FIX: Unable to connect to Remote Desktop after promoting Windows Server to a Domain Controller.
If you are unable to connect to Remote Desktop on a Windows RDS Server after promoting it to a Domain Controller due to the error "The connection was denied because the user account is not authorized for remote login", then continue reading below to fix the problem.
Problem: After promoting a Windows Server running Remote Desktop Services (RDS) to a Domain Controller, users are no longer able to connect via RDP to the server and receive the error "The user account is not authorized for remote login. Connection denied".
Cause: The error occurs because, after a standard Windows RDS Server is promoted to a Domain Controller (DC), the Remote Desktop Users are managed from Active Directory. In other words, when you want standard domain users to connect remotely via RDP to a domain controller, the users must be members of the "Remote Desktop Users" Active Directory group and must be allowed to log on through Remote Desktop Services. To fix the problem, follow the instructions below.
How to FIX "The Connection was denied because the user account is not authorized for remote login" when trying to connect via RDP to an Active Directory Domain Controller.*
* Note: If you receive the mentioned error when connecting via RDP to a standard Windows Server (not a Domain Controller), do the following (on the server):
1. Press the Windows + R keys to open the Run command box.
2. Type lusrmgr.msc and press OK to open Local Users and Groups.
3. Then go to Groups, open the Remote Desktop Users group on the right, and add the user(s) you want to that group.
4. Now, try connecting remotely to this server via RDP. If you are still having problems, follow the instructions in Step 2 below.
Step 1. Add User(s) to Remote Desktop Users group in AD.
1. Open Active Directory Users and Computers.
2. Click the Builtin container on the left and then open the Remote Desktop Users group on the right.
3. Select the Members tab and click the Add button.
4. Type the name(s) of the users that you want to give remote access and click OK.
5. When done, click OK and continue to the next step.
Step 2. Allow Standard Domain users to Connect Remotely via RDP to a Specific Domain Controller.
By default, only Domain Administrators have the right to log on remotely to a domain controller through Remote Desktop Services.
To allow remote connections for standard domain users (non-Admins) only to a specific DC, where you may also have installed the Remote Desktop Services role, make the following changes in the Local Group Policy Editor of that DC.*
* Note: If you want to allow Remote Desktop connections to all Domain Controllers, make the following change in AD Group Policy Management, either with a new GPO or by modifying the Default Domain Policy.
1. Open the Local Group Policy Editor. To do that:
1. Simultaneously press the Windows + R keys to open the Run command box.
2. Type gpedit.msc and press Enter.
2. In Group Policy Editor, navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
3. In the right pane, open the Allow log on through Remote Desktop Services policy.
4. Click Add User or Group.*
* Important: If the "Administrators" group is not added here, add it manually, otherwise you will not be able to log in remotely using a domain admin account.
5. In the object names field, type "remote desktop users", click Check Names and then OK & OK.
6. Finally, click OK again and close the Policy Editor.
7. Now, connect via RDP with any domain account/user that belongs to the Remote Desktop Users group to verify your configuration, and you're done!
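To confirm both steps from an elevated PowerShell prompt on the DC, the following added example (not part of the original guide) parses a secedit export for the "Allow log on through Remote Desktop Services" right (SeRemoteInteractiveLogonRight) and lists the members of the Remote Desktop Users group. The function names, the temporary file name and the sample lines are assumptions made for illustration, and the last command assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example: audit who may log on through Remote Desktop Services on this DC.
# Well-known SIDs: S-1-5-32-544 = BUILTIN\Administrators,
#                  S-1-5-32-555 = BUILTIN\Remote Desktop Users.

function Get-RdpLogonRight {                     # hypothetical helper name
    param([string[]]$InfLines)
    # secedit writes the right as: SeRemoteInteractiveLogonRight = *SID,*SID,name
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeRemoteInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }               # right not defined in the export
    ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

function Test-RdpLogonRight {                    # hypothetical helper name
    param([string[]]$Principals)
    [pscustomobject]@{
        AdministratorsAllowed     = $Principals -contains 'S-1-5-32-544'
        RemoteDesktopUsersAllowed = $Principals -contains 'S-1-5-32-555'
        # Anything else holding the right deserves a second look.
        Other = @($Principals | Where-Object { $_ -notin 'S-1-5-32-544', 'S-1-5-32-555' })
    }
}

# Constructed sample of a secedit export (not taken from a real server).
$sample = @(
    '[Privilege Rights]'
    'SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555'
)
Test-RdpLogonRight (Get-RdpLogonRight -InfLines $sample)

# Live check on the DC: export the user rights currently in effect and test them.
if (Get-Command secedit.exe -ErrorAction SilentlyContinue) {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch file
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    Test-RdpLogonRight (Get-RdpLogonRight -InfLines (Get-Content $cfg))
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # Step 1 check: who is actually in the group (requires the ActiveDirectory module).
    Get-ADGroupMember -Identity 'Remote Desktop Users' |
        Select-Object name, objectClass
}
```

If AdministratorsAllowed is False after the change, domain admins will be locked out of RDP on that DC, which is the situation the Important note in step 4 guards against.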
That’s it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.
Frequently Asked Questions
Why am I unable to connect to Remote Desktop on a Windows RDS Server after promoting it to a Domain Controller?
The issue occurs because Remote Desktop Users are now managed through Active Directory after the server is promoted to a Domain Controller. Users must be part of the 'Remote Desktop Users' group in Active Directory and be allowed to log on through remote desktop services.
What steps should I take if I receive 'The connection was denied because the user account is not authorized for remote login' error on a Domain Controller?
Ensure users are added to the 'Remote Desktop Users' group in Active Directory. Additionally, allow standard domain users to connect remotely via RDP by modifying the 'Allow log on through Remote Desktop Services' policy in the Local Group Policy Editor or Active Directory Group Policy Management.
How do I add a user to the Remote Desktop Users group in Active Directory?
Open Active Directory Users and Computers. Click on the 'Builtin' container, open the 'Remote Desktop Users' group, select the 'Members' tab, click 'Add', type the user's name, and click 'OK'. Then, click 'OK' to finish.
What should I do if I'm getting the remote login error on a standard Windows Server, not a Domain Controller?
Press Windows + R, type 'lusrmgr.msc', and open Local Users and Groups. Go to Groups, open 'Remote Desktop Users', and add the desired user(s). If issues persist, follow the further instructions related to local policy changes.

