Archived Forums
>Remote Desktop Services [Terminal Services]
Question
-
0
Sign in to vote
Hello,
I have a fairly standard Windows Server 2016 standard here which refuses every user who is not an Administrator login via RDS:
Failure Information:
Failure Reason: The user has not been granted the requested logon type at this machine.
Status: 0xC000015B
Sub Status: 0x0What I did:
- Installed server
- Installed AD
- Installed RDS roles session host and licensing manager only [not the "Remote Desktop Service Installation"]
- Installed licenses.
- Everything worked. Users [non-administrators] in group "domain users" could login [after allowing it obviously]
- Realized, that the remote host management mmc [the one available up to server 2008r2] is not available without the full installation of gateways etc via the installation wizard
- run the"Remote Desktop Service Installation", filled all the fields.
- Added Group "domain users" to the allowed user groups in Server Manager|RDS|Collections|my collection|Properties
- No login possible.
I read the forums and i think I tried everything and wonder if this might be a bug. I welcome advice what to do, maybe I forgot something or how to somehow reset the whole mess without re-installing the server.
PAT
Tuesday, August 1, 2017 2:39 PM
All replies
-
3
Sign in to vote
Hi,
Please run secpol.msc. Under Security Settings\ Local Policies\ User Rights Assignment\ Allow log on through Remote Desktop Services is Remote Desktop Users group listed? If notplease add it and test again.
Thanks.
-TP
- Proposed as answer by Amy Wang_ Wednesday, August 2, 2017 2:37 AM
Tuesday, August 1, 2017 4:08 PM
-
1
Sign in to vote
Ok, the solution was this:
As the server is a DC as well, there get's aDefault Domain Controllers Policy installed by default which sets this policy:
Policies
Windows Settings
Security Settings
Local Policies/User Rights Assignment
Policy Setting
Allow log on locallyAnd in this setting there are only admins. You need to add the group you wish to allow logging in via /RDP/ to the policy allowing users to log in /LOCALLY/. This a] doesn't make sense [I understand why there is such a policy, but it is named misleading] and b] does not one single thing in the RDS admin panel give a hint about a conflicting policy on the server and this is just lazy.
- Marked as answer by perler2 Monday, August 7, 2017 5:09 PM
Monday, August 7, 2017 5:09 PM
-
0
Sign in to vote
Hi,
Adding a note that on Domain Controllers, the Allow Logon through Terminal/Remote DesktopServices GP setting does not include the Remote desktop Users group. This is because it is not considered a best practice to allow users to connect to sessions on a DC. If for some reason you do need to allow RDP access to a Domain Controller, you will have to add the group back in manually.
Best Regards,
Amy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact .Tuesday, August 8, 2017 2:22 AM
-
0
Sign in to vote
hi .. how if this setting its cannot add ... ? cause its cannot click the button of the add .. what the possible problem do u think ?
Monday, August 6, 2018 4:55 AM
15 Replies
· · ·
Serrano
OP
Nov 18, 2015 at 17:15 UTC
Brand Representative for Virsage
Double check the tab in AD Users & Computers under "Remote Desktop Services Profile" make sure it is NOT checked for "Deny this user permissions to log on to Remote Desktop Session Host Server."
1
· · ·
Mace
OP
Nov 18, 2015 at 17:15 UTC
Brand Representative for AJ Tek
Check on the RDS server that the Local Remote Desktop Users group has an entry in there for either your AD Remote Desktop Users group, or something else like Domain Users.
1
· · ·
Datil
OP
Nov 18, 2015 at 17:19 UTC
Also check the local computer if the users are member of the remote desktop group.
2
· · ·
Jalapeno
OP
Nov 18, 2015 at 17:36 UTC
This seems to be at least part of the problem. The local Remote Desktop Users group is empty but I cannot add the AD Remote Desktop Users group to it. I can add other groups like Domain Admins and they can now log in fine but Remote Desktop Users object cannot be found.
0
· · ·
Datil
OP
Nov 18, 2015 at 17:42 UTC
Are your users RDP'ing to a RDP server or their workstations?
Try adding just a single user and not the whole group for now and then test it.
0
· · ·
Jalapeno
OP
Nov 18, 2015 at 17:46 UTC
Users are connecting to their workstations. I can add an individual user and it works fine. It seems that none of the AD built-in security groups are visible to add.
0
· · ·
Datil
OP
Nov 18, 2015 at 17:48 UTC
How many users are we talking about here? It would be easier if you just add them individually.
0
· · ·
Jalapeno
OP
Nov 18, 2015 at 17:50 UTC
Around 50 users. I'd rather not add them manually, especially since I know this should work- in fact it did work up until a few days ago.
