Set and Check User Rights Assignment via PowerShell
You can add, remove, and check user rights assignment (remotely or locally) with the following PowerShell scripts.
Posted by : blakedrumm on Jan 5, 2022
This post was last updated on August 29th, 2022
I stumbled across this gem (weloytty/Grant-LogonAsService.ps1) that allows you to grant the Log on as a Service right for a user. I modified the script so you can now run the PowerShell script against multiple machines, users, and user rights.
Set User Rights
All of the User Rights that can be set:
| Privilege | PrivilegeName |
|---|---|
| SeAssignPrimaryTokenPrivilege | Replace a process level token |
| SeAuditPrivilege | Generate security audits |
| SeBackupPrivilege | Back up files and directories |
| SeBatchLogonRight | Log on as a batch job |
| SeChangeNotifyPrivilege | Bypass traverse checking |
| SeCreateGlobalPrivilege | Create global objects |
| SeCreatePagefilePrivilege | Create a pagefile |
| SeCreatePermanentPrivilege | Create permanent shared objects |
| SeCreateSymbolicLinkPrivilege | Create symbolic links |
| SeCreateTokenPrivilege | Create a token object |
| SeDebugPrivilege | Debug programs |
| SeDelegateSessionUserImpersonatePrivilege | Obtain an impersonation token for another user in the same session |
| SeDenyBatchLogonRight | Deny log on as a batch job |
| SeDenyInteractiveLogonRight | Deny log on locally |
| SeDenyNetworkLogonRight | Deny access to this computer from the network |
| SeDenyRemoteInteractiveLogonRight | Deny log on through Remote Desktop Services |
| SeDenyServiceLogonRight | Deny log on as a service |
| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation |
| SeImpersonatePrivilege | Impersonate a client after authentication |
| SeIncreaseBasePriorityPrivilege | Increase scheduling priority |
| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process |
| SeIncreaseWorkingSetPrivilege | Increase a process working set |
| SeInteractiveLogonRight | Allow log on locally |
| SeLoadDriverPrivilege | Load and unload device drivers |
| SeLockMemoryPrivilege | Lock pages in memory |
| SeMachineAccountPrivilege | Add workstations to domain |
| SeManageVolumePrivilege | Perform volume maintenance tasks |
| SeNetworkLogonRight | Access this computer from the network |
| SeProfileSingleProcessPrivilege | Profile single process |
| SeRelabelPrivilege | Modify an object label |
| SeRemoteInteractiveLogonRight | Allow log on through Remote Desktop Services |
| SeRemoteShutdownPrivilege | Force shutdown from a remote system |
| SeRestorePrivilege | Restore files and directories |
| SeSecurityPrivilege | Manage auditing and security log |
| SeServiceLogonRight | Log on as a service |
| SeShutdownPrivilege | Shut down the system |
| SeSyncAgentPrivilege | Synchronize directory service data |
| SeSystemEnvironmentPrivilege | Modify firmware environment values |
| SeSystemProfilePrivilege | Profile system performance |
| SeSystemtimePrivilege | Change the system time |
| SeTakeOwnershipPrivilege | Take ownership of files or other objects |
| SeTcbPrivilege | Act as part of the operating system |
| SeTimeZonePrivilege | Change the time zone |
| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller |
| SeUndockPrivilege | Remove computer from docking station |
Note: You may edit line 437 in the script to change what happens when it is run without any arguments or parameters; this also lets you change what happens when the script is run from the PowerShell ISE.
Here are a few examples:
Add Users

Single Users

Example 1: Add User Right "Allow log on locally" for the current user:

```powershell
.\Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight
```

Example 2: Add User Right "Log on as a service" for CONTOSO\User:

```powershell
.\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight
```

Example 3: Add User Right "Log on as a batch job" for CONTOSO\User:

```powershell
.\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight
```

Example 4: Add User Right "Log on as a batch job" for user SID S-1-5-11:

```powershell
.\Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight
```

Add Multiple Users / Rights / Computers

Example 5: Add User Rights "Log on as a service" and "Log on as a batch job" for CONTOSO\User1 and CONTOSO\User2, and run on the local machine and SQL.contoso.com:

```powershell
.\Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2
```
Remove Users

Single Users

Example 1: Remove User Right "Allow log on locally" for the current user:

```powershell
.\Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight
```

Example 2: Remove User Right "Log on as a service" for CONTOSO\User:

```powershell
.\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight
```

Example 3: Remove User Right "Log on as a batch job" for CONTOSO\User:

```powershell
.\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight
```

Example 4: Remove User Right "Log on as a batch job" for user SID S-1-5-11:

```powershell
.\Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight
```

Remove Multiple Users / Rights / Computers

Example 5: Remove User Rights "Log on as a service" and "Log on as a batch job" for CONTOSO\User1 and CONTOSO\User2, and run on the local machine and SQL.contoso.com:

```powershell
.\Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2
```
Check User Rights
To check the local user rights, run the Get-UserRights script above; you may copy and paste it into your PowerShell ISE and press play.
Note: You may edit line 467 in the script to change what happens when it is run without any arguments or parameters; this also lets you change what happens when the script is run from the PowerShell ISE.
Get Local User Account Rights and output to text in console:
Get Remote SQL Server User Account Rights:
Get Local Machine and SQL Server User Account Rights:
Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:
Output to Text in ‘C:\Temp’:
PassThru object to allow manipulation / filtering:
I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.
Email : [email protected]
Website : https://blakedrumm.com
My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post at least once a month if possible.
- operationsManager
- troubleshooting
- certificates
- containerapps
Allow non-admins to access Remote Desktop
4sysops - The online community for SysAdmins and DevOps
RDP access restricted to admins
The Remote Desktop feature is disabled by default and needs to be enabled. On Windows 10 or 11 workstations, a single user can connect via RDP, while on Windows Server, two simultaneous sessions are allowed.
In both cases, access is restricted by default to administrators only. If a standard user attempts to establish a Remote Desktop connection, they will receive the following error message:
"The connection was denied because the user account is not authorized for remote login."
By default standard users cannot establish RDP connections
Authorize users when enabling Remote Desktop
If you choose to activate Remote Desktop using alternative methods, such as Group Policies, or if you need to grant RDP connection permissions later on, you will need to manage membership in the local Remote Desktop Users group through different means.
For individual computers, you can use MMC-based computer management or PowerShell.
PowerShell offers several cmdlets for managing local groups. For instance, you can add an AD group, such as RDPUser, to the local Remote Desktop Users group using the following command:

```powershell
Add-LocalGroupMember -Name "Remote Desktop Users" -Member contoso\RDPUser
```
Adding users to remote desktop users via GPO
In centrally managed environments, the preferred way to manage members of the local Remote Desktop Users group is through Group Policy. There are two options for this.
Restricted groups allow you to control which members should be part of a local group and which groups they should be added to. You can find this setting under Computer Configuration > Policies > Windows Settings > Security Settings.
From there, select the Add Group command from the context menu. It opens a dialog box in which you can enter the name of a local group. To do so, click the Browse button.
It's important to note that Microsoft has translated group names on localized systems. Therefore, you should search for the respective terms in the local language. In linguistically mixed environments, it doesn't matter which of the two names you choose; the assignment is based on the SID and will work on all systems, regardless.
Create a new restricted group for Remote Desktop users
After that, two Add buttons are available. The first lets you specify which members should belong to the group.
Add members to the local Remote Desktop Users group
This group policy aligns group members on the target PCs with the entries in the GPO. As a result, any users not listed in the GPO will be automatically removed from the groups.
Alternatively, you can use the Local Users and Groups setting under Computer Configuration > Preferences > Control Panel Settings for this task.
Select New > Local Group to manage the members of user groups. You can use the corresponding checkboxes to remove all existing users and groups so that the Remote Desktop group includes only members explicitly assigned to it by the GPO.
Assign members to the local Remote Desktop Users group using GPP
The default Update action keeps the list of members in the desired state so you can leave it as is.
The methods described above pertain to membership in the local Remote Desktop Users group. However, there is also a group with the same name in Active Directory. Wouldn't it be easier to simply include the desired accounts in this AD group to grant them access to Remote Desktop on every PC in an OU?
This AD group refers only to domain controllers, and its members do not gain RDP access to member servers or workstations.
Generally, you should not link a GPO like the ones described above with Domain Controllers. Otherwise, users who normally become members of only the local group will also be added to the Remote Desktop Users AD group, which is typically not desired for security reasons.
If you assign accounts to the local RDP group via GPO and link that GPO at the domain level, those accounts will also be added to the AD group.
But users in the AD group Remote Desktop Users will still not be able to open a Remote Desktop session on a DC because they do not have the permission to connect. They also need the Allow log on through Remote Desktop Services user right. This setting can be found under Computer Configuration > Policies > Windows Settings > Local Policies > User Rights Assignment.
By default, only administrative accounts are allowed to establish a Remote Desktop connection. If you want standard users to be able to do this as well, you need to add them to the local Remote Desktop Users group on the target host.
You can do this interactively for individual computers using tools like Computer Management or PowerShell. However, in managed environments, Group Policy is the preferred method.
Group Policy offers two alternatives for this purpose. When linking the GPO, be careful not to affect the Domain Controllers. If this were to happen, the selected accounts would also become members of the AD group Remote Desktop Users, which is typically undesirable.
How-To Geek
How to Enable and Secure Remote Desktop on Windows
While there are many alternatives, Microsoft's Remote Desktop is a perfectly viable option for accessing other computers, but it has to be properly secured. After recommended security measures are in place, Remote Desktop is a powerful tool for geeks to use and lets you avoid installing third party apps for this type of functionality.
This guide and the screenshots that accompany it are made for Windows 8.1 or Windows 10. However, you should be able to follow this guide as long as you're using one of these editions of Windows:
- Windows 10 Professional
- Windows 8.1 Pro
- Windows 8.1 Enterprise
- Windows 8 Enterprise
- Windows 8 Pro
- Windows 7 Professional
- Windows 7 Enterprise
- Windows 7 Ultimate
- Windows Vista Business
- Windows Vista Ultimate
- Windows Vista Enterprise
- Windows XP Professional
First, we need to enable Remote Desktop and select which users have remote access to the computer. Hit Windows key + R to bring up a Run prompt, and type "sysdm.cpl."
Another way to get to the same menu is to type "This PC" in your Start menu, right click "This PC" and go to Properties:
Either way will bring up this menu, where you need to click on the Remote tab:
Select "Allow remote connections to this computer" and the option below it, "Allow connections only from computers running Remote Desktop with Network Level Authentication."
It's not a necessity to require Network Level Authentication, but doing so makes your computer more secure by protecting you from Man in the Middle attacks. Systems even as old as Windows XP can connect to hosts with Network Level Authentication, so there's no reason not to use it.
You may get a warning about your power options when you enable Remote Desktop:
If so, make sure you click the link to Power Options and configure your computer so it doesn't fall asleep or hibernate. See our article on managing power settings if you need help.
Next, click "Select Users."
Any accounts in the Administrators group will already have access. If you need to grant Remote Desktop access to any other users, just click "Add" and type in the usernames.
Click "Check Names" to verify the username is typed correctly and then click OK. Click OK on the System Properties window as well.
Your computer is currently connectable via Remote Desktop (only on your local network if you're behind a router), but there are some more settings we need to configure in order to achieve maximum security.
First, let's address the obvious one. All of the users that you gave Remote Desktop access need to have strong passwords. There are a lot of bots constantly scanning the internet for vulnerable PCs running Remote Desktop, so don't underestimate the importance of a strong password. Use more than eight characters (12+ is recommended) with numbers, lowercase and uppercase letters, and special characters.
Go to the Start menu or open a Run prompt (Windows Key + R) and type "secpol.msc" to open the Local Security Policy menu.
Once there, expand "Local Policies" and click on "User Rights Assignment."
Double-click on the "Allow log on through Remote Desktop Services" policy listed on the right.
It's our recommendation to remove both of the groups already listed in this window, Administrators and Remote Desktop Users. After that, click "Add User or Group" and manually add the users you'd like to grant Remote Desktop access to. This isn't an essential step, but it gives you more power over which accounts get to use Remote Desktop. If, in the future, you make a new Administrator account for some reason and forget to put a strong password on it, you're opening your computer up to hackers around the world if you never bothered removing the "Administrators" group from this screen.
Close the Local Security Policy window and open the Local Group Policy Editor by typing "gpedit.msc" into either a Run prompt or the Start menu.
When the Local Group Policy Editor opens, expand Computer Policy > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host, and then click on Security.
Double-click on any settings in this menu to change their values. The ones we recommend changing are:
Set client connection encryption level - Set this to High Level so your Remote Desktop sessions are secured with 128-bit encryption.
Require secure RPC communication - Set this to Enabled.
Require use of specific security layer for remote (RDP) connections - Set this to SSL (TLS 1.0).
Require user authentication for remote connections by using Network Level Authentication - Set this to Enabled.
Once those changes have been made, you can close the Local Group Policy Editor. The last security recommendation we have is to change the default port that Remote Desktop listens on. This is an optional step and is considered a security through obscurity practice, but the fact is that changing the default port number greatly decreases the amount of malicious connection attempts that your computer will receive. Your password and security settings need to make Remote Desktop invulnerable no matter what port it is listening on, but we might as well decrease the amount of connection attempts if we can.
By default, Remote Desktop listens on port 3389. Pick a five digit number less than 65535 that you'd like to use for your custom Remote Desktop port number. With that number in mind, open up the Registry Editor by typing "regedit" into a Run prompt or the Start menu.
When the Registry Editor opens up, expand HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp > then double-click on "PortNumber" in the window on the right.
With the PortNumber registry key open, select "Decimal" on the right side of the window and then type your five digit number under "Value data" on the left.
Click OK and then close the Registry Editor.
Since we've changed the default port that Remote Desktop uses, we'll need to configure Windows Firewall to accept incoming connections on that port. Go to the Start screen, search for "Windows Firewall" and click on it.
When Windows Firewall opens, click "Advanced Settings" on the left side of the window. Then right-click on "Inbound Rules" and choose "New Rule."
The "New Inbound Rule Wizard" will pop up, select Port and click next. On the next screen, make sure TCP is selected and then enter the port number you chose earlier, and then click next. Click next two more times because the default values on the next couple pages will be fine. On the last page, select a name for this new rule, such as "Custom RDP port," and then click finish.
Your computer should now be accessible on your local network, just specify either the IP address of the machine or the name of it, followed by a colon and the port number in both cases, like so:
To access your computer from outside your network, you'll more than likely need to forward the port on your router. After that, your PC should be remotely accessible from any device that has a Remote Desktop client.
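The steps above change several settings by hand (NLA, the security layer, the encryption level, secure RPC, the listening port and its firewall rule). The following is an added example, not part of the How-To Geek guide, that reads those settings back so you can confirm the host ended up in the recommended state. Function names are my own; the value names under the Terminal Services policy key follow the Terminal Services ADMX as I know it, so confirm them against your own ADMX before relying on this for an audit.

```powershell
# Added example: verify the Remote Desktop settings this guide changes.
# Effective (non-policy) values live under the RDP-Tcp WinStation key; values set
# through gpedit.msc are written under the Terminal Services policy key and take
# precedence where present. Policy value names are assumed from the ADMX.

$WinStation = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$Policy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpValue {
    # Policy value if one is defined, otherwise the effective WinStation value; $null if neither exists.
    param([Parameter(Mandatory)][string]$Name)
    foreach ($key in $Policy, $WinStation) {
        $v = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $v) { return $v.$Name }
    }
    return $null
}

function Test-RdpHardening {
    $port    = Get-RdpValue 'PortNumber'
    $enabled = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                    -Name fDenyTSConnections).fDenyTSConnections -eq 0

    # Find an enabled inbound TCP allow rule that covers the configured port
    # (the "Custom RDP port" rule from the guide, or the built-in rule if the port is still 3389).
    # Rules written as port ranges are not matched by this simple comparison.
    $rule = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and (($pf.LocalPort -contains "$port") -or ($pf.LocalPort -eq 'Any'))
        } | Select-Object -First 1

    [pscustomobject]@{
        RemoteDesktopEnabled = $enabled
        Port                 = $port
        NonDefaultPort       = ($port -ne 3389)
        FirewallRuleForPort  = if ($rule) { $rule.DisplayName } else { $null }
        NlaRequired          = (Get-RdpValue 'UserAuthentication') -eq 1
        SecurityLayerTls     = (Get-RdpValue 'SecurityLayer') -eq 2      # 2 = SSL (TLS), 1 = Negotiate, 0 = RDP
        EncryptionHigh       = (Get-RdpValue 'MinEncryptionLevel') -ge 3 # 3 = High, 4 = FIPS
        SecureRpcRequired    = (Get-RdpValue 'fEncryptRPCTraffic') -eq 1 # policy-only value; $false if never set
    }
}

# Run elevated; every property should read True except Port (the number) and FirewallRuleForPort (a rule name).
Test-RdpHardening | Format-List
```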
If you're wondering how you can keep track of who is logging into your PC (and from where), you can open up Event Viewer to see.
Once you have Event Viewer opened, expand Applications and Services Logs > Microsoft > Windows > TerminalServices-LocalSessionManager and then click Operational.
Click on any of the events in the right pane to see login information.
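Clicking through events one at a time does not scale once the port is reachable from the internet. The following is an added example, not from the guide, that pulls the same Operational log with Get-WinEvent and summarizes who connected from where. It assumes that the session logon (ID 21) and reconnection (ID 25) events carry the account, session ID and client address in the UserData fields named User, SessionID and Address, as they do on the systems I have looked at; the function name is my own.

```powershell
# Added example: summarize Remote Desktop session logons and reconnects from the
# Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log.
# Event 21 = session logon succeeded, event 25 = session reconnection succeeded.

function Get-RdpSessionLogons {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 25
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [xml]$x = $_.ToXml()                      # UserData is only exposed through the XML view
        $u = $x.Event.UserData.EventXML           # assumed field names: User, SessionID, Address
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Kind      = if ($_.Id -eq 21) { 'Logon' } else { 'Reconnect' }
            User      = $u.User
            SessionId = $u.SessionID
            Source    = $u.Address                # client IP; console sessions show a non-IP value (typically LOCAL)
        }
    }
}

# Count sessions per account and client address over the last 30 days, busiest first.
# An account appearing from an address you do not recognize is the thing to follow up on.
Get-RdpSessionLogons -Days 30 |
    Group-Object User, Source |
    Select-Object Count,
                  @{ n = 'User';   e = { $_.Group[0].User } },
                  @{ n = 'Source'; e = { $_.Group[0].Source } } |
    Sort-Object Count -Descending
```

Failed attempts do not appear in this log; for those, query the Security log for logon failures (event 4625) with logon type 10.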
To Sign In Remotely You Need the Right to Sign In Through Remote Desktop Services
So you’ve deployed a new server, but your staff is complaining that they cannot access it remotely because of the following errors:
To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually.
If the Network Level Authentication (NLA) is enabled on the remote machine, users will get this error instead:
The connection was denied because the user account is not authorized for remote login.
Both these errors clearly state the problem: the user is not authorized to log in to the Remote Desktop Services.
So who’s authorized to log in through Remote Desktop Services by default?
- The members of the Administrators and Remote Desktop Users groups on servers and workstations.
- The members of the Administrators group on domain controllers.
- If configured, the users or groups added to the Allow log on through Remote Desktop Services user rights assignment policy in a Group Policy Object (GPO).
- User groups added to the Remote Desktop Services Collection.
This post will show how to allow individual users or group members the privilege to log in remotely on Windows computers.
Adding Users to the Remote Desktop Users Group
Every server, workstation, and domain controller has a built-in group called Remote Desktop Users. The members of this group are allowed to log in to the computer through the Remote Desktop Services.
Using the Local Users and Groups Console on Servers and Workstations
Using the Add-LocalGroupMember PowerShell Cmdlet on Servers and Workstations
- Open an elevated PowerShell session (run as admin).
- Now, let's put all users and groups to add as members in an array. In this example, I'm adding one group and one user:

  ```powershell
  $rdsMembers = @('theitbros\dtaylor', 'theitbros\ca server admins')
  ```
Using the Active Directory Users and Computers on Domain Controllers
- On the domain controller, open the Active Directory Users and Computers console by running the dsa.msc command.
Using the Add-ADGroupMember PowerShell Cmdlet on Domain Controllers
- Open PowerShell on the domain controller.
Granting Allow Log On Through Remote Desktop Services via GPO
For more centralized management, you can also allow users to connect to Remote Desktop Services using the Allow Log On Through Remote Desktop Services policy.
Configure the Allow Log On Through Remote Desktop Services Policy
- Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment.
Confirm the Policy Results
- Log in to a server or workstation.
- Open a CMD or PowerShell window.
- Run a group policy result HTML report:

  ```powershell
  GPResult /h gp_report.html /f
  ```
Allowing Users and Groups to the Remote Desktop Services Collection
If you’re logging in remotely to a Windows Server that’s part of a Remote Desktop Services Collection, you may get the following error, and your log-in fails.
This could happen if your user account or group is not listed in the RDS collection, and here’s how to fix this.
Using the Remote Desktop Services in Server Manager (GUI)
- Open the Server Manager on another server that lets you log in.
Using the PowerShell RemoteDesktop Module
- Open PowerShell and run the following command to retrieve the RDS collection names:

  ```powershell
  # If running on the server with an RDS role
  Get-RDSessionCollection
  # If running on the server without an RDS role
  Get-RDSessionCollection -ConnectionBroker "<RDS Server FQDN>"
  ```

- Next, back up the current users and groups who are allowed to RDP into the RDS collection:

  ```powershell
  $rdsUserGroup = Get-RDSessionCollectionConfiguration -CollectionName "<RDS Collection Name>" -ConnectionBroker "<RDS Server FQDN>" -UserGroup
  $rdsUserGroup.UserGroup
  ```

- Next, let's combine the new and current user and group lists. In this example, we're adding three new entries:

  ```powershell
  $newRdsUserGroup = $rdsUserGroup.UserGroup + @("THEITBROS\FL Server Admins", "THEITBROS\LND Server Admins", "THEITBROS\janderson")
  ```

- To add new users and groups who will be allowed to RDP into the RDS collection, run this command. Make sure to replace the collection name and specify the correct users and groups:

  ```powershell
  Set-RDSessionCollectionConfiguration -CollectionName "<RDS Collection Name>" -UserGroup $newRdsUserGroup -ConnectionBroker "<RDS Server FQDN>"
  ```
Disabling Enhanced Session Mode on Hyper-V Virtual Machines
If you're getting the "To sign in remotely, you need the right to sign in through Remote Desktop Services" error when connecting to a VM inside the Hyper-V Manager, you can use the previous methods in this post to troubleshoot.
This situation doesn’t happen if you’re connecting to the VM using the native Hyper-V bus. But when the Enhanced Session Mode is enabled, the VM’s connection is made through the Remote Desktop Services instead.
- Connecting via Basic Mode = Using the native Hyper-V bus.
- Connecting via Enhanced Session Mode = Using the Remote Desktop Services.
To disable the Enhanced Session Mode, click View and uncheck the Enhanced Session menu item.
Or click the Basic Session toolbar button.
Cyril Kardashevsky
I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
How to Allow logon through Remote Desktop Services
I was working on a project where I faced an issue related to Remote Desktop Services. I could not log in to the domain controller located in a remote site. The domain controller refused to allow me in. The error message was "To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right "Allow logon through Remote Desktop Services". If the group you are in doesn't have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually." Seems like in my case there was an AD replication issue in the setup. The below procedure allowed me to log in to the domain controller.
Allow logon through Remote Desktop Services
Allow log on through Remote Desktop Services – This security setting determines which users or groups have permission to log on as a Remote Desktop Services client.
You can also achieve this by creating a new GPO and applying it to the required organizational unit. I prefer using a Group Policy to editing the local policy on domain controllers.
Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.
"Allow log on through Remote Desktop Services" user right has no effect
I am trying to allow members of a domain security group, GlobalRDP , to RDP into certain Windows 10 PCs. I granted the GlobalRDP group the "Allow log on through Remote Desktop Services" right and that policy has been successfully deployed to the target computers.
Despite this, whenever a member of the GlobalRDP group attempts to log in via RDP, they receive the following error: "The connection was denied because the user account is not authorized for remote login". A similar access denied error appears in the RDP log: "User is not granted access to this connection' in CUMRDPSecurityStreamCallback::AccessCheck at 5236 err=[0x80070005]".
What made things weirder is that I also removed the RDP right for Administrators and Remote Desktop Users groups that have this right by default and I was still able to RDP in as member of the local Remote Desktop Users group.
Finally, I changed my GPO to add the GlobalRDP group to the local Remote Desktop Users group of the target PCs, and RDP worked. Despite the fact that this local group still wasn't granted the RDP login right!
Here is the setting screen from a Windows 10 workstation:
To address fixes that were offered in similar threads:
The GPO is absolutely applied to the target computers. Looking at Local Security Policy -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on through Remote Desktop Services shows only the GlobalRDP group and that the policy was set via GPO. The group policy results wizard shows the same thing.
Deny log on through Remote Desktop Services is empty (default is empty)
It seems like no matter what I change, only the default groups are granted the RDP login right. Adding the domain global group to the local group on each PC works, but smells weird to me. What did I miss? Why can't I simply manage that privilege using a domain group?
- group-policy
- I'm on 1809 and my RDP user is not an admin, just Domain User and GlobalRDP. – succulent_headcrab Commented Mar 22, 2019 at 0:45
- Having read the question more carefully, it now sounds to me as if it is working as designed: the GlobalRDP group has the Log on through Remote Desktop Services right and is also a member of Remote Desktop Users. So there's no reason members of GlobalRDP shouldn't be able to log in. – Harry Johnston Commented Mar 22, 2019 at 2:16
- @HarryJohnston yup, that sounds correct. It seems as if there are 2 different mechanisms at work as noted in your answer. One is obvious and the other is frustratingly opaque. – succulent_headcrab Commented Mar 22, 2019 at 2:26
2 Answers
Permission to establish a remote desktop session and permission to log in when using a remote desktop session are two different things. The user rights assignment settings only affect the latter.
Microsoft do provide documentation on changing the permissions that control who can establish a remote desktop session:
How to add a user to Terminal Services RDP permissions by using WMI
How to modify or query the RDP connection permissions for Terminal Services
However, I strongly recommend that you don't mess with these settings. As Todd's answer already mentioned, adding domain users and/or groups to the Remote Desktop Users local group is the supported method for granting remote desktop access.
(Incidentally, you also need the "Access this computer from the network" right in order to establish a connection.)
- I think this is the right answer since the WMI and the registry example in the linked articles indirectly answer the "why" that was my real question. Maybe it would be helpful if you edit your answer to mention the Win32_TSPermissionsSetting class and registry locations that hold the actual RDP connection rights. Thanks very much for clearing that up. – succulent_headcrab Commented Mar 22, 2019 at 18:40
- I am interested in your closing parenthetical remark. I agree that it is true, but why in the explanation to this policy is it expressly stated that " Remote Desktop Services are not affected by this user right."? – Mark Commented May 27 at 10:13
- 1 @Mark, I'm not sure, but I suspect that the documentation was originally correct and that at the time it was written the "Access this computer from the network" right wasn't needed to establish a Remote Desktop Connection. It probably became necessary when Microsoft introduced Network Level Authentication. – Harry Johnston Commented May 29 at 2:16
According to the Microsoft documentation :
To use Remote Desktop Services to successfully log on to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and [emphasis added] be granted the Allow log on through Remote Desktop Services right.
Since the Remote Desktop Users group is granted the Allow log on through Remote Desktop Services right, adding a user or group to that group fulfills both requirements, while simply granting the right does not.
As to why both are required, I don't know.
Note that the same page specifies that the recommended best practice is:
To control who can open a Remote Desktop Services connection and log on to the device, add users to or remove users from the Remote Desktop Users group.
- This is something that many people miss. Two conditions must be met in order to log in remotely. – joeqwerty Commented Mar 21, 2019 at 21:38
- You can read the links in Harry Johnston's answer to see the why. The login right is assigned in GP while the RD connection right is managed by the Win32_TSPermissionsSetting WMI class which exposes methods to either add an account or restore the defaults (ie "Administrators" and "Remote Desktop Users") – succulent_headcrab Commented Mar 22, 2019 at 18:36
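The two conditions the answers describe can be checked on a machine in one go. The following is an added example, not code from the Stack Exchange answers: it exports the local policy with secedit, parses the [Privilege Rights] section, and reports for one account whether it is in Remote Desktop Users or Administrators, whether it holds SeRemoteInteractiveLogonRight without a matching Deny, and whether it holds SeNetworkLogonRight (which the comments note is also needed). Function names and the account name CONTOSO\GlobalRDP are assumptions; Get-LocalGroupMember needs PowerShell 5.1 or later and the script must run elevated.

```powershell
function ConvertTo-AccountName {
    # secedit writes well-known and domain principals as *SID; translate those to names.
    param([Parameter(Mandatory)][string]$Entry)
    if ($Entry -notmatch '^\*S-1-') { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($Entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Entry   # orphaned SID (deleted account): keep it so it stays visible
    }
}

function Get-UserRightsAssignment {
    # Export the effective local policy and parse its [Privilege Rights] section into
    # a hashtable: constant name (e.g. SeRemoteInteractiveLogonRight) -> account names.
    $cfg = Join-Path $env:TEMP ("ura-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated PowerShell session.' }
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                $rights[$Matches[1]] = @($Matches[2] -split ',' | Where-Object { $_.Trim() } |
                    ForEach-Object { ConvertTo-AccountName -Entry $_.Trim() })
            }
        }
        return $rights
    } finally {
        Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    }
}

function Test-RdpLogonRight {
    # Evaluate both conditions for one account ('DOMAIN\name' or 'COMPUTER\name').
    # Membership is read one level deep with Get-LocalGroupMember; a domain group
    # nested inside Remote Desktop Users is not expanded here.
    param([Parameter(Mandatory)][string]$Account)
    $rights = Get-UserRightsAssignment
    $groups = @(foreach ($g in 'Remote Desktop Users', 'Administrators', 'Users') {
        $members = @(Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue | ForEach-Object Name)
        if ($members -contains $Account) { "BUILTIN\$g" }
    })
    # Principals through which the account can hold a right: itself, its direct groups,
    # and the identities every logged-on user carries.
    $principals = @($Account) + $groups + @('Everyone', 'NT AUTHORITY\Authenticated Users')
    function HoldsRight([string]$Right) {
        @($rights[$Right] | Where-Object { $principals -contains $_ }).Count -gt 0
    }
    $inRdpGroup = ($groups -contains 'BUILTIN\Remote Desktop Users') -or ($groups -contains 'BUILTIN\Administrators')
    $rdpRight   = (HoldsRight 'SeRemoteInteractiveLogonRight') -and -not (HoldsRight 'SeDenyRemoteInteractiveLogonRight')
    $netRight   = (HoldsRight 'SeNetworkLogonRight') -and -not (HoldsRight 'SeDenyNetworkLogonRight')
    [pscustomobject]@{
        Account           = $Account
        InRdpGroup        = $inRdpGroup          # condition 1: Remote Desktop Users or Administrators
        DirectGroups      = ($groups -join ', ')
        RdpLogonRight     = $rdpRight            # condition 2: allow right present, deny right absent
        NetworkLogonRight = $netRight            # also needed to establish the connection
        CanLogOnViaRdp    = $inRdpGroup -and $rdpRight -and $netRight
    }
}

# Example call with a constructed account name:
# Test-RdpLogonRight -Account 'CONTOSO\GlobalRDP'
```

In the situation from the question, a member of GlobalRDP would show RdpLogonRight true but InRdpGroup false until the group is added to Remote Desktop Users.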
Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows
In this article, we will look at several ways to manage non-admin user permissions to restart or shutdown Windows workstations or servers. By default, non-privileged users can only reboot and shut down desktop versions of Windows, and cannot restart a Windows Server host (shutdown and restart buttons are not available in the Start Menu). Is it possible to allow a user without local administrator privileges to restart Windows Server? There is also a reverse task – how to prevent users from restarting a computer with Windows 10 or 11, which is used as an information kiosk, dispatch console, etc.
How to Allow or Prevent Shutdown/Reboot Options in Windows via GPO
Topics covered: allowing remote shutdown/restart without admin permissions, disabling (hiding) the shutdown or restart options in Windows, and finding out who restarted or shut down a Windows server.
You can set the permissions to restart or shutdown Windows using the Shut down the system parameter in the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. This GPO option allows you to specify which locally logged-on users can shut down an operating system.
Please note that the default restart/shutdown permissions for desktop versions of Windows 10/11 and Windows Server editions are different.
Open the Local Group Policy Editor (gpedit.msc) and navigate to the section specified above. As you can see, the members of the local groups Administrators, Users and Backup Operators have the permission to shut down or reboot a computer running Windows 10 or 11.
On Windows Server 2022/2019/2016, only Administrators or Backup Operators can shut down or restart the server. This is reasonable, since in most cases a non-admin user must not have the privilege to shut down a server (even accidentally). Just imagine an RDS farm host that is often shut down because users accidentally click the “Shutdown” button in the Start menu…
On Active Directory domain controllers, the rights to shut down Windows are delegated to:
- Administrators
- Backup Operators
- Server Operators
- Print Operators
If the user does not have permission to restart/shutdown the operating system, then an error will appear when running the following command:
shutdown -r -t 0
If you want to allow a specific user (without administrator rights) to restart your Windows Server, you need to add their account to this policy and update the GPO settings on the computer .
You can manually grant permissions to shut down the computer locally using the legacy ntrights tool from the Windows Server 2003 Resource Kit:
ntrights +r SeShutdownPrivilege -u woshub\j.smith
To prevent a user from shutting down or restarting Windows:
ntrights -r SeShutdownPrivilege -u woshub\j.smith
Or, vice versa, you can prevent users of workstations running the desktop Windows 10/11 edition from restarting the computer that performs some kind of server function. In this case, just remove Users group from the local policy Shut down the system .
In the same way, you can prevent (or allow) shutdown/reboot operations for non-admin users on all computers in a specific Organizational Unit (OU) of an Active Directory domain using a domain GPO.
- Create the grpAllowRestartComputers user group in AD for the users to whom you want to grant the permission to restart computers. You can create a new group using the ADUC snap-in (dsa.msc) or the New-ADGroup PowerShell cmdlet. Add users to the group;
- Create a new GPO linked to the OU that contains the target computers, set the GPO name (gpoAllowReboot) and edit it;
- Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment, open the Shut down the system policy and add the grpAllowRestartComputers group;
- Update the GPO settings on the target computers and check the resulting GPO settings with the rsop.msc snap-in. Users in your group can now shut down or reboot this host;
You can allow some non-admin users to restart your Windows Server remotely using the shutdown command without granting them local administrator privileges, permission to log on through Remote Desktop (RDP), or local logon permissions (if this sign-in method is not allowed).
To do it, add a user account to the Force shutdown from a remote system Group Policy option in the same GPO section ( User Rights Assignment ).
By default, only administrators can shutdown/restart the server remotely. Add a user account to the policy.
ntrights +r SeRemoteShutdownPrivilege -u woshub\j.smith
After that, the user will get the SeRemoteShutdownPrivilege and will be able to restart the server remotely using the command:
shutdown -m \\hamb-rds01 -r -f -t 0
Or using the Restart-Computer PowerShell cmdlet:
Restart-Computer -ComputerName hamb-rds01 -Force
If WinRM (Windows Remote Management) is enabled on the remote computer, you can use WSman instead of WMI to connect:
Restart-Computer -ComputerName hamb-rds01 -Protocol WSMan
If the user does not have permission to connect to the WMI namespace, an error will appear:
You can use Group Policy to hide the Shutdown, Restart, Sleep and Hibernate options from the sign-in screen and Start Menu. This GPO option is called Remove and Prevent Access to the Shut Down, Restart, Sleep, and Hibernate commands and is located under User Configuration -> Administrative Templates -> Start Menu and Taskbar.
After you enable this policy, a user will only be able to disconnect the current session or use the logoff command. The Shutdown, Sleep and Restart buttons will become unavailable.
You can use some registry tweaks to hide only a specific item from the Power/Shutdown menu in Windows. For example, you want to hide only the “Shut down” option in the Start menu, but keep “Restart”.
- Open the Registry Editor (regedit.exe);
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown and set the REG_DWORD parameter named value to 1. The same change can be made from an elevated command prompt:
REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown" /v "value" /t REG_DWORD /d 1 /f
Or using PowerShell:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown" -Name "value" -Value 1
Also, you can hide other options in the Start Menu and Windows sign-in screen:
- Hide only the Restart option in Windows: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart" /v "value" /t REG_DWORD /d 1 /f
- Hide the Hibernate option from the Start Menu in Windows: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate" /v "value" /t REG_DWORD /d 1 /f
- Hide Sleep from the Start Menu: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep" /v "value" /t REG_DWORD /d 1 /f
- To completely disable the Power button and remove the “Shut down or sign out” option from the WinX menu: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton" /v "value" /t REG_DWORD /d 1 /f
Please note that in Windows Server 2019/2022, after assigning restart permission to a user, an error may appear:
In this case, you need to enable the UAC parameter “User Account Control: Run all administrators in Admin Approval Mode” in the GPO:
If you have granted permission to reboot a computer for a non-admin user, you may want to know who restarted a Windows Server : a user or one of the administrators.
Use the Event Viewer (eventvwr.msc) to search for shutdown logs in Windows. Go to Windows Logs -> System and filter the current log by Event ID 1074.
As you can see, the server restart events are listed in the log in chronological order. The event description includes the restart time, the reason, and the user account that restarted the host.
You can also get information about recent Windows shutdown events in the same log using Event ID 1076:
Use the following simple PowerShell script to list the last ten computer restart and shutdown events. The list contains the names of the users and processes from which the reboot was initiated.
```powershell
Get-EventLog -LogName System | Where-Object { $_.EventId -eq 1074 } | Select-Object -First 10 | ForEach-Object {
    # Build an empty object and fill it from the event's replacement strings.
    $rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode
    if ($_.ReplacementStrings[4]) {
        $rv.Date       = $_.TimeGenerated
        $rv.User       = $_.ReplacementStrings[6]   # account that requested the shutdown
        $rv.Process    = $_.ReplacementStrings[0]   # process that initiated it
        $rv.Action     = $_.ReplacementStrings[4]   # restart / power off
        $rv.Reason     = $_.ReplacementStrings[2]
        $rv.ReasonCode = $_.ReplacementStrings[3]
        $rv
    }
} | Select-Object Date, Action, Reason, User, Process | Format-Table
```
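The same audit can be done with Get-WinEvent, which also works on PowerShell 7 where Get-EventLog is no longer available. The following is an added example, not the article's script: it reads events 1074 and 6008 (the latter marks an unexpected shutdown with no user recorded), and flags restarts initiated by accounts outside the local Administrators group, which is what you want to watch once SeShutdownPrivilege or SeRemoteShutdownPrivilege has been granted to ordinary users. Function names are assumptions; the host name hamb-rds01 is the one used in the article.

```powershell
function Get-ShutdownEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 20
    )
    # 1074: a process requested a shutdown/restart (planned, user recorded).
    # 6008: the previous shutdown was unexpected (power loss, crash), no user recorded.
    $filter = @{ LogName = 'System'; Id = 1074, 6008 }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Id -eq 1074) {
            # Message template of 1074: "The process %1 has initiated the %5 of computer %2
            # on behalf of user %7 for the following reason: %3 Reason Code: %4 ..."
            # Properties[] is zero-based, so %1 -> [0] and %7 -> [6].
            $p = @($e.Properties | ForEach-Object Value)
            [pscustomobject]@{
                Time = $e.TimeCreated; Id = $e.Id; Action = $p[4]
                User = $p[6]; Process = $p[0]; Reason = $p[2]; ReasonCode = $p[3]
            }
        } else {
            [pscustomobject]@{
                Time = $e.TimeCreated; Id = $e.Id; Action = 'unexpected shutdown'
                User = $null; Process = $null; Reason = $null; ReasonCode = $null
            }
        }
    }
}

function Find-NonAdminRestart {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Accounts whose restarts are expected: the local Administrators of the machine
        # running this script, plus SYSTEM because Windows Update restarts are logged under it.
        [string[]]$TrustedAccounts = @(Get-LocalGroupMember -Group Administrators -ErrorAction SilentlyContinue | ForEach-Object Name) + 'NT AUTHORITY\SYSTEM'
    )
    Get-ShutdownEvent -ComputerName $ComputerName |
        Where-Object { $_.Id -eq 1074 -and $_.User -and ($TrustedAccounts -notcontains $_.User) }
}

# Example usage:
# Get-ShutdownEvent -ComputerName 'hamb-rds01' | Format-Table Time, Action, User, Process, Reason
# Find-NonAdminRestart -ComputerName 'hamb-rds01'
```

When auditing a remote host, pass its own administrator list via -TrustedAccounts, since the default is read from the machine where the script runs.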
So sad that there’s no option to disable only shutdown. I have a need to allow user to restart their machines but not shutdown.
FYI you can hide shutdown from the start menu using HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown
Thanks, but even so an advanced user would know to turn it off using other ways.
Thank you MT.. this helped..
On Windows 11, this did work, however, a user who is blocked from restarting/shutting down in this way, can still press Control-Alt-Delete and has the restart/shutdown option in the lower right hand corner. Is there a way to remove that, too?
I just actually tried it from a “non-privileged” account. The good news is that although the options appear, they don’t actually work. 🙃
FIX: To sign in remotely, you need the right to sign in through Remote Desktop Services – Server 2016 (Solved)
This tutorial contains instructions to fix the error "To sign in remotely, you need the right to sign in through Remote Desktop Services", which appears when Windows Remote Desktop (RDP) client machines try to connect to a Windows Server 2016 that is running Remote Desktop Services.
Problem in details: Remote Desktop Client users cannot connect remotely (through RDP) to Terminal Server 2016 and receive the error: “ To sign in remotely, you need the right to sign in through Remote Desktop Services. By default members of the Administrators group have this right. If the group you’re in does not have the right, or if the right has been removed from the Administrators group, you need to be granted the right manually.”
How to FIX: To sign in remotely, you need the right to sign in through Remote Desktop Services.
To resolve the "To sign in remotely, you need the right to sign in through Remote Desktop Services" error, apply the following actions on the Remote Desktop Services (RDS) Server 2016:
Step 1. Add Remote Desktop Users to the Remote Desktop Users Group.
1. Open Server Manager.
2. From the Tools menu, select Active Directory Users and Computers. *
* Note: If the RD Session Host Server is not installed on the Domain Controller, use the 'Local Users and Groups' snap-in or the 'Remote' tab in the 'System Properties' to add the remote desktop users.
3. Double-click your domain on the left and then select Builtin.
4. Open Remote Desktop Users in the right pane.
5. On the Members tab, click Add.
6. Type the AD users that you want to give remote access to the RDS Server and click OK.
7. After selecting the remote desktop users, click OK again to close the window.
8. Continue to step 2 below.
Step 2. Allow log on through Remote Desktop Services.
1. Open the Group Policy Editor. To do that:
   a. Simultaneously press the Windows + R keys to open the Run command box.
   b. Type gpedit.msc and press Enter.
2. In the Group Policy Editor navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
3. In the right pane, double-click Allow log on through Remote Desktop Services.
4. Click Add User or Group.
5. Type remote and then click Check Names.
6. Select Remote Desktop Users and click OK.
7. Click OK in the 'Select users, computers…' window.
8. Finally click OK again and close the Group Policy Editor.
9. Now try to connect from the remote desktop client. The remote sign-in problem should be solved now. *
* Notes: 1. If you still have sign-in problems, restart the RDS server, or open a command prompt as administrator and type the following command to apply the new group policy settings (without a restart):
- gpupdate /force
2. (Thanks to 'Jeff Flora' for his comment/solution): If the problem is not resolved after updating the Group Policy settings, apply the following modification in the Group Policy Editor:
   a. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
   b. Open the Deny log on through Remote Desktop Services policy and remove the Users group.
   c. Close the Policy Editor and run the gpupdate /force command.
That’s it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.
I remain grateful for this piece.
this helped me solve my problem… thank you
if using Hyper-V you have to turn on 'enhanced session' for this to work, otherwise permissions are still denied. thanks!
OMG THANKS. Didn't completely solve my issue, but for whoever might be struggling, make sure you modify the GPO as an administrator if you are in a domain. Same steps as the GPE, but in GPMC on the domain controller of your domain.
If this does not work for you, check the default domains controllers policy
Helped me!!! Thanks!!!
Thank you for having the insight to highlight Jeff Flora's bright comment because that was right for what I needed.
Thank you sooo much it worked….
if you use a Virtual lab and you get this message "To sign in remotely, you need the right to sign in through Remote Desktop Services" you can: 1: disable the Enhanced Session mode in the virtual machine. 2: edit the group policy "Allow log on locally"; it is just above the policy in the tutorial.
have a nice day.
Thank you! So much!!! I just spent 6 hours, over two days. I just disabled the Enhanced session in Win10 Hyper-v and it worked. Srv2016 and client Wind10
You are a lifesaver bro. Having my apprenticeship exam today and this problem got me stuck for several hours.
Thanks man! Made my day
Very nice, it fixed the issue. Thank you
That worked for me – but I had to restart my machines. Doing a gpupdate /force did not do it on its own.
This did not resolve my problem… However, removing the users group from "Local Policies > User Rights Assignment > Deny log on through Remote Desktop Services" and running "gpupdate /FORCE" allowed me to log in.
A few notes: The user account in question is in the administrator group, and not in the user group. It was also added to the Remote Desktop Users group. Not totally sure why this was necessary for this administrator account I created.
Thanks Jeff!!! that fixed my issue. I've tried to research this for days!
it helped me to resolve the issue for the client.
How to grant remote desktop right to a user in Windows Server 2008?
I created a user and added it to the group Remote Desktop Users but I still cannot remote in using mstsc. The error message said the user/group doesn't have the right to remote.
My question is how can I grant this right to the group?
- remote-desktop
- permissions
- user-accounts
- windows-server-2008
3 Answers
Check in the group policy editor (gpedit.msc) under Computer Config > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Find the entry for "Allow log on through remote desktop services" and "deny log on through remote desktop services", and see if the groups in question are in either of those categories. Deny permissions will usually override allow permissions.
On the Desktop: right-click Computer > Properties > Remote > Select Users > Add > Advanced > Find Now, then select any user and click OK.
Go to Active Directory:
1. Go to your domain name
2. Click on the user name and go to its properties
3. Set its properties and give it its policy
4. Remove the EVERYONE policy, click ADD, add your username and give your created policy to that user
User Rights Assignment
Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
This reference topic for the IT professional provides an overview of, and links to information about, the user rights available in the Windows operating system through the User Rights Assignment security policy settings.
User rights govern the methods by which a user can log on to a system. User rights are applied at the local computer level, and they allow users to perform tasks on a computer or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a computer and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.
Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment , or on the local computer by using the Local Group Policy Editor (gpedit.msc).
For information about setting security policies, see How to Configure Security Policy Settings .
The following table links to each security policy setting and provides the constant name for each. Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security.
Group Policy Setting | Constant Name |
---|---|
Access Credential Manager as a trusted caller | SeTrustedCredManAccessPrivilege |
Access this computer from the network | SeNetworkLogonRight |
Act as part of the operating system | SeTcbPrivilege |
Add workstations to domain | SeMachineAccountPrivilege |
Adjust memory quotas for a process | SeIncreaseQuotaPrivilege |
Allow log on locally | SeInteractiveLogonRight |
Allow log on through Remote Desktop Services | SeRemoteInteractiveLogonRight |
Back up files and directories | SeBackupPrivilege |
Bypass traverse checking | SeChangeNotifyPrivilege |
Change the system time | SeSystemtimePrivilege |
Change the time zone | SeTimeZonePrivilege |
Create a pagefile | SeCreatePagefilePrivilege |
Create a token object | SeCreateTokenPrivilege |
Create global objects | SeCreateGlobalPrivilege |
Create permanent shared objects | SeCreatePermanentPrivilege |
Create symbolic links | SeCreateSymbolicLinkPrivilege |
Debug programs | SeDebugPrivilege |
Deny access to this computer from the network | SeDenyNetworkLogonRight |
Deny log on as a batch job | SeDenyBatchLogonRight |
Deny log on as a service | SeDenyServiceLogonRight |
Deny log on locally | SeDenyInteractiveLogonRight |
Deny log on through Remote Desktop Services | SeDenyRemoteInteractiveLogonRight |
Enable computer and user accounts to be trusted for delegation | SeEnableDelegationPrivilege |
Force shutdown from a remote system | SeRemoteShutdownPrivilege |
Generate security audits | SeAuditPrivilege |
Impersonate a client after authentication | SeImpersonatePrivilege |
Increase a process working set | SeIncreaseWorkingSetPrivilege |
Increase scheduling priority | SeIncreaseBasePriorityPrivilege |
Load and unload device drivers | SeLoadDriverPrivilege |
Lock pages in memory | SeLockMemoryPrivilege |
Log on as a batch job | SeBatchLogonRight |
Log on as a service | SeServiceLogonRight |
Manage auditing and security log | SeSecurityPrivilege |
Modify an object label | SeRelabelPrivilege |
Modify firmware environment values | SeSystemEnvironmentPrivilege |
Perform volume maintenance tasks | SeManageVolumePrivilege |
Profile single process | SeProfileSingleProcessPrivilege |
Profile system performance | SeSystemProfilePrivilege |
Remove computer from docking station | SeUndockPrivilege |
Replace a process level token | SeAssignPrimaryTokenPrivilege |
Restore files and directories | SeRestorePrivilege |
Shut down the system | SeShutdownPrivilege |
Synchronize directory service data | SeSyncAgentPrivilege |
Take ownership of files or other objects | SeTakeOwnershipPrivilege |
IMAGES
VIDEO
COMMENTS
C) Open the ntrights.zip file, copy or move the ntrights.exe file into your C:\Windows\System32 folder, and click/tap on Continue to approve. 2 Open an elevated command prompt. 3 Type the command you want below into the elevated command prompt, and press Enter. (Add user or group to allow) ntrights +r SeRemoteInteractiveLogonRight -u " User or ...
Personal File Server - Get-UserRights.ps1 Alternative Download Link. or. Personal File Server - Get-UserRights.txt Text Format Alternative Download Link. In order to check the Local User Rights, you will need to run the above (Get-UserRights), you may copy and paste the above script in your Powershell ISE and press play.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. ... Removal of the Allow log on through Remote Desktop Services user right from other groups (or membership changes in these default groups) could limit the abilities of users who perform specific administrative roles in ...
Start → Run → secpol.msc. Security Settings\Local Policies\User Rights Assignment. Right pane → double-click on Allow log on through Remote Desktop Services → Add Users or Group → enter Remote Desktop Users. Start → Run → services.msc. Look for Remote Desktop Services and make sure the Log on account is Network Service, not Local System.. Check your event logs.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. ... Removal of the Allow log on through Remote Desktop Services user right from other groups (or membership changes in these default groups) could limit the abilities of users who perform specific administrative roles in ...
A Better Way to Grant Remote Desktop Rights. Modifying the default User Right Assignment security settings is a less preferred method of granting users the right to use Remote Desktop, particularly because URA group policies are not cumulative. Instead, the URA specified in the last GPO which is applied "wins," overwriting previously applied ...
Otherwise, users who normally become members of only the local group will also be added to the Remote Desktop Users AD group, ... This setting can be found under Computer Configuration > Policies > Windows Settings > Local Policies > User Rights Assignment. Summary. By default, only administrative accounts are allowed to establish a Remote ...
User rights are managed in Group Policy under the User Rights Assignment item. Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy ...
Enabling Remote Desktop. First, we need to enable Remote Desktop and select which users have remote access to the computer. Hit Windows key + R to bring up a Run prompt, and type "sysdm.cpl." Another way to get to the same menu is to type "This PC" in your Start menu, right click "This PC" and go to Properties:
Users must have this user right to log on over a Remote Desktop Services session that is running on a Windows-based member device or domain controller. ... Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
This is under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. By default, the Administrators and Remote Desktop Users groups are given remote logon rights, so users who are members of these groups are authorized to log on remotely to the server.
I have tried adding the user in the group policy editor to: Local Computer Policy → Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → "Allow log on through Remote Desktop Services" but unfortunately that hasn't made any difference. Thanks to anyone who can help
Open the Server Manager on another server that lets you log in. Right-click on Servers and click Add Servers. Add your RDS servers and click OK. Click Remote Desktop Services, select the RDS collection, and click Tasks → Edit Properties. Click Add, specify the users or groups to allow, and click OK and OK.
This is done using Start > Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment. Edit the policy setting "Allow log on through Remote Desktop Services" and add the user group to allow RDP access. Allow log on through Remote Desktop Services - This security setting determines which users or groups have ...
1. Press the Win + R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy.
2. Expand open Local Policies in the left pane of Local Security Policy, and click/tap on User Rights Assignment. (see screenshot below step 3)
3. In the right pane of User Rights Assignment, double click/tap on the policy (ex: "Shut down the system") you want to add users and/or ...
1. Press the Win+R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy.
2. Expand open Local Policies in the left pane of Local Security Policy, click/tap on User Rights Assignment, and double click/tap on the Deny log on through Remote Desktop Services policy in the right pane. (see screenshot below)
3.
The user rights assignment settings only affect the latter. ... As Todd's answer already mentioned, adding domain users and/or groups to the Remote Desktop Users local group is the supported method for granting remote desktop access. (Incidentally, you also need the "Access this computer from the network" right in order to establish a ...
In this case, you simply need to add the user to the local Remote Desktop Users group to allow them to connect to Windows Server via RDP:

1. Open the Local Users and Groups MMC snap-in (lusrmgr.msc) and navigate to the Groups section;
2. Double-click the Remote Desktop Users group;
3. Click the Add button and enter the name of the user (or group) you want to grant RDP access to;
Allow Remote Shutdown/Restart without Admin Permissions. You can allow some non-admin users to restart your Windows Server remotely using the shutdown command without granting them local administrator privileges, permission to log on through Remote Desktop (RDP), or local logon permissions (if this sign-in method is not allowed). To do it, add a user account to the Force shutdown from a remote ...
Add Remote Desktop Users to the Remote Desktop Users Group.

1. Open Server Manager.
2. From the Tools menu, select Active Directory Users and Computers.

Note: If the RD Session Host Server is not installed on the Domain Controller, use the 'Local Users and Groups' snap-in or the 'Remote' tab in the 'System Properties' dialog to add the remote desktop ...
Check in the group policy editor (gpedit.msc) under Computer Config > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Find the entry for "Allow log on through remote desktop services" and "deny log on through remote desktop services", and see if the groups in question are in either of those categories.
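The check described above (look at both the allow and the deny policy for the groups in question), together with the earlier note that an RDP logon also needs the "Access this computer from the network" right, can be scripted instead of done by eye in gpedit.msc. The following PowerShell is an added example written for this page; it is not code from the original post or from any of the quoted answers. It assumes an elevated PowerShell 5.1 or later session on the target machine (secedit.exe /export requires administrator rights), evaluates the token of the currently logged-on user, and uses the constant right names from the table at the top of the page. The function names (Get-UserRightsTable, ConvertTo-AccountName, Test-RdpLogonRights) are the example's own.

```powershell
# Added example, not from the original post or any quoted answer.
# Exports the effective User Rights Assignment once with secedit.exe and checks the
# current user's token against the allow and deny rights involved in an RDP logon.
# Assumptions: elevated session; secedit.exe present; right names are the constant names.

$RdpAllow = 'SeRemoteInteractiveLogonRight'      # Allow log on through Remote Desktop Services
$RdpDeny  = 'SeDenyRemoteInteractiveLogonRight'  # Deny log on through Remote Desktop Services
$NetAllow = 'SeNetworkLogonRight'                # Access this computer from the network
$NetDeny  = 'SeDenyNetworkLogonRight'            # Deny access to this computer from the network

function Get-UserRightsTable {
    # Returns @{ RightConstantName = @(string SIDs) } for the effective local policy,
    # which already includes anything a GPO has pushed down.
    $cfg = Join-Path $env:TEMP 'ura-export.inf'
    # /areas USER_RIGHTS limits the export to [Privilege Rights]; the file is UTF-16 with a BOM
    $null = secedit.exe /export /cfg $cfg /areas USER_RIGHTS
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated session' }
    $table = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $right, $value = $Matches[1], $Matches[2]
            $table[$right] = @($value -split ',' | ForEach-Object { $_.Trim() } |
                Where-Object { $_ -ne '' } | ForEach-Object {
                    if ($_.StartsWith('*')) {
                        $_.Substring(1)   # secedit writes principals as *SID, e.g. *S-1-5-32-555
                    } else {
                        # A bare account name is resolved to its SID so every entry compares alike
                        try {
                            (New-Object System.Security.Principal.NTAccount($_)).Translate(
                                [System.Security.Principal.SecurityIdentifier]).Value
                        } catch { $_ }
                    }
                })
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $table
}

function ConvertTo-AccountName {
    # Best-effort SID to name; an unresolvable SID (deleted account) is returned raw,
    # which is itself worth noticing in a rights audit.
    param([Parameter(Mandatory)][string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Test-RdpLogonRights {
    # Compares the current logon token (user SID plus all group SIDs, including well-known
    # ones such as Local account) with each right. Any deny hit wins over any allow hit.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $table = Get-UserRightsTable
    $hits = @{}
    foreach ($right in $RdpAllow, $RdpDeny, $NetAllow, $NetDeny) {
        $holders = if ($table.ContainsKey($right)) { $table[$right] } else { @() }
        $hits[$right] = @($holders | Where-Object { $tokenSids -contains $_ } |
                          ForEach-Object { ConvertTo-AccountName -Sid $_ })
    }
    [pscustomobject]@{
        Account         = $id.Name
        RdpAllowedVia   = $hits[$RdpAllow] -join ', '
        RdpDeniedVia    = $hits[$RdpDeny]  -join ', '
        NetAllowedVia   = $hits[$NetAllow] -join ', '
        NetDeniedVia    = $hits[$NetDeny]  -join ', '
        # Both allow rights must match and neither deny right may match
        RightsPermitRdp = ($hits[$RdpAllow].Count -gt 0 -and $hits[$RdpDeny].Count -eq 0 -and
                           $hits[$NetAllow].Count -gt 0 -and $hits[$NetDeny].Count -eq 0)
    }
}

Test-RdpLogonRights | Format-List
```

Run it as the user whose access you are troubleshooting (in an elevated prompt) and read the four "Via" fields: a populated RdpDeniedVia or NetDeniedVia explains a refused logon even when the allow side looks right, and a raw SID in any field points at a stale entry. The result is necessary but not sufficient: as the earlier answer notes, the user rights settings only cover the logon-right half, and membership in the Remote Desktop Users group (or Administrators) is still required for the RDP listener to accept the session.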
These SIDs can grant or deny access to all local accounts or all administrative local accounts - for example, in User Rights Assignments to "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services", as we recommend in our latest security guidance. Prior to the definition of these SIDs, you would ...
User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item. Each user right has a constant name and a Group Policy name associated with it. The constant names are used when ...