Debugging Terminal Services Access: Why “Remote Desktop Users” Group Members Fail to Authenticate on Windows Server 2008 R2



When domain users who are members of the "Remote Desktop Users" group try to connect to a Windows Server 2008 R2 terminal server, the connection is refused with the error "The user has not been granted the requested logon type at this computer". This happens even when:

  • The user is properly added to Remote Desktop Users group
  • Group Policy appears correctly configured
  • Terminal Services licensing is properly installed on the DC

The message is the text for NTSTATUS 0xC000015B (STATUS_LOGON_TYPE_NOT_GRANTED): the account authenticated, but the server's local security policy does not grant it logon type 10 (RemoteInteractive). Whether it does is decided by several layers that all have to agree:

1. Group membership, in the server's own local Remote Desktop Users group (S-1-5-32-555), not only the AD Builtin group of the same name
2. Local Security Policy (User Rights Assignment: the "Allow" and "Deny log on through Remote Desktop Services" rights)
3. Group Policy settings that write those rights and the RDS connection policy
4. Terminal Services (RD Session Host) configuration: the listener, and whether connections are enabled at all

Run this PowerShell command on the terminal server to see the RDP-Tcp listener and whether it requires Network Level Authentication (it reports the listener's settings, not the user's permissions; NLA is unrelated to the logon-type error):

Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\TerminalServices |
Select-Object -Property TerminalName, UserAuthenticationRequired

These GPO settings must align (run gpresult /h report.html from an elevated prompt to see the resultant set of policy):

Computer Configuration\Policies\Windows Settings\Security Settings\
Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services

and, in the same folder, Deny log on through Remote Desktop Services, which takes precedence over the allow right if the user or any group in the user's token is listed in it.

Check this policy registry value, which disables the listener outright regardless of group membership (when present it wins over the system key of the same name):

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections

The value should be 0 or absent to allow connections; 1 means RDP is disabled by policy. A disabled listener refuses the connection before authentication, so it produces a different error than the one above.

This batch script restarts the RD Session Host service and re-enables connections. Run it from the console or an out-of-band session, because stopping TermService drops every RDP session, including yours:

@echo off
net stop TermService /y
REM 1 = RDP disabled, 0 = enabled; the policy key under HKLM\SOFTWARE\Policies overrides this value if set
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
REM Optional and a security downgrade: switch Network Level Authentication off on the RDP-Tcp listener.
REM NLA has nothing to do with the "requested logon type" error, so leave this commented out unless you need it.
REM wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting WHERE TerminalName="RDP-Tcp" CALL SetUserAuthenticationRequired 0
net start TermService

When GPO isn't applying correctly, dsacls shows the ACL on the AD group object itself:

dsacls "CN=Remote Desktop Users,CN=Builtin,DC=domain,DC=com"

That ACL only matters if an administrator cannot read or change the group's membership; it has no effect on whether a member is granted the logon right. The more important point is that Builtin groups in Active Directory are domain-local groups that are evaluated only on domain controllers. A member server evaluates its own local BUILTIN\Remote Desktop Users group, so the domain users (preferably a domain group containing them) must be added to that local group on the terminal server, either by hand or through a Restricted Groups GPO.
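The following PowerShell is an added example, not code from the original article. It grants a domain group RDP access to a member server the way the server actually evaluates it, by adding the group to the server's local Remote Desktop Users group (the S-1-5-32-555 group that the allow right normally references), and then reads the group's SID back to confirm it is the well-known one. The domain name, group name and server name are assumptions; it uses the ADSI WinNT provider so it runs on the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added example (not from the original article). Run as a local administrator
# of the target server. CONTOSO, RDS-Users and the server name are assumptions.
param(
    [string]$Domain      = "CONTOSO",      # assumed NetBIOS domain name
    [string]$DomainGroup = "RDS-Users",    # assumed domain group that should get RDP
    [string]$Server      = $env:COMPUTERNAME
)

$localGroup = [ADSI]"WinNT://$Server/Remote Desktop Users,group"

# Member AdsPaths come back as WinNT://CONTOSO/RDS-Users (no ",group" suffix)
function Get-MemberPaths([System.DirectoryServices.DirectoryEntry]$g) {
    foreach ($m in @($g.Invoke("Members"))) {
        $m.GetType().InvokeMember("AdsPath", "GetProperty", $null, $m, $null)
    }
}

$wanted = "WinNT://$Domain/$DomainGroup"
if (@(Get-MemberPaths $localGroup) -contains $wanted) {
    "$Domain\$DomainGroup is already a member of $Server\Remote Desktop Users"
} else {
    # The ",group" class hint makes the WinNT provider bind to a group, not a
    # user, of that name. Add() throws if the object cannot be resolved.
    $localGroup.Add("$wanted,group")
    "Added $Domain\$DomainGroup to $Server\Remote Desktop Users"
}

"Current members:"
Get-MemberPaths $localGroup | ForEach-Object { "  $_" }

# The user right refers to the group by SID, so confirm it is the well-known one
$groupSid = New-Object System.Security.Principal.SecurityIdentifier(
                [byte[]]$localGroup.Properties["objectSid"].Value, 0)
"Local group SID: $groupSid (expected S-1-5-32-555)"
```

Membership changes are picked up at the next logon, and every RDP connection attempt builds a fresh token, so no reboot is needed. If a Restricted Groups GPO manages this local group, add the domain group there instead, or the next policy refresh will remove what this script added.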

  1. Confirm the user is in the terminal server's local Remote Desktop Users group (directly or through a domain group)
  2. Verify Local Security Policy on the terminal server: both the allow and the deny "log on through Remote Desktop Services" rights
  3. Check for conflicting GPOs with gpresult /h gpreport.html
  4. Test with logon failure auditing enabled (Audit Logon, failure)
  5. Examine the Security log for Event ID 4625 with Status 0xC000015B and Logon Type 10; TerminalServices-RemoteConnectionManager 1149 and TerminalServices-LocalSessionManager 21/25 are written only after authentication and session setup succeed, so their absence is itself a clue
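As an added example (not from the original article), the diagnostic script below runs the checklist above in one pass on the RD Session Host: the policy and system fDenyTSConnections values, the members of the server's local Remote Desktop Users group, the allow and deny "log on through Remote Desktop Services" rights from a secedit export, a few sanity checks on those rights for the failing account, and the recent 4625 events whose status is 0xC000015B. The account name is an assumption; pass the user who is being refused.

```powershell
# Added example (not from the original article). Run elevated on the
# RD Session Host. CONTOSO\jdoe is a placeholder for the failing account.
param([string]$User = "CONTOSO\jdoe")

# 1. Is RDP switched off? 1 = denied, 0 or absent = allowed. Policy key wins.
$keys = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",
        "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
foreach ($k in $keys) {
    $v = (Get-ItemProperty -Path $k -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($v -eq $null) { $v = "(not set)" }
    "fDenyTSConnections = $v  [$k]"
}

# 2. Local group membership. The AD Builtin group of the same name applies
#    only to domain controllers; a member server consults its own group.
$grp = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
"Members of $env:COMPUTERNAME\Remote Desktop Users:"
foreach ($m in @($grp.Invoke("Members"))) {
    "  " + $m.GetType().InvokeMember("AdsPath", "GetProperty", $null, $m, $null)
}

# 3. User rights. secedit writes a Unicode .inf; Get-Content honours the BOM.
$inf = Join-Path $env:TEMP "rdp-rights.inf"
secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $rights[$matches[1]] = @($matches[2] -split ',') }
}
Remove-Item $inf -ErrorAction SilentlyContinue
$allow = @($rights["SeRemoteInteractiveLogonRight"]     | Where-Object { $_ })
$deny  = @($rights["SeDenyRemoteInteractiveLogonRight"] | Where-Object { $_ })
"Allow log on through RDS: " + ($allow -join " ")
"Deny  log on through RDS: " + $(if ($deny.Count -gt 0) { $deny -join " " } else { "(empty)" })

# 4. Sanity checks. Deny always beats allow; the allow list should still hold
#    Administrators (*S-1-5-32-544) and Remote Desktop Users (*S-1-5-32-555).
if ($allow -notcontains "*S-1-5-32-555") { "WARNING: *S-1-5-32-555 missing from the allow list" }
try {
    $sid = (New-Object System.Security.Principal.NTAccount($User)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
} catch { $sid = $null; "WARNING: could not resolve $User to a SID: $_" }
# Everyone, Authenticated Users, Users, and the account itself
foreach ($broad in @("*S-1-1-0", "*S-1-5-11", "*S-1-5-32-545") + @($(if ($sid) { "*$sid" }))) {
    if ($deny -contains $broad) { "WARNING: deny list contains $broad, which covers $User" }
}

# 5. Failed logons carrying the status behind the error text. Needs failure
#    auditing for the Logon subcategory (auditpol /get /subcategory:Logon).
$events = Get-WinEvent -FilterHashtable @{LogName = "Security"; Id = 4625} -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Status:\s+0xC000015B" -and $_.Message -match "Logon Type:\s+10" }
"4625 events with status 0xC000015B and logon type 10: $(@($events).Count)"
foreach ($e in @($events) | Select-Object -First 5) {
    # Properties: 5 = TargetUserName, 6 = TargetDomainName, 19 = IpAddress
    "  {0}  {1}\{2}  from {3}" -f $e.TimeCreated, $e.Properties[6].Value, $e.Properties[5].Value, $e.Properties[19].Value
}
```

If section 3 shows the right granted to *S-1-5-32-555 and section 2 shows neither the user nor any of the user's domain groups in the local group, the local group is the fix, not the AD Builtin group. If the deny list names the user or a broad group, that entry wins regardless of everything else.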

In a Windows Server 2008 R2 environment with a domain controller and member server configuration, users experience logon failures when attempting to connect via Remote Desktop Services (RDS). Despite being members of the 'Remote Desktop Users' group and apparently correct Group Policy settings, users receive the error: "The user has not been granted the requested logon type at this computer."

The environment consists of:

  • Domain Controller (DC) running Terminal Services Licensing
  • Member Server running Terminal Services (Session Host)
  • Users properly added to 'Remote Desktop Users' group in Active Directory

Export the server's local security policy and read the two rights that gate logon type 10:

# Export the local policy (the target folder must exist; secedit writes a Unicode .inf)
secedit /export /cfg c:\temp\secpolicy.inf /areas USER_RIGHTS
# Expected in the [Privilege Rights] section: local Administrators and Remote Desktop Users
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
# Deny beats allow; on a healthy server this line is absent or empty
SeDenyRemoteInteractiveLogonRight =

Essential GPO settings that must be configured (the GPO name below is a placeholder; use the name of the GPO that targets the terminal server):

# Sample PowerShell to verify settings (needs the Group Policy module / GPMC)
Get-GPOReport -Name "Terminal Services Policy" -ReportType HTML -Path "C:\temp\TS_Policy.html"

Key policy paths to check (both are Computer Configuration settings; neither exists under User Configuration):

  • Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services (and the neighbouring Deny log on through Remote Desktop Services, which overrides it)
  • Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely using Remote Desktop Services

When basic checks don't resolve the issue:

# Resultant set of policy for the computer (run elevated); add /user domain\user if that user has logged on here before
gpresult /H RSOP.html
# The affected user's token groups; run this as that user (console logon or runas), not as the administrator
whoami /groups
# Confirm the RDP-Tcp listener exists and is in the Listen state; qwinsta shows sessions and listeners, not permissions
qwinsta /server:servername

For stubborn cases, examine these registry values (the NLA setting lives under the RDP-Tcp listener key, not the Terminal Server key itself):

# Check Terminal Services registry settings
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication

Sometimes NTFS permission inheritance on the profile folders gets broken. That produces a temporary profile after a successful logon, not the logon-type error above, so only run this when the symptom matches (and from an elevated prompt; /reset replaces the existing ACLs with inherited ones):

# Reset security inheritance (run elevated)
icacls "C:\Windows\System32\config\systemprofile" /reset /t /c
icacls "C:\Users\Default" /reset /t /c

If all else fails, this script re-grants the allow right to the two well-known groups and re-enables connections. Run it elevated on the RD Session Host. If a GPO sets this right, the GPO value is reapplied at the next refresh, so fix it in the GPO instead:

# PowerShell remediation script
$RDPRight = "SeRemoteInteractiveLogonRight"
# Administrators (S-1-5-32-544) plus Remote Desktop Users (S-1-5-32-555);
# writing only 555 would lock administrators out of RDP
$RDPSids  = "*S-1-5-32-544,*S-1-5-32-555"
$tmp = Join-Path $env:TEMP "rdp-rights.inf"
$db  = Join-Path $env:TEMP "rdp-rights.sdb"
secedit /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
$inf = Get-Content $tmp
if ($inf -match "^$RDPRight\s*=") {
    $inf = $inf -replace "^$RDPRight\s*=.*", "$RDPRight = $RDPSids"
} else {
    # Right not present in the export: add it under [Privilege Rights]
    $inf = $inf -replace "^\[Privilege Rights\]$", "[Privilege Rights]`r`n$RDPRight = $RDPSids"
}
# secedit expects a Unicode .inf (Set-Content defaults to ASCII)
Set-Content -Path $tmp -Value $inf -Encoding Unicode
secedit /configure /db $db /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
Remove-Item $tmp, $db -ErrorAction SilentlyContinue

# Enable RDP connections and the matching firewall exception via WMI
$RDP = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\CIMV2\TerminalServices
$RDP.SetAllowTSConnections(1,1) | Out-Null