Difficulty creating a normal user on a single-forest domain who can remote desktop to a Windows 10 machine

Question

Difficulty creating a normal user on a single-forest domain who can remote desktop to a Windows 10 machine

Hi,

I have a small test network set up. There are two Windows 10 machines plus a single Windows Server 2019 Domain Controller. I have joined one of the Windows 10 machines to the domain. The DC is set up with two users I have created.

The first user 'AKAdmin' is in the administrators group and can make a Remote Desktop connection from the non-domain Win10 machine to the domain connected Win10 machine.

The second user 'AKUser' is in the 'Remote Desktop Users' and 'Users' group but cannot make a Remote Desktop connection from the non-domain Win10 machine to the domain connected Win10 machine.

I have created a group and pulled the Win10 domain connected machine in then created a Group Policy Object - Windows settings ->
Security Settings -> Local policies -> User Rights Assignment > Allow log on through terminal services and added the Remote Desktop Users group in the GPO settings. I have then linked that GPO to the Group with the domain connected Win10 machine in.

However, when I try to log into the domain connected Win10 machine using the AKUser account I get asked ot log in (enter username and password) but then cannot connect with the error - 'The connection was denied because the user account is not authorized for remote login'

I'm confused! Please help :-) !

TC

Answer 1

Eleven Yu (Shanghai Wicresoft Co,.Ltd.) 10,621 Microsoft Vendor

Hi,

It seems your setting is complicated. You do not need to create a group or GPO for the remote desktop users.

You can just put the user "AKuser" into the local remote desktop users group of the domain-joined windows 10 machine.

Edit local users and groups > Groups > Remote Desktop Users

Please try and see if it works.

Best Regards,

----------

If the answer is helpful, please click "Accept Answer" to help other community members find the helpful reply quickly. Thanks.

Tim C (ICS Security) 41 Reputation points

2022-09-08T10:37:36.063+00:00

I will try that, however does that not imply that for every user that has a domain account, I need to go to every local machine and add them manually? I will ultimately have over 400 users of this domain, with a mix of required remote desktop accesses needed.
Eleven Yu (Shanghai Wicresoft Co,.Ltd.) 10,621 Reputation points Microsoft Vendor

2022-09-09T03:38:16.81+00:00

If the remote machines are not so many, we suggest that you could manually add group "Domain\Domain Users" into the "Remote Desktop Users" group locally in those machines.

If there are many remote machines, except the GPO you have already set, you can also do following settings:

Create an OU and add the remote desktop machines in this OU > create a GPO linked to this OU - Computer Configuration > Preference > Control Panel Settings > Local Users and Groups > New > Local Group >Action: create, Group Name: Remote Desktop Users (built-in), Members: Domain\Domain Users (or the users need remote access)

Or Create an OU and add the remote desktop machines in this OU > create a GPO linked to this OU - Policies > Windows Settings > Security Settings > Restricted Groups > Add Group > Remote Desktop Users> Add members "Domain\Domain Users" to the group.

Hope the settings work.

Difficulty creating a normal user on a single-forest domain who can remote desktop to a Windows 10 machine

0 additional answers

Activity