"Allow log on through Remote Desktop Services" user right has no effect

I am trying to allow members of a domain security group, GlobalRDP, to RDP into certain Windows 10 PCs. I granted the GlobalRDP group the "Allow log on through Remote Desktop Services" right and that policy has been successfully deployed to the target computers.

Despite this, whenever a member of the GlobalRDP group attempts to login via RDP, they receive the following error: "The connection was denied because the user account is not authorized for remote login". A similar access denied error appears in the RDP log "User is not granted access to this connection' in CUMRDPSecurityStreamCallback::AccessCheck at 5236 err=[0x80070005]".

What made things weirder is that I also removed the RDP right for Administrators and Remote Desktop Users groups that have this right by default and I was still able to RDP in as member of the local Remote Desktop Users group.

Finally, I changed my GPO to add the GlobalRDP group to the local Remote Desktop Users group of the target PCs, and RDP worked. Despite the fact that this local group still wasn't granted the RDP login right!

Here is the setting screen from a Windows 10 workstation:

Allow log on through Remote Desktop Services user right

To address fixes that were offered in similar threads:

  • The GPO is absolutely applied to the target computers. Looking at Local Security Policy -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on through Remote Desktop Services shows only the GlobalRDP group and that the policy set via GPO. The group policy results wizard shows the same thing.

  • Deny log on through Remote Desktop Services is empty (default is empty)

It seems like no matter what I change, only the default groups are granted the RDP login right. Adding the domain global group to the local group on each PC works, but smells weird to me. What did I miss? Why can't I simply manage that privilege using a domain group?


Solution 1:

Permission to establish a remote desktop session and permission to log in when using a remote desktop session are two different things. The user rights assignment settings only affect the latter.

Microsoft do provide documentation on changing the permissions that control who can establish a remote desktop session:

  • How to add a user to Terminal Services RDP permissions by using WMI

  • How to modify or query the RDP connection permissions for Terminal Services

However, I strongly recommend that you don't mess with these settings. As Todd's answer already mentioned, adding domain users and/or groups to the Remote Desktop Users local group is the supported method for granting remote desktop access.

(Incidentally, you also need the "Access this computer from the network" right in order to establish a connection.)

Solution 2:

According to the Microsoft documentation:

To use Remote Desktop Services to successfully log on to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and [emphasis added] be granted the Allow log on through Remote Desktop Services right.

Since the Remote Desktop Users group is granted the Allow log on through Remote Desktop Services right, adding a user or group to that group fulfills both requirements, while simply granting the right does not.

As to why both are required, I don't know.

Note that the same page specifies that the recommended best practice is:

To control who can open a Remote Desktop Services connection and log on to the device, add users to or remove users from the Remote Desktop Users group.