
Allow users to log on to Domain Controller

Once upon a time I was at a customer who had all infrastructure servers (and also all domain controllers) in VMware VMs. He decided to have one more domain controller on a physical server. The only server he could use was the management server, which was full of management tools.

This server was used by all kinds of IT admins and not only by Domain Admins. So after we ran dcpromo on the management server, it became a domain controller. Which was great, but not all IT admins (especially those who were not Domain Admins) could RDP to the management server 🙂 This was a problem. After a while there was a solution. We created a GPO which applied only to the specific management server and under:

Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment

we set Allow log on through Remote Desktop Services for a specific users' group. Be sure to also include Domain Admins, because if you define only the users' group, Domain Admins will not have RDP access to that computer.
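One way to check for the Domain Admins pitfall described above before the GPO is linked (an added example, not part of the original post): the script reads the [Privilege Rights] section of a security template, such as the GPO's GptTmpl.inf or the output of `secedit /export /cfg rights.inf /areas USER_RIGHTS`, and reports whether SeRemoteInteractiveLogonRight (the privilege behind "Allow log on through Remote Desktop Services") still contains an administrative group. It assumes that BUILTIN\Administrators also counts, since Domain Admins is a member of it by default; the domain SID and the group RID 1601 in the samples are constructed placeholders.

```python
import re

RIGHT = "SeRemoteInteractiveLogonRight"  # "Allow log on through Remote Desktop Services"
BUILTIN_ADMINS = "S-1-5-32-544"          # BUILTIN\Administrators
DOMAIN_ADMINS_RID = "-512"               # Domain Admins: S-1-5-21-<domain>-512

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; plain entries are account names.
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def is_admin_principal(principal):
    if principal.startswith("*"):
        sid = principal[1:].upper()
        return sid == BUILTIN_ADMINS or (
            sid.startswith("S-1-5-21-") and sid.endswith(DOMAIN_ADMINS_RID))
    return principal.split("\\")[-1].lower() in ("domain admins", "administrators")

def audit_rdp_right(inf_text):
    """Return (status, principals); status is 'not-defined', 'ok' or 'admins-missing'."""
    principals = parse_privilege_rights(inf_text).get(RIGHT)
    if principals is None:
        return "not-defined", []  # GPO does not touch the right; existing policy applies
    status = "ok" if any(is_admin_principal(p) for p in principals) else "admins-missing"
    return status, principals

# Constructed samples (placeholder domain SID and group RID, not from the original post).
ONLY_USERS_GROUP = """[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1601
"""
WITH_DOMAIN_ADMINS = ONLY_USERS_GROUP.rstrip() + ",*S-1-5-21-1111111111-2222222222-3333333333-512\n"

if __name__ == "__main__":
    for label, text in (("users group only", ONLY_USERS_GROUP),
                        ("with Domain Admins", WITH_DOMAIN_ADMINS)):
        print(label, "->", audit_rdp_right(text))
```

Files written by secedit and GptTmpl.inf are normally UTF-16 encoded, so open them with `encoding="utf-16"` before passing the text in.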

This blog is not really about how to make the environment more secure, but at least you know what you are doing 🙂


  1. September 28th, 2011 at 07:14 | #1

    Thx for this great information that you are sharing with us!!!

  2. October 3rd, 2011 at 20:36 | #2

    @Блог о путешествиях Glad it helped. I’ll do my best.

  3. February 19th, 2014 at 05:32 | #3

    Way cool! Some extremely valid points! I appreciate you writing this article and the rest of the website is extremely good.
