Are you having trouble accessing your Windows Server 2012 machine using remote desktop, even after adding the user to the Remote Desktop Users group? Remote Desktop appears to accept the login credentials but then you receive the following error message:
“To sign in remotely, you need the right to sign in through Remote Desktop Services. By default members of the Administrators group have this right. If the group you’re in does not have the right, or if the right has been removed from the Administrators group, you need to be granted the right manually.”
With Server 2012 it seems that you now also need to grant the user remote access privileges through the Local Security Policy as well as the Remote Desktop Users group.
To grant this access, search for and open the Local Security Policy program.
Expand Local Policies and select User Rights Assignment. A list of policies will appear on the right-hand side. Right-click the policy named “Allow log on through Remote Desktop Services” and select Properties.
You will now have the option to add users or groups to the policy.
There you go: as long as the user has been added to this policy and is a member of the Remote Desktop Users group, they should now be able to connect remotely to the server!
Additional Notes:
Windows Computers/Servers (not Domain Controllers)
Open the Local Group Policy Editor (gpedit.msc) on the affected Windows computer/server, or the Group Policy Management Console (gpmc.msc) on the domain controller if editing the GPO for all domain-joined computers/servers.
If editing the GPO for all domain computers in GPMC, select Default Domain Policy. If not, skip this step.
Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
Configure Allow log on locally and Allow log on through Remote Desktop Services rights to include the users/groups that will be logging into any Windows computers/servers (not domain controllers) protected with Duo Windows Logon.
Ensure that Deny log on locally is not applied to the same users/groups. If applied, this policy will override "Allow log on locally" and you will not be able to log in successfully.
Run a gpupdate /force command on the computer, or reboot the computer, to apply the group policy changes.
Domain Controllers
Open the Group Policy Management Console (gpmc.msc) on the domain controller.
Expand your domain and then the Domain Controllers OU.
Right-click the Default Domain Controllers Policy and select Edit.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
Configure Allow log on locally and Allow log on through Remote Desktop Services rights to include the users/groups that will be logging into any domain controllers protected with Duo Authentication for Windows Logon.
Ensure that Deny log on locally is not applied to the same users/groups.
Run a gpupdate /force command on the appropriate domain controllers to apply the policy changes.
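To confirm the result after gpupdate, the following added example (not part of the original article) exports the user rights configured on the machine with secedit and lists who holds the allow and deny logon rights discussed in both procedures above. The temporary file name and the Resolve-Principal helper are assumptions made for this example, and the "Deny log on through Remote Desktop Services" right is included as the remote counterpart of "Deny log on locally" even though the article does not name it.

```powershell
# Added example: audit the logon rights on the local machine (run elevated).
# Only direct assignments are compared; nested group membership is not expanded.
$rights = [ordered]@{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'  # not named in the article
}
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'   # hypothetical temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs as "*S-1-5-..."; account names appear without the asterisk.
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $entry }   # orphaned SID that no longer resolves
}

$assigned = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$' -and $rights.Contains($Matches[1])) {
        $assigned[$Matches[1]] = @($Matches[2] -split ',' |
            Where-Object { $_.Trim() } | ForEach-Object { Resolve-Principal $_ })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

foreach ($key in $rights.Keys) {
    $members = if ($assigned.ContainsKey($key)) { $assigned[$key] -join ', ' } else { '(not assigned)' }
    '{0,-46} {1}' -f $rights[$key], $members
}

# A principal listed under both the allow and the deny right cannot log on,
# because the deny right overrides the allow right.
$pairs = @(
    @('SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight'),
    @('SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight')
)
foreach ($pair in $pairs) {
    $deny = @($assigned[$pair[1]])
    @($assigned[$pair[0]]) | Where-Object { $_ -and ($deny -contains $_) } | ForEach-Object {
        Write-Warning "$_ holds both '$($rights[$pair[0]])' and '$($rights[$pair[1]])'"
    }
}
```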