How to Allow Remote Desktop (RDP) for Standard Users on a Domain Controller or Windows Server.
In this tutorial you will learn how to allow Non-Admin users to connect via Remote Desktop (RDP) to a domain controller or Windows Server 2016/2019.
By default, for security reasons, only administrators or domain administrators have the right to connect via Remote Desktop to a Windows server or Domain Controller (DC). However, there are cases where regular users need to connect via Remote Desktop to a server or domain controller, for example when Remote Desktop Services (RDS), formerly known as "Terminal Services", is running on it.
For a standard user to be able to connect via RDP to a Windows server or DC, both of the following must be true:
- The user must be a member of the Remote Desktop Users group on the target server.
- The "Remote Desktop Users" group must be allowed to log on through Remote Desktop Services.
If either of the above conditions is not met, a user attempting to RDP to a Windows server or domain controller will receive one of the following errors:
- The user account is not authorized for remote login. Connection denied.
- To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right. If the group you’re in doesn’t have this right, or if the right has been removed from Administrators group, you need to be granted this right manually.
How to Grant Standard Users RDP Access to a Specific Windows Server or Domain Controller.
Step 1. Add User(s) to Remote Desktop Users group on the Target Server.
The first step to enable RDP access for standard user(s) on a DC or Server is to add the user(s) to the "Remote Desktop Users" group of that Server/DC. Depending on the type of the target server, proceed as follows:
Case A. If the target server is a Standard Windows Server (not a Domain Controller), do the following:
1. Press the Windows + R keys to open the Run command box.
2. Type lusrmgr.msc and press OK to open Local Users and Groups.
3. Then go to Groups, open the Remote Desktop Users group on the right, and add the user(s) you want to have RDP access.
4. When done, close Local Users and Groups and continue to Step 2.
Case B. If the target server is an Active Directory Domain Controller (DC), do the following:
1. Open Active Directory Users and Computers from 'Tools' menu in Server Manager.
2. Click Builtin on the left and then open the Remote Desktop Users group on the right.
3. Select the Members tab and click the Add button, to add the domain users you want to have remote desktop access to that DC.
4. Type the name(s) of the users you want to give remote access and click OK.
5. After adding the RDP user(s) click OK and continue to next step.
Step 2. Allow Log on through Remote Desktop Services only to target Server/DC.
After adding the user(s) to the Remote Desktop Users group, allow log on through Remote Desktop Services in the Local Group Policy Editor of that Server or DC, as instructed below.*
* Note: If you want to allow RDP for non-administrator users on all domain controllers or Windows servers in the domain, make the following change in AD Group Policy Management, either with a new GPO or by modifying the Default Domain Policy (this is not recommended, however).
1. Open the Local Group Policy Editor on the target Server. To do that:
   1. Simultaneously press the Windows + R keys to open the Run command box.
   2. Type gpedit.msc and press Enter.
2. In Group Policy Editor navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
3. At the right pane, open the Allow log on through Remote Desktop Services policy.
4. Click Add User or Group.
5. In the object names field, type "remote desktop users", click Check Names and then OK & OK.
6. Finally click OK again and close the Policy Editor.*
* Important: If the "Administrators" group is not added here, add it manually, otherwise you will not be able to log in remotely using an administrator account.
7. Close the Group Policy Editor and restart the Server.
8. Then, try to connect via RDP to the remote server and you're done!
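To confirm the result of Step 2 without opening the Policy Editor, the following added example (not part of the original guide) exports the server's user rights with secedit and checks that both "Remote Desktop Users" and "Administrators" hold the "Allow log on through Remote Desktop Services" right (SeRemoteInteractiveLogonRight). The function names and the temp file name are hypothetical; the sample input is constructed.

```powershell
# Added example. Run in an elevated PowerShell session on the target Server/DC.
# Well-known SIDs of the two built-in groups this guide deals with.
$RequiredSids = [ordered]@{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-555' = 'Remote Desktop Users'
}

function Get-RdpLogonRightHolders {
    # Parses security-template (INF) lines as exported by secedit and returns
    # the entries assigned to SeRemoteInteractiveLogonRight.
    param([string[]]$InfLines)
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeRemoteInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }   # right not defined: nobody is listed
    # Built-in groups are written as *SID; strip the asterisk and whitespace.
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

function Test-RdpLogonRight {
    # Reports, per required group, whether it is listed in the policy.
    param([string[]]$InfLines)
    $holders = @(Get-RdpLogonRightHolders -InfLines $InfLines)
    foreach ($sid in $RequiredSids.Keys) {
        [pscustomobject]@{
            Group   = $RequiredSids[$sid]
            Sid     = $sid
            Granted = $holders -contains $sid
        }
    }
}

# Constructed sample: Remote Desktop Users was added but Administrators is
# missing, the situation the "Important" note in Step 2 warns about.
$sample = @(
    '[Privilege Rights]'
    'SeRemoteInteractiveLogonRight = *S-1-5-32-555'
)
Test-RdpLogonRight -InfLines $sample | Format-Table -AutoSize

# Live check against the effective local security policy of this machine.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # hypothetical file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Test-RdpLogonRight -InfLines (Get-Content $cfg) | Format-Table -AutoSize
Remove-Item $cfg
```

Any row showing Granted = False means that group still has to be added to the policy as described in Step 2.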
That’s it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.

