Deny logon through Remote Desktop Services

In this article, we will see how to allow or deny a user or group from logging in via Remote Desktop in Windows 10. This can be configured with a couple of options in Local Security Policy. These policies take priority over the settings you specify for Remote Desktop.

Remote Desktop Protocol, or just RDP, is a special network protocol which allows a user to establish a connection between two computers and access the Desktop of a remote host. It is used by Remote Desktop Connection. The local computer is often referred to as the "client".

Here are some details about how RDP works. While any edition of Windows 10 can act as Remote Desktop Client, to host a remote session, you need to be running Windows 10 Pro or Enterprise. You can connect to a Windows 10 Remote Desktop host from another PC running Windows 10, or from an earlier Windows version like Windows 7 or Windows 8, or Linux. Windows 10 comes with both client and server software out-of-the-box, so you don't need any extra software installed. On other operating systems you may need to install some client app for RDP, e.g. xfreerdp on Linux.

Normally, you can add or remove Remote Desktop users in Windows 10 using the GUI options in System Properties. Additionally, you can force allow or force deny specific user accounts or groups from using RDP. Here's how it can be done.

If you are running Windows 10 Pro, Enterprise, or Education edition, you can use the Local Security Policy app to enable the UAC prompt for the built-in Administrators. All editions of Windows 10 can use a Registry tweak mentioned below.

To Allow Users or Groups to Logon with Remote Desktop in Windows 10,

  1. Press Win + R keys together on your keyboard and type: secpol.msc

    Press Enter.

  2. Local Security Policy will open. Go to User Local Policies -> User Rights Assignment.
  3. On the right, double-click the option Allow log on through Remote Desktop Services.
  4. In the next dialog, click Add User or Group.
  5. Click on the Advanced button.
  6. Now, click on the Object Types button.
  7. Ensure that you have the Users and Groups items checked and click on the OK button.
  8. Click on the Find now button.
  9. From the list, select the user account or group to allow log on through RDP for it. You can select more than one entry at once by holding the Shift or Ctrl keys and clicking on the items in the list.
  10. Click on the OK button to add the selected items to the Object names box.
  11. Click on the OK button to add the selected items to the policy list.

You are done.

To undo the change, remove the user account from the list in the Allow log on through Remote Desktop Services policy.

If your Windows edition doesn't include the secpol.msc tool, you can use the ntrights.exe tool from Windows 2003 Resource Kit. Many resource kit tools released for previous Windows versions will run successfully on Windows 10. ntrights.exe is one of them.

The ntrights tool

The ntrights tool allows you to edit user account privileges from the command prompt. It is a console tool with the following syntax.

  • Grant a right: ntrights +r Right -u UserOrGroup [-m \\Computer] [-e Entry]
  • Revoke a right: ntrights -r Right -u UserOrGroup [-m \\Computer] [-e Entry]

The tool supports plenty of privileges which can be assigned to or revoked from a user account or group. Privileges are case sensitive. To learn more about the supported privileges, type ntrights /?.

To add ntrights.exe to Windows 10, read this post: What is the ntrights app and how you can use it. You can place the ntrights.exe file in the C:\Windows\System32 folder to quickly call it.

Allow users or groups to log on remotely via RDP with ntrights

  1. Open an elevated command prompt.
  2. Type the following command to grant the right to log on remotely with RDP to a user or group: ntrights -u SomeUserName +r SeRemoteInteractiveLogonRight

    Substitute the SomeUserName portion with the actual user name or group name.

  3. To undo the change, execute ntrights -u SomeUserName -r SeRemoteInteractiveLogonRight

You are done.

To Deny Users or Groups to Logon with Remote Desktop in Windows 10,

  1. Press Win + R keys together on your keyboard and type: secpol.msc

    Press Enter.

  2. Local Security Policy will open. Go to User Local Policies -> User Rights Assignment.
  3. On the right, double-click the option Deny log on through Remote Desktop Services.
  4. In the next dialog, click Add User or Group.
  5. Click on the Advanced button.
  6. Now, click on the Object Types button.
  7. Ensure that you have the Users and Groups items checked and click on the OK button.
  8. Click on the Find now button.
  9. From the list, select the user account or group to deny log on through RDP for it. You can select more than one entry at once by holding the Shift or Ctrl keys and clicking on the items in the list.
  10. Click on the OK button to add the selected items to the Object names box.
  11. Click on the OK button to add the selected items to the policy list.

You are done.

To undo the change, remove the user account from the list in the Deny log on through Remote Desktop Services policy.

Deny users or groups from using RDP with ntrights

  1. Open an elevated command prompt.
  2. Type the following command to prevent the user from logging on remotely with RDP: ntrights -u SomeUserName +r SeDenyRemoteInteractiveLogonRight

    Substitute the SomeUserName portion with the actual user name or group name.

  3. To undo the change, execute ntrights -u SomeUserName -r SeDenyRemoteInteractiveLogonRight

You are done.
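
To verify the result of any of the procedures above, the following PowerShell script (an added example, not part of the original article) exports the local user rights with secedit and lists who currently holds the allow and deny RDP logon rights. The scratch file name and the Resolve-Principal helper are assumptions made for illustration.

```powershell
# Added example: audit the two RDP logon rights. Run from an elevated PowerShell prompt.
$rights = 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
$cfg    = Join-Path $env:TEMP 'user_rights_export.inf'   # assumed scratch file name

# secedit ships with Windows; /areas USER_RIGHTS limits the export to privilege assignments.
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

function Resolve-Principal([string]$Entry) {
    # Hypothetical helper: secedit writes most principals as *S-1-...; translate to a name.
    $value = $Entry.Trim()
    if (-not $value.StartsWith('*S-')) { return $value }
    $sid = $value.TrimStart('*')
    try {
        [System.Security.Principal.SecurityIdentifier]::new($sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        "$sid (unresolved)"   # deleted account or unreachable domain
    }
}

# Parse lines such as: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
$assigned = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $rights -contains $Matches[1]) {
        $name = $Matches[1]
        $assigned[$name] = @($Matches[2] -split ',' |
            Where-Object { $_.Trim() } |
            ForEach-Object { Resolve-Principal $_ })
    }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# A right with no holders may have no line in the export, so treat a missing key as empty.
foreach ($right in $rights) {
    $holders = if ($assigned.ContainsKey($right)) { $assigned[$right] } else { @() }
    [pscustomobject]@{ Right = $right; Holders = ($holders -join '; ') }
}

# The deny right takes precedence, so a principal listed under both rights is blocked.
# Only direct entries are compared here; nested group membership is not expanded.
$allow = @($assigned['SeRemoteInteractiveLogonRight'])
$deny  = @($assigned['SeDenyRemoteInteractiveLogonRight'])
$allow | Where-Object { $_ -and ($deny -contains $_) } |
    ForEach-Object { Write-Warning "$_ is in both lists; deny wins." }
```

Running it before and after a change with secpol.msc or ntrights shows whether the intended account or group was actually added or removed.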

Author: Sergey Tkachenko

Sergey Tkachenko is a software developer from Russia who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software.