The “Allow Logon through Terminal Services” policy is a Microsoft Group Policy Object (GPO) that defines how the Remote Desktop Protocol (RDP) behaves when connecting users remotely to a machine. System Administrators use this policy to grant users the rights necessary for RDP sessions. In this article, we’ll cover how this GPO plays a role in establishing RDP connections.
There are two types of user rights in relation to remote desktop users: Logon Rights and Privileges.
Logon Rights, or remote logon, give users rights to the physical machine. Privileges give users access to the RDP-TCP Listener. Both of these rights are necessary to establish an RDP connection to the server.
The Remote Logon is specifically governed by the “Allow Logon through Terminal Services” GPO. This can be found under:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Users who are assigned to either the Administrators or Remote Desktop Users groups are automatically given these Remote Logon rights as well as the necessary privileges.
One problem you may run into is trying to establish an RDP connection with a user who’s not part of either the Administrators or Remote Desktop Users groups. Even if they are added to the “Allow Logon through Terminal Services” policy, they won’t be able to connect over RDP. Adding users to this policy gives them the correct Logon Rights but not the privileges to connect to the RDP Listener.
Privileges for the RDP-Listener can be granted using the Tsconfig.msc console snap-in, but you can’t alter RDP-Listener permissions using the GPO. Therefore, the best method for granting users the necessary privileges to establish an RDP connection is always to add them to the Remote Desktop Users group so they have both Remote Logon and RDP-Listener privileges automatically.
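The following audit script is an added example, not part of the original article. It lists accounts that hold the remote logon right on the local machine but are not direct members of Administrators or Remote Desktop Users, which is the mismatch described above. It assumes the right is exported under its constant name SeRemoteInteractiveLogonRight, the well-known SIDs S-1-5-32-544 and S-1-5-32-555 for the two built-in groups, and a temporary file name chosen for illustration.

```powershell
# Added example: run from an elevated PowerShell 5.1+ session on the RDP host.
$inf = Join-Path $env:TEMP 'user-rights.inf'   # temporary export path (assumption)
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null

# SeRemoteInteractiveLogonRight is the constant behind the remote logon policy.
$line = Select-String -Path $inf -Pattern '^SeRemoteInteractiveLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue
if (-not $line) { Write-Output 'No account holds the remote logon right.'; return }

# Entries are either "*<SID>" or a plain account name; normalise both to SID strings.
$holders = ($line.Line -split '=', 2)[1] -split ',' | ForEach-Object {
    $entry = $_.Trim()
    if ($entry.StartsWith('*')) { $entry.TrimStart('*') }
    elseif ($entry) {
        try {
            ([Security.Principal.NTAccount]$entry).Translate(
                [Security.Principal.SecurityIdentifier]).Value
        } catch { Write-Warning "Cannot resolve '$entry'" }
    }
}

# Built-in groups that receive both the logon right and RDP-Listener access.
$groupSids = 'S-1-5-32-544', 'S-1-5-32-555'   # Administrators, Remote Desktop Users
$members = foreach ($g in $groupSids) {
    (Get-LocalGroupMember -SID $g -ErrorAction SilentlyContinue).SID.Value
}

foreach ($sid in $holders) {
    $name = try {
        ([Security.Principal.SecurityIdentifier]$sid).Translate(
            [Security.Principal.NTAccount]).Value
    } catch { $sid }   # keep the raw SID if it cannot be translated
    $status = if ($sid -in $groupSids -or $sid -in $members) { 'OK' }
              else { 'Review: logon right without direct group membership' }
    [pscustomobject]@{ Account = $name; Sid = $sid; Status = $status }
}
```

Only direct membership is compared, so an account that reaches Remote Desktop Users through a nested domain group is still listed for review.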
This article was updated in March 2021 by Kyle Guercio.
Marcin Policht obtained his Master of Computer Science degree about 20 years ago and has since been working in the Information Technology field, handling a variety of responsibilities, but focusing primarily on the areas of identity and access management, virtualization, system management, and, more recently, private, hybrid, and public cloud services. He has authored the first book dedicated to Windows Management Instrumentation and co-written several others dealing with subjects ranging from core operating system features to high-availability solutions. His articles have been published on such Web sites as ServerWatch.com and DatabaseJournal.com. For his contributions to the Microsoft technical community, he has been awarded the title of Microsoft MVP over the last ten years.