
Windows Terminal Services & Remote Desktop Users

The “Allow Logon Through Terminal Services” Policy Explained

The “Allow Logon through Terminal Services” policy is a Microsoft Group Policy Object (GPO) that defines how the Remote Desktop Protocol (RDP) behaves when connecting users remotely to a machine. System administrators use this policy to grant users the rights necessary for RDP sessions. In this article, we’ll cover the role this GPO plays in establishing RDP connections.

Logon Rights vs. Privileges

There are two types of user rights in relation to remote desktop users: Logon Rights and Privileges. 

The Logon Rights, or Remote Logon, give users rights to the physical machine. The Privileges give users access to the RDP-TCP Listener. Both of these rights are necessary to establish an RDP connection to the server.

The Remote Logon is specifically governed by the “Allow Logon through Terminal Services” GPO. This can be found under:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Users who are assigned to either the Administrators or Remote Desktop Users groups are automatically given these Remote Logon rights as well as the necessary privileges.

Adding Users to the “Remote Desktop Users” Group

One problem you may run into is trying to establish an RDP connection with a user who’s not part of either the Administrators or Remote Desktop Users groups. Even if they are added to the “Allow Logon through Terminal Services” policy, they won’t be able to connect over RDP. Adding users to the policy will give them the correct Logon Rights but not the privileges to connect to the RDP Listener.

Privileges for the RDP-Listener can be granted using the Tsconfig.msc console snap-in, but you can’t alter RDP-Listener permissions using the GPO. Therefore, the best method for granting users the necessary privileges to establish an RDP connection is always to add them to the Remote Desktop Users group so they have both Remote Logon and RDP-Listener privileges automatically.
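
To audit for the mismatch described above, the following PowerShell function (an added example, not part of the original article) lists accounts that hold the logon right but belong to neither built-in group. The function name Get-RdpLogonRightGap, the SRV01 accounts and the sample export are constructed for illustration; SeRemoteInteractiveLogonRight is the constant Windows uses for this user right.

```powershell
# Added example: find accounts that hold SeRemoteInteractiveLogonRight
# ("Allow log on through Terminal Services") but are in neither built-in group.
# On a live server the inputs would come from (elevated prompt):
#   secedit /export /cfg rights.inf /areas USER_RIGHTS ; Get-Content rights.inf
#   (Get-LocalGroupMember -Group 'Remote Desktop Users').Name

# Constructed sample of a secedit export. SIDs carry a '*' prefix.
# Assumption: other holders are exported by name; translate any '*S-1-5-21-...' first.
$sampleInf = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,SRV01\jdoe,SRV01\asmith
'@ -split "`r?`n"

# Constructed direct group membership (hypothetical accounts; nesting not expanded).
$sampleMembers = @{
    'Administrators'       = @('SRV01\Administrator')
    'Remote Desktop Users' = @('SRV01\asmith')
}

function Get-RdpLogonRightGap {   # hypothetical helper name
    param([string[]]$InfLines, [hashtable]$GroupMembers)

    # Well-known SIDs of the two built-in groups that also carry listener privileges.
    $builtin = @{ '*S-1-5-32-544' = 'Administrators'; '*S-1-5-32-555' = 'Remote Desktop Users' }

    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeRemoteInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }    # right is not defined in this export

    # Everything after the first '=' is a comma-separated list of holders.
    $holders = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
    # Flatten the per-group member arrays into one list.
    $covered = @($GroupMembers.Values | ForEach-Object { $_ })

    foreach ($h in $holders) {
        if ($builtin.ContainsKey($h)) { continue }   # the group itself holds the right
        if ($covered -contains $h)    { continue }   # -contains ignores case
        # Logon right only: per the article, this account cannot connect over RDP.
        [pscustomobject]@{ Principal = $h; Issue = 'Logon right without group membership' }
    }
}

Get-RdpLogonRightGap -InfLines $sampleInf -GroupMembers $sampleMembers
```

An account reported here should either be added to the Remote Desktop Users group or have the stray logon right removed from the policy.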

This article was updated in March 2021 by Kyle Guercio.
