I have a Windows 2016 server with Remote Desktop Services set up. Domain admins are able to log in via RDP but non-admins are not.
Group policy states that "Allow log on through Remote Desktop Services" should allow "Administrators" and "Remote Desktop Users". I pulled up the local group policy and can see this set on my RDP host correctly.
I created a new user who is only a part of "Domain Users" and "Remote Desktop Users". This user fails to log in. Looking at Event Viewer I see the following events for tmpuser:
Event 4624 - Account was successfully logged on. I can see my account successfully log in with username and password.
Event 4627 - Group Membership Information. This event does NOT show the user is part of "Remote Desktop Users".
Event 4776 - Computer attempted to validate the credentials for an account. Error Code: 0xC0000064
I then ran "net user tmpuser /domain" from the RDP host and can see that the user is part of "Remote Desktop Users"
So the user appears to log in, it checks group permissions, then appears to fail. The event for group membership doesn't show "Remote Desktop Users", but I'm wondering whether that is a red herring and local groups are just not shown in Event Viewer?
Info on local vs global groups in AD: https://community.spiceworks.com/topic/306028-when-to-use-a-domain-local-group-versus-global-group
AD is stored on another server.
Edit: Thank you for any assistance!
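The checks an administrator would run on the RDP host itself to see where the logon breaks, as an added PowerShell script that is not part of the original post. It assumes an elevated PowerShell 5.1 session on the Windows Server 2016 RDP host, uses only built-in tools (secedit, Get-LocalGroupMember, Get-WinEvent), and takes the account name from the post (tmpuser) as a placeholder parameter. It reads the effective holders of SeRemoteInteractiveLogonRight ("Allow log on through Remote Desktop Services"), lists the local Remote Desktop Users group with each member's source, then pulls the raw event data of 4627 and 4776 for that user: 4627 stores the token groups as SIDs in its XML, so membership is tested against the well-known SID S-1-5-32-555 rather than a display name, and 4776 statuses are decoded with a small table of common NTSTATUS values (0xC0000064 is STATUS_NO_SUCH_USER).

```powershell
# Added diagnostic script, not from the original post. Run elevated on the RDP host
# (Windows Server 2016, PowerShell 5.1). $User is a placeholder for the account under test.
param(
    [string]$User = 'tmpuser'
)

function Resolve-Sid([string]$Sid) {
    # Translate a SID string to DOMAIN\Name; unresolvable SIDs are returned as-is.
    try   { (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { "<unresolved $Sid>" }
}

function Get-EventData([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event) {
    # Return the EventData fields of a Security event as a hashtable keyed by field name.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# --- 1. Effective holders of "Allow log on through Remote Desktop Services" -------------
# secedit exports the applied policy; the right is stored as SeRemoteInteractiveLogonRight
# with a comma-separated list of *SID entries (or plain names it could not resolve).
$cfg = Join-Path $env:TEMP 'rdp-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

Write-Host "SeRemoteInteractiveLogonRight is granted to:"
if ($line) {
    foreach ($entry in (($line -split '=', 2)[1].Trim() -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = $entry.TrimStart('*')
            Write-Host ("  {0,-45} {1}" -f $sid, (Resolve-Sid $sid))
        } else {
            Write-Host "  $entry"
        }
    }
} else {
    Write-Host "  (right not present in the exported policy)"
}

# --- 2. Members of the local Remote Desktop Users group (BUILTIN, S-1-5-32-555) ---------
# PrincipalSource shows whether each member is Local or ActiveDirectory.
Write-Host "`nMembers of BUILTIN\Remote Desktop Users:"
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Format-Table Name, ObjectClass, PrincipalSource -AutoSize | Out-String | Write-Host

# --- 3. Token group membership recorded at logon (event 4627) ---------------------------
# 4627 lists every group SID in the logon token, local and domain alike. A group missing
# here was not applied to that session regardless of what 'net user' reports.
$nameRx = "(^|\\)$([regex]::Escape($User))$"
$tokenEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4627 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventData $_ } |
    Where-Object { $_.TargetUserName -match $nameRx }

Write-Host "`nToken group membership from event 4627 (most recent first):"
foreach ($ev in ($tokenEvents | Select-Object -First 3)) {
    # Raw entries look like %{S-1-5-32-555}; the message text only shows the resolved names.
    $sids = $ev.GroupMembership -split '[\r\n\t]+' | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
        ForEach-Object { if ($_ -match '^%\{(S-[\d-]+)\}$') { $Matches[1] } else { $_ } }
    $hasRdu = $sids -contains 'S-1-5-32-555'
    Write-Host ("  {0}\{1}  LogonType={2}  RemoteDesktopUsersInToken={3}" -f $ev.TargetDomainName, $ev.TargetUserName, $ev.LogonType, $hasRdu)
    foreach ($s in $sids) { Write-Host ("      {0,-45} {1}" -f $s, (Resolve-Sid $s)) }
}

# --- 4. NTLM credential validation results (event 4776) ---------------------------------
$ntStatus = @{
    '0x0'        = 'STATUS_SUCCESS'
    '0xc0000064' = 'STATUS_NO_SUCH_USER (name not found in the domain that was queried)'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc000006f' = 'STATUS_INVALID_LOGON_HOURS'
    '0xc0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xc0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xc0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}
Write-Host "`nRecent credential validations (event 4776) for ${User}:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventData $_ } |
    Where-Object { $_.TargetUserName -match $nameRx } |
    Select-Object -First 5 |
    ForEach-Object {
        $code = ([string]$_.Status).ToLower()
        $desc = if ($ntStatus.ContainsKey($code)) { $ntStatus[$code] } else { 'status not in table' }
        Write-Host ("  package={0} workstation={1} status={2} {3}" -f $_.PackageName, $_.Workstation, $_.Status, $desc)
    }
```

Read the three outputs together: step 1 must list S-1-5-32-555 (or a group the user actually sits in), step 3 must show that same SID in the user's 4627 token, and step 4 should show 0x0 for the account. Whichever of the three does not line up is where the failure sits; in particular a 4776 with a non-zero status for an account that 4624 reports as logged on usually means a second validation against a different name or domain than the one that succeeded, which is worth comparing against the Workstation and TargetDomainName fields printed here.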