remote desktop error

mahdi seif 1 Reputation point
2020-07-27T11:16:03.243+00:00

Hi,

I have a 2008 domain controller in my domain, and I configured user1 to log on to pc1 and so on (about 300 clients). Each user is, locally, a member of the "Remote Desktop Users" group. When I want to remote desktop to them from a Windows 10 computer, the system shows a message that "you are not allowed to logon this computer...", and when I use another computer to remote into the same system, or remove the log-on-to restriction, I can remote into that system. Why does this happen and how can I fix it?

Thanks, everybody.


6 answers

  1. Eleven Yu (Shanghai Wicresoft Co,.Ltd.) 10,691 Reputation points Microsoft Vendor
    2020-07-28T05:48:40.81+00:00

    Hi,

    Could you please clarify more about your issue? Are you logging on to the remote desktop by RDP? And what account are you using for logon? Also, do you mind telling us what log-on-to restriction you have configured?

    If your issue occurs only on one Windows 10 computer regardless of what account you use, please check whether a Group Policy Object is blocking RDP on this problematic computer.

    Open Local Group Policy Editor->Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections->find "Allow users to connect remotely by using Remote Desktop Services" policy

    Please ensure this policy is enabled on the local computer. If the setting for this policy is Disabled, Group Policy is blocking RDP connections.

    For more information, please refer to the links below.

    Allow log on through Remote Desktop Services
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services

    General Remote Desktop connection troubleshooting
    https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/troubleshoot/rdp-error-general-troubleshooting

    Or if the issue is related to the account you used for logon, please check the account properties in AD. Is there any configuration for "Log On To" of the account you used for RDP?
    If you do not check "All computers", then you will need to add all the computers to the list that you would like to locally and remotely log on to.

    Hope the information helps.

    Thanks,
    Eleven

  2. mahdi seif 1 Reputation point
    2020-07-28T09:38:16.79+00:00

    Thanks for the reply.
    1- I restrict users to log on to one PC in the domain! I mean user1 can only log on to pc1 (locally or by RDP), and it works fine when users log on locally or use other versions of Windows to remote into the system (like Windows Server 2012 or Windows 7).
    2- The Group Policy configuration was done before, and I use Remote Desktop on other Windows versions.
    3- I use the "Log On To" configuration to force users to use only one PC, and it works fine.
    4- I use the username and password of user1 to log on to pc1 remotely (no matter what the pc1 operating system is) from:
    a. Windows 10: I receive the message "System administrator has limited computers you can log on.....". In this case, when I remove the restriction from the Active Directory "Log On To" configuration, I am able to log in.
    b. Windows Server 2012 or 7: I log on successfully.


  3. Eleven Yu (Shanghai Wicresoft Co,.Ltd.) 10,691 Reputation points Microsoft Vendor
    2020-07-30T09:30:52.147+00:00

    Hi,

    Thanks for your detailed clarification to let us better understand your problem.

    I performed some lab tests on Windows 10 and found that if we restrict users' access to log on to particular computers, it also applies to the machines they RDP from.

    I know you have restricted user1 so that it can only log on to PC1. In this case, if we would like to use user1 to log on to pc1 remotely from a Windows 10 PC, we will also need to add this Windows 10 PC to the log-on-to computer list for user1 in AD.

    Versions before Windows 10, such as Windows Server 2012 or 7, may still log on successfully without adding the log-on-from PC.

    I also found the article below, and the clarification in it matches my lab test. Please check it as a reference.
    https://www.urtech.ca/2016/01/solved-rdp-the-system-administrator-has-limited-the-computers-you-can-log-on-with-log-on-to/

    Thanks,
    Eleven
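
The check described in the answer above (both the RDP target and the PC the client runs on must be in the account's "Log On To" list), as an added example that is not part of the original thread. The account names, computer names and the function name `Test-LogOnToForRdp` are constructed for illustration; the sample rows stand in for real `Get-ADUser` output so the script runs without a domain.

```powershell
# Added example; user and computer names below are constructed.
function Test-LogOnToForRdp {
    param(
        [string]$LogonWorkstations,             # comma-separated "Log On To" list from AD
        [Parameter(Mandatory)][string]$Target,  # computer being connected to
        [Parameter(Mandatory)][string]$Source   # computer the RDP client runs on
    )
    # An empty value corresponds to "All computers": no restriction applies.
    if ([string]::IsNullOrWhiteSpace($LogonWorkstations)) {
        return [pscustomobject]@{ Restricted = $false; Missing = @() }
    }
    $allowed = @($LogonWorkstations -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # -notcontains compares case-insensitively, which suits computer names.
    $missing = @($Target, $Source | Where-Object { $allowed -notcontains $_ })
    [pscustomobject]@{ Restricted = $true; Missing = $missing }
}

# Constructed rows standing in for the output of:
#   Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations
$users = @(
    [pscustomobject]@{ SamAccountName = 'user1'; LogonWorkstations = 'PC1';             Target = 'PC1' }
    [pscustomobject]@{ SamAccountName = 'user2'; LogonWorkstations = 'PC2,WIN10-ADMIN'; Target = 'PC2' }
    [pscustomobject]@{ SamAccountName = 'user3'; LogonWorkstations = $null;             Target = 'PC3' }
)
$source = 'WIN10-ADMIN'   # the PC the administrator connects from (constructed)

foreach ($u in $users) {
    $r = Test-LogOnToForRdp -LogonWorkstations $u.LogonWorkstations `
                            -Target $u.Target -Source $source
    if ($r.Missing.Count -gt 0) {
        # Proposed list = current entries plus whatever is missing.
        $fixed = (@($u.LogonWorkstations -split ',') + $r.Missing) -join ','
        '{0}: {1} -> {2} not covered by Log On To; proposed list: {3}' -f `
            $u.SamAccountName, $source, $u.Target, $fixed
        # To apply in a real domain: Set-ADUser $u.SamAccountName -LogonWorkstations $fixed
    } else {
        '{0}: {1} -> {2} is covered (restricted: {3})' -f `
            $u.SamAccountName, $source, $u.Target, $r.Restricted
    }
}
```

Run against real accounts, this lists which restricted users would need the administrative workstation added before it can be used as an RDP source, without widening any account to "All computers".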


  4. Eleven Yu (Shanghai Wicresoft Co,.Ltd.) 10,691 Reputation points Microsoft Vendor
    2020-08-07T04:58:58.767+00:00

    Hi,

    Thanks for your update.

    May I know if your win 10, win 7 and win server 2012 are all in the same domain with your PC1?

    How about if we set log on to as "All computers" for User1? Will the remote control succeed from win 10?

    Or will it be OK if we disable "Network Level Authentication" for RDP?

    Control Panel -> System and Security -> Allow remote access

    Under the Remote Desktop group, un-tick the checkbox "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)".

    Thanks,
    Eleven


  5. MotoX80 32,076 Reputation points
    2020-08-09T15:23:53.03+00:00

    What are you trying to accomplish?

    My experience has been that when you restrict a user to only log on to a given workstation, then you also have to define all file servers, web servers, DB servers, etc., that the user needs to access. Mapping a drive to a file server generates a network logon on the server. If user1 can only log on to pc1, then trying to access server1 will fail.

    For my previous employer, we only did that in special instances, like when we brought in a contractor to work on a very specific project and wanted to restrict network access.

    If you want to log on to pc2 as user99, then RDP from pc2 to pc1 and log on as user1, then define both pc1 and pc2 in the workstations that user1 is allowed to log on to.

    If user1 does not need to access any network resources, then don't use a domain account; define user1 as a local user on pc1.