
Robert says:
thx, it was my salvation!
Mike says:
Thanks, exactly what I was looking for!
Rick says:
Thanks for this! It was driving me nuts trying to figure it out!
Peter Saunders says:
Worked a treat – thanks.