How to allow non-administrator users to use RDP on a domain


Desktop / October 22, 2016

Hello AskPerf readers. I am Edwin Rocky and this time I am back with some interesting information about the “Allow Logon through Terminal Services” group policy and the “Remote Desktop Users” group.

I am sure many of you are already familiar with this GPO and this group. But there has still been some confusion around whether you should be using the GPO to allow a user to RDP to the server, or the Remote Desktop Users group, or both; and at times, which to choose between them and what the recommended practice is.

Hence I wanted to provide a short simple explanation about this group policy and the user group and how they are interrelated.

To start with, an RDP logon has to pass two separate checks, and they are governed by two different settings. In simpler terms these are:

1) Remote Logon: the right to log on to the machine over Remote Desktop, a user right named “Allow log on through Remote Desktop Services” (“Allow logon through Terminal Services” on older releases), which corresponds to SeRemoteInteractiveLogonRight

2) Logon: the “Logon” permission in the access control list of the RDP-Tcp listener

Both play a vital part in allowing an RDP session to the server: only when a user passes both checks is the RDP connection to the server established.

The Remote Logon is governed by the “Allow Logon through Terminal Services” group policy (named “Allow log on through Remote Desktop Services” on Windows Server 2008 R2 and later; the underlying user right is SeRemoteInteractiveLogonRight). It is under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Keep in mind that the companion policy “Deny log on through Remote Desktop Services” takes precedence: an account that is listed in the Deny policy, or is a member of a group listed there, cannot log on remotely regardless of the Allow policy.

By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to logon remotely to the server.

Now, if you have a user account which is not a member of the Administrators or Remote Desktop Users groups and you add it directly to the “Allow Logon through Terminal Services” policy, that user will still not be able to establish an RDP connection to the server. Adding a user to this policy only authorizes a remote logon to the machine; it does not give the user permission to connect to the RDP-Tcp listener.
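A quick way to see who actually holds the Remote Logon right on a given server, and who is explicitly denied it, is to export the local security policy with secedit and read the two user-right lines back. The script below is an added example and not part of the AskPerf post; it assumes an elevated PowerShell session on the target server (secedit needs administrator rights) and resolves the SIDs secedit writes into account names.

```powershell
# Added example (not from the AskPerf post): list the principals that hold the
# remote-interactive logon right on this machine and those explicitly denied it.
# The Deny right wins over the Allow right, so both lines must be checked.
# Assumes an elevated session; secedit refuses to export otherwise.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Resolve-PolicySid {
    param([string]$Entry)
    # secedit writes resolvable principals as *S-1-5-32-555; anything else verbatim.
    $value = $Entry.Trim()
    if (-not $value.StartsWith('*')) { return $value }
    $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                      -ArgumentList $value.Substring(1)
    try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $value }   # unresolvable (e.g. orphaned domain SID): keep the SID
}

function Get-RightHolders {
    param([string]$Right)
    # Lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $line = Get-Content $inf | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }   # right assigned to nobody
    $values = ($line -split '=', 2)[1]
    return @($values -split ',' | ForEach-Object { Resolve-PolicySid $_ })
}

function Get-RemoteLogonPolicy {
    # SeRemoteInteractiveLogonRight backs "Allow log on through Remote Desktop Services"
    # ("Allow logon through Terminal Services" on older releases);
    # SeDenyRemoteInteractiveLogonRight backs the matching "Deny" policy.
    [pscustomobject]@{
        Allow = Get-RightHolders 'SeRemoteInteractiveLogonRight'
        Deny  = Get-RightHolders 'SeDenyRemoteInteractiveLogonRight'
    }
}

$policy = Get-RemoteLogonPolicy
"Allowed remote interactive logon:"; $policy.Allow | ForEach-Object { "  $_" }
"Denied remote interactive logon:";  $policy.Deny  | ForEach-Object { "  $_" }

Remove-Item $inf -Force
```

On a default member server the Allow list comes back as BUILTIN\Administrators and BUILTIN\Remote Desktop Users and the Deny list is empty. An account that appears only in the Allow list (added directly, as the paragraph above describes) has passed just the first of the two checks; the listener permission still has to be there.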

Now the Logon permission on the RDP-Tcp listener comes into play. Once the user is authorized for remote logon, the user's permission to connect to the listener is checked, and the connection succeeds only if the user, or a group the user belongs to, is granted Logon on the listener. On Windows Server 2008 and 2008 R2 these permissions can be viewed in the RDP-Tcp listener properties in Remote Desktop Session Host Configuration (tsconfig.msc); that console was removed in Windows Server 2012, where the listener DACL is read and changed through the Win32_TSPermissionsSetting and Win32_TSAccount WMI classes in the root\cimv2\TerminalServices namespace.

When you look at the Permissions tab of the RDP-Tcp listener, you will see the groups that hold listener permissions. By default these include Administrators and SYSTEM with Full Control and Remote Desktop Users with User Access, which includes the Logon permission.

That explains why adding a user to the Remote Desktop Users group is enough for a successful connection: the group holds the Logon permission on the listener, and it is already listed in the “Allow Logon through Terminal Services” policy, so membership grants the Remote Logon right to the machine as well. On a domain, the practical way to do this is to put a domain group into each server's local Remote Desktop Users group (for example through Restricted Groups or Group Policy Preferences Local Users and Groups) rather than editing the user right or the listener DACL server by server; members get remote logon without any administrative rights on the server.
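The following script is an added example, not code from the AskPerf post, covering the two points above: it reads the RDP-Tcp listener DACL through the Win32_TSAccount WMI class and decodes the Logon bit, then grants access the way the post recommends, by adding the user to the local Remote Desktop Users group, which satisfies both the user right and the listener permission at once. It assumes an elevated session on the target server and PowerShell 5.1 (for Add-LocalGroupMember); the user name CONTOSO\jdoe is a placeholder.

```powershell
# Added example (not from the AskPerf post). Assumes an elevated PowerShell 5.1
# session on the RD server. CONTOSO\jdoe is a placeholder account.
$user = 'CONTOSO\jdoe'

# Bit in Win32_TSAccount.PermissionsAllowed/PermissionsDenied that is the listener
# "Logon" permission (WINSTATION_LOGON). The other bits are Query=1, Set=2,
# Logoff=4, VirtualChannels=8, RemoteControl=16, Reset=64, Message=128,
# Connect=256, Disconnect=512.
$WINSTATION_LOGON = 0x20

function Get-ListenerLogonAccounts {
    # One Win32_TSAccount instance per ACE on the RDP-Tcp listener.
    Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSAccount `
                    -Filter "TerminalName='RDP-Tcp'" |
      ForEach-Object {
        [pscustomobject]@{
            Account = $_.AccountName
            # Logon is effective only if it is allowed and not also denied.
            Logon   = (($_.PermissionsAllowed -band $WINSTATION_LOGON) -ne 0) -and
                      (($_.PermissionsDenied  -band $WINSTATION_LOGON) -eq 0)
            Allowed = '0x{0:X}' -f $_.PermissionsAllowed
            Denied  = '0x{0:X}' -f $_.PermissionsDenied
        }
      }
}

"RDP-Tcp listener DACL:"
Get-ListenerLogonAccounts | Format-Table -AutoSize

# Remote Desktop Users (well-known SID S-1-5-32-555) holds the Logon permission on the
# listener and SeRemoteInteractiveLogonRight by default, so membership passes both
# checks. Addressing the group by SID avoids localized group names.
$rduSid = 'S-1-5-32-555'
$alreadyMember = Get-LocalGroupMember -SID $rduSid -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -eq $user }
if (-not $alreadyMember) {
    Add-LocalGroupMember -SID $rduSid -Member $user
    "Added $user to Remote Desktop Users"
} else {
    "$user is already a member of Remote Desktop Users"
}
# Equivalent on hosts without the LocalAccounts module (pre-5.1):
#   net localgroup "Remote Desktop Users" CONTOSO\jdoe /add
```

On a default server the listener table shows BUILTIN\Remote Desktop Users with Logon = True, which is the permission the group brings to its members. Granting the listener permission directly to an individual account is possible through the Win32_TSPermissionsSetting class (its AddAccount method with preset 1 for User Access), but that covers only the second check and has to be repeated on every server, which is why the group route is the one to prefer.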