FIX: Unable to connect to Remote Desktop after promoting Windows Server to a Domain Controller.
If you are unable to connect to Remote Desktop on a Windows RDS Server after promoting it to a Domain Controller due to the error "The connection was denied because the user account is not authorized for remote login", then continue reading below to fix the problem.
Problem: After promoting a Windows Server running Remote Desktop Services (RDS) to a Domain Controller, users are no longer able to connect via RDP to the server and receive the error "The user account is not authorized for remote login. Connection denied".
Cause: The error occurs because, after a standard Windows RDS Server is promoted to a Domain Controller (DC), the Remote Desktop Users are managed from Active Directory. In other words, for standard domain users to connect remotely via RDP to a domain controller, they must be members of the "Remote Desktop Users" Active Directory group and must be allowed to log on through Remote Desktop Services. To fix the problem, follow the instructions below.
How to FIX "The Connection was denied because the user account is not authorized for remote login" when trying to connect via RDP to an Active Directory Domain Controller.*
* Note: If you receive the mentioned error when connecting via RDP to a standard Windows Server (not a Domain Controller), do the following (on the server):
1. Press the Windows + R keys to open the Run command box.
2. Type lusrmgr.msc and press OK to open Local Users and Groups.
3. Then go to Groups, open the Remote Desktop Users on the right, and add the user(s) you want to that group.
4. Now, try connecting remotely to this server via RDP. If you are still having problems, follow the instructions in Step 2 below.
Step 1. Add User(s) to Remote Desktop Users group in AD.
1. Open Active Directory Users and Computers.
2. Click Builtin on the left and then open the Remote Desktop Users group on the right.
3. Select the Members tab and click the Add button.
4. Type the name(s) of the users that you want to give remote access and click OK.
5. When done, click OK and continue to next step.
Step 2. Allow Standard Domain users to Connect Remotely via RDP to a Specific Domain Controller.
By default, only Domain Administrators have the right to log on remotely to a domain controller through Remote Desktop Services.
To allow remote connections for standard domain users (non-Admins) only on a specific DC, where you may also have installed the Remote Desktop Services role, make the following changes in the Local Group Policy Editor of that DC.*
* Note: If you want to allow Remote Desktop Connection to all Domain Controllers, make the following change in AD Group Policy Management either with a new GPO or by modifying the Default Domain Policy.
1. Open the Local Group Policy Editor. To do that:
1. Simultaneously press the Windows + R keys to open the Run command box.
2. Type gpedit.msc and press Enter.
2. In Group Policy Editor navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
3. In the right pane, open the Allow log on through Remote Desktop Services policy.
4. Click Add User or Group.*
* Important: If the "Administrators" group is not added here, add it manually, otherwise you will not be able to log in remotely using a domain admin account.
5. In the object names field, type "remote desktop users", click Check Names and then OK & OK.
6. Finally click OK again and close the Policy Editor.
7. Now, connect via RDP with any domain account that belongs to the Remote Desktop Users group to verify your configuration, and you're done!
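To confirm both steps from the command line and to see exactly who can now log on to the DC over RDP, here is an added PowerShell check (not part of the original guide). It assumes an elevated session on the domain controller with the ActiveDirectory module available; the temporary file name is a made-up example.

```powershell
# Added example: audit who may log on to this DC through Remote Desktop Services.
Import-Module ActiveDirectory

# Step 1 check: members of the Builtin "Remote Desktop Users" group (nested groups expanded).
$rdpMembers = @(Get-ADGroupMember -Identity 'Remote Desktop Users' -Recursive |
    Select-Object -ExpandProperty SamAccountName)

# Step 2 check: export the user rights stored in the local security database and read
# "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight).
$cfg = Join-Path $env:TEMP 'rdp-user-rights.inf'   # hypothetical temp file name
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$match = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $cfg -Force

# The value is a comma-separated list; SIDs are written with a leading '*'.
$raw = @()
if ($match) {
    $raw = @(($match.Line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() })
}

# Resolve SIDs to names for the report; keep the raw entry if it cannot be resolved.
$holders = @($raw | ForEach-Object {
    if ($_.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.TrimStart('*'))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $_ }
    } else { $_ }
})

# Well-known SIDs: S-1-5-32-544 = BUILTIN\Administrators,
#                  S-1-5-32-555 = BUILTIN\Remote Desktop Users.
[pscustomobject]@{
    RightIsDefined          = [bool]$match
    AdministratorsHaveRight = $raw -contains '*S-1-5-32-544'
    RdpUsersGroupHasRight   = $raw -contains '*S-1-5-32-555'
    PrincipalsWithRight     = $holders -join '; '
    RemoteDesktopUsers      = $rdpMembers -join '; '
} | Format-List
```

Both flags should read True after Step 2, and every name listed under RemoteDesktopUsers can sign in interactively on the domain controller, so keep that list limited to the accounts that need it.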
That’s it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.

