I have a small test network set up. There are two Windows 10 machines plus a single Windows Server 2019 Domain Controller. I have joined one of the Windows 10 machines to the domain. The DC is set up with two users I have created.
The first user 'AKAdmin' is in the administrators group and can make a Remote Desktop connection from the non-domain Win10 machine to the domain connected Win10 machine.
The second user 'AKUser' is in the 'Remote Desktop Users' and 'Users' group but cannot make a Remote Desktop connection from the non-domain Win10 machine to the domain connected Win10 machine.
I have created a group and pulled the Win10 domain connected machine in then created a Group Policy Object - Windows settings ->
Security Settings -> Local policies -> User Rights Assignment > Allow log on through terminal services and added the Remote Desktop Users group in the GPO settings. I have then linked that GPO to the Group with the domain connected Win10 machine in.
However, when I try to log into the domain connected Win10 machine using the AKUser account I get asked ot log in (enter username and password) but then cannot connect with the error - 'The connection was denied because the user account is not authorized for remote login'
I'm confused! Please help :-) !
If the remote machines are not so many, we suggest that you could manually add group "Domain\Domain Users" into the "Remote Desktop Users" group locally in those machines.
If there are many remote machines, except the GPO you have already set, you can also do following settings:
Create an OU and add the remote desktop machines in this OU > create a GPO linked to this OU - Computer Configuration > Preference > Control Panel Settings > Local Users and Groups > New > Local Group >Action: create, Group Name: Remote Desktop Users (built-in), Members: Domain\Domain Users (or the users need remote access)
Or Create an OU and add the remote desktop machines in this OU > create a GPO linked to this OU - Policies > Windows Settings > Security Settings > Restricted Groups > Add Group > Remote Desktop Users> Add members "Domain\Domain Users" to the group.
Hope the settings work.