HomeSystemsActive DirectoryUnable to access AD server using remote desktop + Add User or Group… is grayed out.

Unable to access AD server using remote desktop + Add User or Group… is grayed out.

In This Article:


Got the following message when attempting to connect as a domain administrator:


"To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right. If the group you are in doesn’t have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually."

So, I was unable to access the Active Domain Server through remote desktop. I have this AD Server installed as VMware VM as a part of my testing infrastructure, so it was kind of tedious accessing the server from the VMware management console when this is the server I access the most. Of course, the solution also applies to a physical server.


The main problem for this issue is that the user is trying to access might not be part of the Security Policy Setting. So, first let’s try to add this user in Local Security Policy.

From the server (AD server):

- Advertisement -

Administrative Tools --> Local Security Policy (Or run secpol.msc) -->Security Settings --> Local Policies --> User Rights Assignment. Double click in Allow log on through Remote Desktop Services.

image1Domain ControllerAc

From here, add the user o group that you are trying to access remotely to the server.  If the option is available (Not grayed out), simply add the user here and you will be able to access. In my case, I was trying to access using the Administrator account.

 If this option is grayed out, we need to add the policy to the GPO, but first, we need to find out what is the policy associated. Follow these steps:

  1. Run msc
  2. Administrator on (Your domain) --> Computer Configuration --> Windows Setting --> Security Settings --> Local Policies --> User Rights Assignment. Double click in Allow log on through Remote Desktop Services.
  3. Open Precedence check what is the Policy Name, more often than not, this policy will be Default Domain Controller Policy 
  1. Once you got the Policy Name, go to Group Policy Management and edit the Policy in Group Policy Objects
  2. Administrative Tools --> Group Policy Management --> Forest: (Your domain) --> Domains --> (Your domain) --> Group Policy Objects --> Right click on Default Domain Controller Policy (or the policy you found/has in Precedence tab) --> Edit…
  1. In Group Policy Manager Editor, go to:
  2. Default Domain Controller Policy --> Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment. Double click in Allow log on through Remote Desktop Services --> Add User or Group… --> Input the user or group you want to add, in my case is the administrator.
  1. After this, from Command Prompt, run gpupdate /force
  2. Now, you should be able to log in to your AD server using remote desktop.
Juan Mulford
Juan Mulford
I have been active in IT for over fourteen years now. I am a solutions architect, working with storage, virtualization, and VDI solutions. For the past ten years, I have been living and working in Taiwan.


  1. when you say run msc, in the below steps i believe something is missing. how do we open the windows that has the precedence tab?

    Run msc??????????
    Administrator on (Your domain) –> Computer Configuration –> Windows Setting –> Security Settings –> Local Policies –> User Rights Assignment. Double click in Allow log on through Remote Desktop Services.
    Open Precedence check what is the Policy Name, more often than not, this policy will be Default Domain Controller Policy

Leave a Reply

- Advertisement -

Popular Articles

Raspberry Pi OS in a Virtual Machine with VMware

Although the Raspberry Pi OS is designed and optimized for the Raspberry Pi module, it is possible to test and use it without its hardware, with VMware. This solution can be useful if you are a developer (or just a curious guy) and don't have a Raspberry Pi module with you
Unable to delete inaccessible datastore

Unable to delete an "inaccessible" datastore

I was switching my storage array, so I migrated the VMs from that old datastore/storage to a new datastore/storage. The old datastore was shared by 3 ESXi hosts, no cluster. After migrating the VMs and unmount/delete the datastore, it was still presented in two of the ESXi hosts and was marked as inaccessible.
This is not a valid source path / URL

This is not a valid source path / URL - SourceTree and Gitlab

I have been working on a project with a friend who set up a repository in Gitlab but even though I was able to view all projects on it, I couldn’t really join the repository. I was using SourceTree and Gitlab.

How to export a Virtual Machine using the VMware OVF Tool

The VMware OVF Tool is implemented by VMware for easily importing and exporting virtual machines in Open Virtualization Format (OVF) standard format. Here, I want to show you how to download and install it, and then how to use it from a Windows machine.
Couldn't load private key - Putty key format too new

Couldn't load private key - Putty key format too new

couldn't load private key - Putty key format too new.” This issue happens when you use PuTTygen to generate or convert to a ppk key. Here is how to fix it. 
- Advertisement -

Recent Comments