How To Allow Logon Through Remote Desktop Services
First published on TECHNET on Sep 09, 2011
Hello AskPerf readers. I am Edwin Rocky and this time I am back with some interesting data about the "Allow Logon through Terminal Services" group policy and the "Remote Desktop Users" group.
I am sure many of you are already familiar with this GPO and this group. However, there has been some confusion around whether you should be using the GPO for allowing the user to RDP to the server, or the Remote Desktop Users group, or both. And at times, even what to choose between them and what the best recommended practice is.
Hence I wanted to provide a short, simple explanation of this group policy and the user group and how they are interrelated.
To start with, there are two types of user rights: Logon rights and Privileges. In simpler terms these are:
1) Remote Logon: rights to the machine
2) Logon: privileges for access to the RDP-TCP Listener
These play the vital role in allowing an RDP session to the server.
Only when a user is able to validate both of the above conditions successfully is the user provided with a successful RDP connection to the server.
The Remote Logon is governed by the "Allow Logon through Terminal Services" group policy. This is under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to log on remotely to the server.
Now, if you have a user account which is not a part of the Administrators or the Remote Desktop Users groups and you go ahead and add it to the GPO for "Allow Logon through Terminal Services", that user will still not be able to create a successful RDP connection to the server. The reason is that adding a user to this GPO only authorizes him for a Remote Logon to the server but does not give him the permissions to connect to the RDP-Listener.
Now the Logon privileges for the RDP-Listener come into play. Once the user is authorized for remote logon, his privileges to connect to the RDP-Listener are verified. If the user has permissions on the listener then the connection is successful. These permissions can be verified from the RDP-TCP Listener properties.
When you look at the Permissions on the RDP-TCP Listener, you will see the groups that hold permissions on it (the screenshot from the original post is not reproduced here).
So that would explain how adding a user to the "Remote Desktop Users" group allows them to create a successful connection to the server. Adding the user to the Remote Desktop Users group gives them both:
the "Remote Logon" rights to the machine, as the Remote Desktop Users group is already a part of the GPO "Allow Logon through Terminal Services"; and
the "Logon" privileges to the RDP-Listener, as this group is already added to the ACL of the listener.
Permissions for the RDP-TCP listener can be set using the Tsconfig.msc console snap-in. You cannot modify the permissions on the RDP listener using group policy. This is why the best practice is always to add users or groups to the Remote Desktop Users group and not to use your own group.
So to summarize, the GPO does authorize the user for a remote logon to the machine, but unless the user also has permissions on the RDP-Listener he will not be able to RDP to the server. Hence it is always a best practice to add users to the Remote Desktop Users group to give them RDP access to the server.
Domain controllers are an exception to this rule: on a DC, "Allow Logon through Terminal Services" does not include the Remote Desktop Users group by default. This is because it is not considered a best practice to allow users to connect to sessions on a DC. If for some reason you do need to allow RDP access to a Domain Controller, you will have to add the group back in manually.
Depending on the missing rights or privileges, you might get various error messages. Below are a few common situations that produce them (the error screenshots from the original post are not reproduced here):
When a user account is added to the GPO but is not a part of the Remote Desktop Users group.
When the user account is not given the Logon Remotely right by the GPO.
When the user account is a part of the GPO but not in the Remote Desktop Users group.
When the user is part of the Remote Desktop Users group but that group is not present in the GPO for "Allow Logon through Terminal Services".
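The following audit script is an added example, not code from the original post. It checks the two conditions explained above for one account on the local server: whether the account holds the "Allow log on through Remote Desktop Services" user right (SeRemoteInteractiveLogonRight, directly or via Administrators or Remote Desktop Users), and whether it is in the local Remote Desktop Users group, which is the group the listener ACL grants by default. It assumes an elevated PowerShell 5.1+ session on Windows Server 2016 or later (for Get-LocalGroupMember and secedit); the account name is a constructed sample.

```powershell
# Added audit script (not from the original post). Reports which of the two
# conditions for an RDP logon an account is missing, matching the error
# situations listed above. Assumes an elevated PowerShell 5.1+ session.
param([Parameter(Mandatory)][string]$Account)   # constructed sample: 'CONTOSO\jdoe'

$RdpUsersSid = 'S-1-5-32-555'   # well-known SID: BUILTIN\Remote Desktop Users
$AdminsSid   = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators

# Resolve the account to its SID so it can be compared with the secedit export.
$nt      = New-Object System.Security.Principal.NTAccount($Account)
$userSid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Direct membership in the two local groups that hold the right by default.
$groupSids = @()
foreach ($g in 'Remote Desktop Users', 'Administrators') {
    $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
    if ($members.SID.Value -contains $userSid) {
        $groupSids += (Get-LocalGroup -Name $g).SID.Value
    }
}

# Condition 1: export the effective local security policy and read the
# SeRemoteInteractiveLogonRight line, e.g. "... = *S-1-5-32-544,*S-1-5-32-555".
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$grantedSids = @()
if ($line) {
    $grantedSids = ($line -split '=', 2)[1].Trim() -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') }
}
$hasRight = ($grantedSids -contains $userSid) -or
            (@($groupSids | Where-Object { $grantedSids -contains $_ }).Count -gt 0)

# Condition 2: Remote Desktop Users membership, which carries the RDP-Tcp
# listener permission by default (the listener ACL itself is set in Tsconfig.msc).
$inRdpUsers = $groupSids -contains $RdpUsersSid

[pscustomobject]@{
    Account              = $Account
    HasRemoteLogonRight  = $hasRight     # $false: the GPO-side failure described above
    InRemoteDesktopUsers = $inRdpUsers   # $false: the listener-permission failure
    RdpUsersGroupInRight = ($grantedSids -contains $RdpUsersSid)  # $false on a DC by default
    AdminsGroupInRight   = ($grantedSids -contains $AdminsSid)
}
```

A result with HasRemoteLogonRight true and InRemoteDesktopUsers false is the "added to the GPO but not in the group" case; RdpUsersGroupInRight false on a domain controller is the exception described above.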
A few links that might be of interest in regards to this topic:
Default permissions for a local user account: http://msdn.microsoft.com/en-us/library/cc771990.aspx
Allow Logon through Terminal Services: http://technet.microsoft.com/en-us/library/cc758613(WS.10).aspx
Accessing Terminal Services Using New User Rights Options: http://support.microsoft.com/kb/278433
Description of Logon Rights and Privileges: http://technet.microsoft.com/en-us/library/bb457125.aspx
Hope this explains the relation between this group and the GPO and also how to use them as required. Till next time…
Edwin Rocky.
Source: https://techcommunity.microsoft.com/t5/ask-the-performance-team/8220-allow-logon-through-terminal-services-8221-group-policy-and/ba-p/374961