Remote Desktop is a feature that you can use to connect to devices remotely. With this feature, you can control other devices as if you had local access. RDP is designed to support different types of network topologies and multiple LAN protocols. In this article we’ll show how to grant RDP access to domain controllers for non-admin user accounts without granting unnecessary rights. Kindly visit these related guides: How to change a password on a Remote Desktop session, How to install and configure VPN on Windows Server 2016, 2019, and 2022, and How to allow saved credentials for RDP connection (dangerous)!
By default, only the members of the Domain Admins group have remote RDP access to the domain controllers. It is also worth noting that the RDP host feature is not available on Windows 10 Home, only on Windows 10 Pro and Enterprise editions. If you do not have a real need to connect to your DC via RDP, please use the Remote Server Administration Tools instead. See these guides on how to install RSAT on Windows Server, and how to install RSAT on Windows 10 via Windows Features.
Note: In an Active Directory environment, the Domain Controller uses the built-in domain group Remote Desktop Users (located in the Builtin container). You can manage this group from the ADUC console or from the command prompt on your Domain Controller. See this guide for the error “The connection was denied because the user is not authorized for remote login“, and how to enable Remote Desktop Connection on Windows 11 for non-administrators or selected users. To enable access for non-admins, please follow the steps below. Here is a link to all troubleshooting guides relating to RDP.
Add the user to the Remote Desktop Users group
This can be achieved in a couple of ways. I will be showing both very shortly. First via Active Directory Users and Computers (ADUC), which can also be launched via dsa.msc. I will recommend you see this guide in order to learn something new: “This computer is a domain controller: The snap-in cannot be used on a domain controller, domain accounts are managed by ADUC snap-in“.
To add a user to the Remote Desktop Users group, launch the Server Manager
– Click on Tools,
– And then on Active Directory Users and Computers
This will open the Active Directory Users and Computers snap-in. Double-click on Remote Desktop Users as shown below.
This will open up the Remote Desktop Users Properties window. Navigate to the Members tab and click on Add to add users.
Enter the user’s name and click on Check Names as shown below. As you can see, the object is present in AD. Click on OK to close the Remote Desktop Users Properties window. You will have to click on OK again.
This is how you can add users to the Remote Desktop Users group on a DC. You may also have to grant “Allow log on through Remote Desktop Services” on the DC if it is not enabled already (see below).
Optional step: How to add users to the Remote Desktop Users via PowerShell or Command Prompt
By default, only administrative users are allowed to remotely connect to your Windows 10 PC through a Remote Desktop connection (RDP), and on a DC, as discussed before, only Domain Admins are permitted.
Open up the Command Prompt as an Administrator.
These commands also work in PowerShell.
– Type the following command and hit Enter. Replace “UserName” with the user account you want to add to the Remote Desktop Users group.
net localgroup "Remote Desktop Users" "UserName" /add
Or with the arguments in the other order, as shown below:
net localgroup "Remote Desktop Users" /add "UserName"
To verify that the user has been added to Remote Desktop Users, please run the command below:
net localgroup "Remote Desktop Users"
As you can see from the figure below, the user “RDP1” has been added to the Remote Desktop Users group.
If you need to remove a user from the Remote Desktop Users group, run the command below, replacing “UserName” with the username in your environment.
net localgroup "Remote Desktop Users" "UserName" /delete
Or via the ADUC snap-in: on the Members tab, click on the user and select Remove.
Allow logon through Remote Desktop Services via the Local Policy
To log on to the DC over RDP, you must also be granted the “Allow log on through Remote Desktop Services” user right. By default, members of the Administrators group have this right. If you are not a member of the Administrators group or another group that has this right, or if the Administrators group does not have this right, you must be granted this right manually.
In order to fix the issue, you might want to create a new security group whose members will have the right to establish a Remote Desktop connection. To do this, type in ‘secpol.msc’ and press Enter.
Navigate to Local Policies, and click on User Rights Assignment.
– From the list of policies, locate Allow log on through Remote Desktop Services and double-click it.
This will open the Allow log on through Remote Desktop Services properties window as shown below.
– Add the user or group. For me, I will be adding the user just for test purposes. In a live environment, I will probably create a group to handle this.
This will open the Select Users, Computers, Service Accounts, or Groups wizard as shown below. Enter the name and click on Check Names.
As you can see, the user has been added to Allow log on through Remote Desktop Services as shown below. Here is a link to all troubleshooting guides relating to RDP.
– Click on Apply and then OK to finish this step.
Allow logon through Remote Desktop Services via the GPO
You do not need to use these steps as well; I just want to demonstrate them to you. The steps are basically the same as above, but this time via the Group Policy Management snap-in.
– Launch the Server Manager,
– Click on Tools,
– Click on Group Policy Management as shown below
This will open the Group Policy Management console. You can edit the “Default Domain Controllers” policy.
– Locate the “Allow log on through Remote Desktop Services” user rights setting (Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\).
– Add the new security group (Remote Desktop Users group) or user account, then close the management console.
Why not just create a new policy instead of modifying the default policy? Regardless of your implementation steps, please link the GPO to the OU the group or user belongs to.
Note: To allow a user to log on to the DC locally (via the server console), you must add the account or group to the policy “Allow log on locally”. By default, this permission is granted to the following domain groups: Administrators, Backup Operators, Print Operators, Server Operators, and Account Operators.
Next, you will have to restart your system for it to take effect, or run GPUpdate from an elevated command prompt to have the policy applied immediately without waiting for the default 90 minutes to elapse. You may want to see these guides: What is GPO and how can it be launched in Windows, and GPUpdate Switches: GPUpdate vs GPUpdate /force.
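The two steps above (group membership and the user right) are what RDP access to a DC depends on, and a Deny right silently overrides the Allow. The following PowerShell script is an added example, not the article’s own code: it adds the account to the Builtin Remote Desktop Users group if needed and then reads the effective user rights on the DC to confirm both conditions. It assumes an elevated PowerShell session on the DC with the ActiveDirectory RSAT module, and $SamAccountName is a hypothetical test account (the article’s “RDP1”).

```powershell
# Added example (not from the original post): grant a non-admin account RDP access
# to a DC as the article describes, then verify both conditions it depends on.
# Assumptions: elevated PowerShell on the DC with the ActiveDirectory RSAT module;
# $SamAccountName is a hypothetical test account ('RDP1' is the article's example).
param([string]$SamAccountName = 'RDP1')
Import-Module ActiveDirectory

# 1. Group membership: Builtin "Remote Desktop Users" always has SID S-1-5-32-555,
#    so resolve it by SID rather than by (localisable) display name.
$rdpGroup = Get-ADGroup -Identity 'S-1-5-32-555'
$user     = Get-ADUser  -Identity $SamAccountName
$isMember = Get-ADGroupMember -Identity $rdpGroup -Recursive |
            Where-Object { $_.SID -eq $user.SID }
if (-not $isMember) {
    Add-ADGroupMember -Identity $rdpGroup -Members $user
    Write-Host "Added $SamAccountName to $($rdpGroup.Name)"
}

# 2. User right: export the effective local security policy and read who holds
#    "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight).
#    The matching Deny right is checked too, because a Deny always wins over an Allow.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Get-RightHolders([string]$Right) {
    $line = Get-Content $cfg | Where-Object { $_ -like "$Right =*" }
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')       # secedit writes SIDs as *S-1-5-...
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier $id
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $id }                      # plain names or unresolvable SIDs stay as-is
    }
}

$allow = Get-RightHolders 'SeRemoteInteractiveLogonRight'
$deny  = Get-RightHolders 'SeDenyRemoteInteractiveLogonRight'
Remove-Item $cfg -ErrorAction SilentlyContinue

$principals = @($user.SID.Translate([System.Security.Principal.NTAccount]).Value,
                "BUILTIN\$($rdpGroup.Name)")
"Allow log on through RDS: $($allow -join ', ')"
"Deny log on through RDS:  $($deny  -join ', ')"
if (-not ($allow | Where-Object { $principals -contains $_ })) {
    Write-Warning "Neither $SamAccountName nor $($rdpGroup.Name) holds the right; apply the GPO (gpupdate) and re-check."
}
if ($deny | Where-Object { $principals -contains $_ }) {
    Write-Warning "A Deny right applies to $SamAccountName and overrides the Allow."
}
```

Run it again after GPUpdate: if the Allow list still lacks the group or user, the GPO is not linked to the right OU or a higher-precedence policy is overriding it.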
I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.