0
· · ·
Datil
OP
Best Answer
Nov 18, 2015 at 18:04 UTC
Tyson3790 wrote:
Around 50 users. I'd rather not add them manually, especially since I know this should work- in fact it did work up until a few days ago.
You're right.
check this out: //social.technet.microsoft.com/Forums/windowsserver/en-US/d53a59f4-ff06-4f9b-bfdf-8dc6708844da...
What do you think changed before it stopped working?
1
· · ·
Jalapeno
OP
Nov 18, 2015 at 18:29 UTC
-Aldrin- wrote:
Tyson3790 wrote:
Around 50 users. I'd rather not add them manually, especially since I know this should work- in fact it did work up until a few days ago.
You're right.
check this out: //social.technet.microsoft.com/Forums/windowsserver/en-US/d53a59f4-ff06-4f9b-bfdf-8dc6708844da...
What do you think changed before it stopped working?
If I understand this right, the built-in Remote Desktop Users group is for DC's only and cannot be applied to workstations. I created a new security group called RDP Users and added my remote users to that, then added the RDP Users group to the "Allow log on through Remote Desktop Services" GPO and everything works.
I don't know what changed but obviously it wasn't set up originally the way I thought it was. Thanks for the help.
0
· · ·
Datil
OP
Nov 18, 2015 at 18:45 UTC
Tyson3790 wrote:
-Aldrin- wrote:
Tyson3790 wrote:
Around 50 users. I'd rather not add them manually, especially since I know this should work- in fact it did work up until a few days ago.
You're right.
check this out: //social.technet.microsoft.com/Forums/windowsserver/en-US/d53a59f4-ff06-4f9b-bfdf-8dc6708844da...
What do you think changed before it stopped working?
If I understand this right, the built-in Remote Desktop Users group is for DC's only and cannot be applied to workstations. I created a new security group called RDP Users and added my remote users to that, then added the RDP Users group to the "Allow log on through Remote Desktop Services" GPO and everything works.
I don't know what changed but obviously it wasn't set up originally the way I thought it was. Thanks for the help.
Glad I was able to help!
0
· · ·
Serrano
OP
Nov 24, 2015 at 15:04 UTC
Just wanted to confirm you found the right solution. "Remote Desktop Users" can be consider like a dynamic group rather than an actual security group. You need to create your own security group [call it MyRemoters or such]. Then you add MyRemoters to Remote Desktop Users. Once you do that, you can work with MyRemoters via Group Policy and other tools without issue.
0
· · ·
Jalapeno
OP
Nov 24, 2015 at 15:16 UTC
FreakyFerret wrote:
Just wanted to confirm you found the right solution. "Remote Desktop Users" can be consider like a dynamic group rather than an actual security group. You need to create your own security group [call it MyRemoters or such]. Then you add MyRemoters to Remote Desktop Users. Once you do that, you can work with MyRemoters via Group Policy and other tools without issue.
I did create my own security group [RDP Users] but I didn't even add that group to the built-in Remote Desktop Users group. I just added the RDP Users group to the "Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services" GPO.
0
· · ·
Serrano
OP
Nov 24, 2015 at 15:59 UTC
Hi Tyson,
Well, it was about 3 years ago I last set this up, so I might be a bit rusty on the details. One thing I remember for certain was having to create a new security group to get remote desktop services working. I could not use the built-in one. If you got it working though, sounds like you got it right. :]
0
· · ·
Jalapeno
OP
Dec 22, 2015 at 17:50 UTC
Update:
I just realized I left out a step in my last comment. I hadn't noticed that this was a requirement because my test machines already had this set up.
In addition to adding the RDP Users group to the "Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services" GPO...
You then have to also add the RDP Users group to the local Remote Desktop Users security group on each computer by using the following GPO: Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
Add New Local Group
Action: Update
Group Name: Remote Desktop Users
Members: Domain\RDP Users
Now ANY user that is a member of the RDP Users group can remotely login to any computer on which these two GPO's are applied.
2
This topic has been locked by an administrator and is no longer open for commenting.
To continue this discussion, please ask a new question.
FIX: To sign in remotely, you need the right to sign in through Remote Desktop Services – Server 2016 [Solved]
This tutorial contains instructions to fix the error "To sign in remotely, you need the right to sign in through Remote Desktop Services", when trying to connect from Windows Remote Desktop [RDP] Client machines on a Windows Server 2016 which is running Remote Desktop Services.
Problem in details: Remote Desktop Client users cannot connect remotely [through RDP] to Terminal Server 2016 and receive the error: “To sign in remotely, you need the right to sign in through Remote Desktop Services. By default members of the Administrators group have this right. If the group you’re in does not have the right, or if the right has been removed from the Administrators group, you need to be granted the right manually.”