Monday, May 7, 2012

Allow Logon Through Terminal Services vs. Remote Desktop Users group: Which and why?

I always end up forgetting which permissions I need to grant users and where to do so when setting up terminal services... so I go googling, and end up finding the answer eventually... but I figured it's about time I left a note for myself (and others!) about which permissions you need to grant users, where they are, and why.

For starters, this article does a great job of explaining:
http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx

I'll do a quick summary of the contents, though, and borrow the images in case that site goes missing at some point. All credit goes to the original poster, of course. :P

First, there's the "Allow Logon Through Terminal Services" GPO setting, located under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\. This user right is what controls whether an account is allowed to log on to the particular machine over Terminal Services at all. When you apply this setting to a machine and add a group to it, that group automatically gains the right to log on to the computer, access local resources, etc. By default, Administrators and Remote Desktop Users are assigned this right.

Second, there's the Remote Desktop Users group. This group, as you saw above, is already a member of the "Allow Logon Through Terminal Services" security setting on most servers by default (except for domain controllers; I believe the default domain controller policy overrides this setting to allow only Domain Admins, but I could be wrong here). The other thing this group does is grant access to connect to the RDP-TCP listener on the server. You can see or change which users and groups have access to the RDP-TCP listener by opening the Terminal Services Configuration snap-in and checking the Security tab of the listener's properties, as shown below:
[Screenshot from the original article: RDP-Tcp Properties, Security tab, in the Terminal Services Configuration snap-in]


Finally, here's a quick recap of the typical error messages you see, and what each one generally means:

1) "To log on to this remote computer, you must have Terminal Server User Access permissions on this computer..." or "The requested session access is denied": this means the user that tried to connect has been granted "Allow Logon Through Terminal Services" correctly, but is not a member of the Remote Desktop Users group, or otherwise does not have permissions on the RDP-TCP listener on that machine. Go check the Terminal Services Configuration snap-in.

2) "To log on to this remote computer, you must be granted the Allow Logon Through Terminal Services right..." or "The connection was denied because the user account is not authorized for remote logon.": this one is pretty straightforward... the user has not been granted the "Allow Logon Through Terminal Services" right.
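To check both requirements at once on a given machine, here is an added diagnostic script (my own addition, not from the original article or its author). It assumes an elevated PowerShell prompt (secedit needs it), an English group name, and that the Win32_TSAccount WMI class is present for the listener ACL; nested domain group membership is not expanded, so a user who reaches Remote Desktop Users through another group will show as missing.

```powershell
# Added diagnostic (not from the original post). Checks, on the local machine, the two
# separate things the post says an RDP user needs: the "Allow log on through Terminal
# Services" user right, and access to the RDP-Tcp listener (normally via Remote Desktop Users).
param([string]$Account = "$env:USERDOMAIN\$env:USERNAME")

function Get-UserRightHolders([string]$Right) {
    # secedit writes the effective local policy to an .inf; each right is a list of '*SID'
    # entries (an entry appears as a bare name when its SID could not be resolved).
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $hit = Select-String -Path $cfg -Pattern "^$Right\s*=" | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $hit) { return @() }
    foreach ($e in (($hit.Line -split '=', 2)[1] -split ',')) {
        $e = $e.Trim().TrimStart('*')
        try { (New-Object Security.Principal.SecurityIdentifier $e).Translate([Security.Principal.NTAccount]).Value }
        catch { $e }
    }
}

function Get-LocalGroupMemberNames([string]$Group) {
    # WinNT provider exists on every Windows version; direct members only (nested groups not expanded).
    foreach ($m in ([ADSI]"WinNT://./$Group,group").Invoke('Members')) {
        $p = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        ($p -replace '^WinNT://', '') -replace '/', '\'
    }
}

$allow = Get-UserRightHolders 'SeRemoteInteractiveLogonRight'
$deny  = Get-UserRightHolders 'SeDenyRemoteInteractiveLogonRight'
$rdu   = Get-LocalGroupMemberNames 'Remote Desktop Users'
"Allow log on through Terminal Services: $($allow -join ', ')"
"Deny log on through Terminal Services:  $($deny -join ', ')"
"Remote Desktop Users (direct members):  $($rdu -join ', ')"

# Map the state to the two error messages the post lists. A deny entry always wins over allow.
$inRdu    = $rdu -contains $Account
$hasRight = ($allow -contains $Account) -or ($inRdu -and ($allow -contains 'BUILTIN\Remote Desktop Users'))
if ($deny -contains $Account) { "$Account is explicitly denied remote logon." }
elseif (-not $hasRight) { "$Account lacks the user right: expect the 'must be granted the Allow Logon Through Terminal Services right' error." }
elseif (-not $inRdu) { "$Account has the right but is not in Remote Desktop Users: expect the 'Terminal Server User Access permissions' error unless granted on the listener directly." }
else { "$Account passes both checks (nested group membership was not evaluated)." }

# Who is on the RDP-Tcp listener ACL (what the Terminal Services Configuration snap-in shows).
# Assumption: the Win32_TSAccount WMI class in root\cimv2\TerminalServices is present.
try {
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSAccount -Filter "TerminalName='RDP-Tcp'" |
        Select-Object AccountName, PermissionsAllowed, PermissionsDenied | Format-Table -AutoSize
} catch { "Could not read RDP-Tcp listener permissions: $_" }
```

Because secedit exports the effective policy, a domain GPO that overrides the local setting (the domain controller case mentioned above) shows up here too.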

12 comments:

  1. Thank you! It was the RDP-TCP listener that the user/group was missing from in my case. These types of articles are a godsend! Thanks again.

  2. Thanks, glad it helped someone else out there!

    1. There is no "Allow Logon to Terminal Services" right in the GPO on Windows Server 2011 Standard. There is however, a "Log on through Remote Desktop Services" right, and I gave that right to the remote desktop users group. Then added my user to that group, and still get the "you must be granted the Allow Logon through Terminal Services" right error.

    2. I am assuming you are talking about SBS 2011 when you say Server 2011... and in that case, yes, you are correct. With SBS it is always best to use the built in wizards on the SBS console. In your case, you would want to go to the users tab, double click the user in question, and grant remote access to the workstation or server they need through the 'computers' tab.

      Note, it's a bad idea to give users remote access to an SBS server, as it's a domain controller etc etc... so they would need some special exceptions to get on the server itself. There are many articles out there about this... but if you need help, let me know and I can try to put together an article for you!

    3. I have the same error as Carl, but even worse, as I am the admin of the domain and I went through your blog but nothing helps... I still obtain "To log on to this remote computer, you must be granted the Allow Logon Through Terminal Services right..."

      Thanks.

    4. Hi, follow these steps:
      - log on to the host server, Start, Run
      - gpedit.msc
      - Local Computer Policy
      - Computer Configuration
      - Windows Settings
      - Security Settings
      - Local Policies
      - User Right Management
      - Allow logon through RDS
      - double click
      - add required users, groups, etc.

      Bingo lol

  3. How does this work on a Windows 7 Pro Laptop that is being set up for remote access by PocketCloud and the user setting is a non-administrator level account?

    1. I cannot say I have any experience with PocketCloud... so not much info to provide there. That aside, there shouldn't be any issues granting remote access to a terminal server for a non-administrator account... that's what terminal services is designed for, after all.

  4. How does this work on Windows 2008 R2?

  5. Greetings! Do you use actively online social media websites?

  6. Hi everyone, I love to read this blog. I get many things when I read this blog. If you guys have any other blogs like it then please share them with me. Thanks for sharing such a wonderful blog.

  7. This community has lots of combined issues experienced around almost all the technological innovation.

    Windows Thin Client & Citrix Thin Client
