Got the following message when attempting to connect as a domain administrator:
"To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right. If the group you are in doesn’t have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually."
So, I was unable to access the Active Domain Server through remote desktop. I have this AD Server installed as VMware VM as a part of my testing infrastructure, so it was kind of tedious accessing the server from the VMware management console when this is the server I access the most. Of course, the solution also applies to a physical server.
The main problem for this issue is that the user is trying to access might not be part of the Security Policy Setting. So, first let’s try to add this user in Local Security Policy.
From the server (AD server):
Administrative Tools --> Local Security Policy (Or run secpol.msc) -->Security Settings --> Local Policies --> User Rights Assignment. Double click in Allow log on through Remote Desktop Services.
From here, add the user o group that you are trying to access remotely to the server. If the option is available (Not grayed out), simply add the user here and you will be able to access. In my case, I was trying to access using the Administrator account.
If this option is grayed out, we need to add the policy to the GPO, but first, we need to find out what is the policy associated. Follow these steps:
- Run msc
- Administrator on (Your domain) --> Computer Configuration --> Windows Setting --> Security Settings --> Local Policies --> User Rights Assignment. Double click in Allow log on through Remote Desktop Services.
- Open Precedence check what is the Policy Name, more often than not, this policy will be Default Domain Controller Policy
- Once you got the Policy Name, go to Group Policy Management and edit the Policy in Group Policy Objects
- Administrative Tools --> Group Policy Management --> Forest: (Your domain) --> Domains --> (Your domain) --> Group Policy Objects --> Right click on Default Domain Controller Policy (or the policy you found/has in Precedence tab) --> Edit…
- In Group Policy Manager Editor, go to:
- Default Domain Controller Policy --> Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment. Double click in Allow log on through Remote Desktop Services --> Add User or Group… --> Input the user or group you want to add, in my case is the administrator.
- After this, from Command Prompt, run gpupdate /force
- Now, you should be able to log in to your AD server using remote desktop.