Remote Desktop Services group

Allow log on through Remote Desktop Services

• Article
• 10/28/2021
• 3 minutes to read
• 7 contributors

Is this page helpful?

Yes No

Any additional feedback?

Feedback will be sent to Microsoft: By pressing the submit button, your feedback will be used to improve Microsoft products and services. Privacy policy.

Submit

Thank you.

In this article

Applies to

• Windows10

Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting.

Allow log on through Remote Desktop Services

• Article
• 08/31/2016
• 4 minutes to read

In this article

Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for this policy.

Enable directory services group authorization for Remote Desktop

You can manage Remote Desktop authorization by using groups on a directory server. To enable group-based authorization for Remote Desktop access, create the groups in your directory services master directory domain. You must have access to your organization’s users and groups server.

1. In Remote Desktop Execute commands remotely.

2. Have the client computers join a Network Account Server [also known as “bind to a directory server”] by doing the following steps. [You might need to authenticate as a user with administrative privileges on the computer to change its network account server settings.]

   You might need to have to authenticate as a local user administrator to change the network account server settings.

   1. Choose Apple menu > System Preferences, then click Users & Groups.

   2. Select Login Options.

   3. Click Join, enter the domain name of the directory server, then click OK.

See alsoBasic network guidelines with Remote DesktopWireless network guidelines for use with Remote DesktopNAT router guidelines with Remote DesktopTCP and UDP port reference in Remote Desktop

What is Remote Desktop Group Policy

Almost all users who are interested in building safe connections between computers on the internet might have heard about RDP or VPN. RDP stands for the Remote Desktop Protocol. It is a network of communications protocol developed by Microsoft, to allow users to connect to another computer.

With RDP, one can connect to any computer that runs Windows. With RDP, you can connect to the remote PC, view the same display and interact as if you are working on that machine locally.

Some instances where you may need to use RDP include;

• When traveling or when on vacation and you need to access your work computer
• When you can’t go to your office due to certain reasons and you still need to fulfill your daily tasks
• When you are a system admin and you need to perform administrative duties on your PC such as computer troubleshooting, tune-up, ID protection setting, printer set-up, software installation, email setup, virus and spyware removal, among others.
• When you need to give a demo and you need to access data from a private device
• When you want to personalize your remote desktop on experiences such as resolution, connection setting, screen setting, toolbar, start menu, icons among others.

How to Enable Remote Desktop Remotely on Windows 10

The easiest way to enable Remote Desktop on the Windows operating system family is to use a Graphical User Interface [GUI]. To do this, you need to;

Open the “System” control panel, go to “Remote Setting” and enable the “Allow remote connection to this computer” option in the Remote Desktop section.

However, performing the above process will need local access to the computer on which you want to enable the RD.

By default, remote desktop is disabled in both desktop versions of Windows and in Windows Server.

How to Enable Remote Desktop Remotely Using PowerShell

Suppose you want to remotely enable RDP on Windows Server 2012 R2/2016/2019. Here is the procedure to achieve the same;

1. On your computer, open the PowerShell console and run the following commands to connect to your remote server.Enter-PSSession -ComputerName server.domain.local -Credential domain\administrator.
2. You will have established a remote session with a computer and now you can execute PowerShell commands on it. To enable Remote Desktop, you need to change registry parameter fDenyTSConnections from 1 to 0 on the remote machine. Run the command;Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0
3. When RDP is enabled this way [as opposed to GUI method] the rule that allows remote RDP connections is not enabled in the Windows Firewall rules.
4. To allow incoming RDP connections in Windows Firewall, run the command;Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
5. If for some reason the firewall rule is deleted, you can create it manually using the following commands.netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
6. In case you need to allow secure RDP authentication [NLA – Network Level Authentication] run the command;Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1
7. Now from your computer, you can check the TCP 3389 port on the remote host to see if it has become available. To do so, run the command below’Test-NetConnection 192.168.1.11 -CommonTCPPort RDP.
8. If successful, you should get results similar to what is shown below’

The above results mean RDP on the remote host is enables and you can establish a remote desktop connection using mstsc client.

How to Enable/Disable Remote Desktop Using Group Policy

You can enable or disable remote desktop using group policy. To do so, perform the following steps

1. Search gpedit.msc in the Start menu. In the program list, click gpedit.msc as shown below;
2. After Local Group Policy Editor opens, expand Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Connections.
3. On the right-side panel. Double-click on Allow users to connect remotely using Remote Desktop Services. See below;
4. Select Enabled and click Apply if you want to enable Remote Desktop. Select Disabled and click Apply if you need to disable it.

Now you will have enabled or disabled remote desktop using group policy

Network Level Authentication NLA on the remote RDP server

Network Level Authentication is a method used to enhance RD Session Host server security by requiring that a user be authenticated to RD session Host Server before a session can be created.

If you want to restrict who can access your PC, you can choose to allow access only with Network Level Authentication [NLA]. NLA is an authentication tool used in RDP Server. When a user tries to establish a connection to a device that is NLA enabled, NLA will delegate the user’s credentials from the client-side Security Support Provider to the server for authentication, before creating a session.

The advantages of Network Level Authentication is;

• It requires fewer remote computer resources initially.
• It can provide better security by reducing the risk of denial of service attacks.

To configure Network Level Authentication for a connection, follow the steps below.

1. On the RD Session Host Server, open Remote Desktop Session Host Configuration. To do so, click Start>>Adminstrative Tools1>>Remote Desktop Services>> Remote Desktop Session Host Configuration.
2. Under Connections, right-click the name of the connection and then click Properties.
3. On the General tab, select Allow the connection only from computers running Remote Desktop with Network Level Authentication checkbox
4. Click OK

Note, under step 3, if the “Allow connections only from computers running a remote desktop with network-level authentication” checkbox is not enabled, the “Require user authentication for remote connections by using network-level authentication” Group Policy setting has to be enabled, and has been applied to the RD Session Host Server.

Allow log on through Terminal Services

From ThinManager Knowledge Base

Jump to: navigation, search

Overview

By default, Windows Server does not allow login through remote desktop services by Non-Admin users. This can present problems when deploying ThinManager and configuring thin clients to use a regular user account.

Symptoms

When trying to login through remote desktop services to a server with a Non-Admin account, you will be prompted with the following error:

To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually.

Unable to Login

Overview

The MS-ISAC observes specific malware variants consistently reaching The Top 10 Malware list. These specific malware variants have traits allowing them to be highly effective against State, Local, Tribal, and Territorial [SLTT] government networks, consistently infecting more systems than other types of malware. An examination of the characteristics of these malware variants revealed that they often abuse legitimate tools or parts of applications on a system or network. One such legitimate tool is Remote Desktop Protocol [RPD].