Active Directory Domain Controller (AD-DS) is an important Windows infrastructure role. In some circumstances you will have to provide remote access (RDP) to your helpdesk and/or support personnel so they can connect to those machines. In my case I needed to develop a plan to allow non “Domain Admin” personnel to remotely connect to our branch office DCs.
How to permit users to log on remotely to a domain controller?
Allowing non-admin users to remotely connect to a domain controller requires a couple of steps. Creating a security group and changing the “Default Domain Controller” group policy is how I achieved that in my configuration.
If you don’t do anything, then most probably people will contact you saying their remote desktop connection has been denied. E.g.
Start with creating a new Windows security group.
Add all required user accounts to the new security group. After you have added the user accounts, make the new security group a member of the “Remote Desktop Users” built-in group. Without this step these users won’t be allowed to use the Remote Desktop Protocol on the Windows Server.
Start the Group Policy Management Editor and edit the “Default Domain Controller” policy. Locate the “Allow log on through Remote Desktop Services” user rights setting (Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\). Add the new security group and close the management console.
If you are too quick trying to log on with a supporter account, the Domain Controller will show you the following message.
Make sure to wait until the “Default Domain Controller” policy has been processed, or run gpupdate /force. I ran the gpupdate command and tried to log on with a supporter account. The remote desktop connection worked successfully, and I was not a domain admin with this supporter account!
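The steps above as an added PowerShell example (this is not code from the original post). It assumes it runs on the domain controller as a Domain Admin with the ActiveDirectory RSAT module installed; the group name and the account names are placeholders. The GPO edit itself stays a GUI step; the script only verifies afterwards that the right was actually applied and that the new group grants nothing beyond RDP logon.

```powershell
# Added example, not from the original post: automates the group steps above and verifies
# the result on the DC. Run on the domain controller as a Domain Admin with RSAT installed.
Import-Module ActiveDirectory

$GroupName = 'DC-RDP-Support'             # placeholder name for the new security group
$Members   = @('helpdesk1', 'helpdesk2')  # placeholder sAMAccountNames of support staff

# 1. Create the security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Support staff allowed to RDP to domain controllers'
}

# 2. Add the support accounts to it.
Add-ADGroupMember -Identity $GroupName -Members $Members

# 3. Nest it in the built-in "Remote Desktop Users" group of the DC.
Add-ADGroupMember -Identity 'Remote Desktop Users' -Members $GroupName

# 4. The "Allow log on through Remote Desktop Services" entry in the Default Domain
#    Controllers GPO is still edited in the GUI (step above). After that, refresh policy and
#    confirm the group's SID now appears in SeRemoteInteractiveLogonRight on this DC.
gpupdate /force | Out-Null
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right    = (Get-Content $cfg) -match '^SeRemoteInteractiveLogonRight'
$groupSid = (Get-ADGroup $GroupName).SID.Value
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($right -and ($right -match [regex]::Escape($groupSid))) {
    "OK: $GroupName ($groupSid) holds SeRemoteInteractiveLogonRight"
} else {
    "Not applied yet: wait for the GPO to be processed, then re-run this check"
}

# 5. Least-privilege check: the RDP group must not also be a direct member of a group
#    that grants administrative rights on the DC.
$groupDn = (Get-ADGroup $GroupName).DistinguishedName
foreach ($priv in 'Administrators', 'Domain Admins', 'Server Operators') {
    $members = (Get-ADGroup $priv -Properties Members -ErrorAction SilentlyContinue).Members
    if ($members -contains $groupDn) { Write-Warning "$GroupName is a member of $priv" }
}
```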
Abdul Wahab
Thanks man, you helped me.
Chris
I’m trying the other way around, remote log in from Win Server 2008 R2 to Win 7, as a domain administrator, and I get the “…Allow log on through Terminal Services…” window. Domain admin is a member of the local Administrators group, and I also added it to the Remote Desktop Users group.
Jeevan
Hi,
Your answer is correct, but when allowing domain users for RDP they are also getting admin rights, so that they can create, modify and delete any data on the server, which should not happen.
Please do revert…
Chris
Hi Jeevan, I don’t understand your reply. Please elaborate?
This is a controlled environment, not an enterprise setup, only I use this setup. I just want to know how to alleviate the restriction.
Tommy
Note – You need to add domain\Administrator to the list or the administrator won’t get RDP access