Applies to
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting.
Reference
The Remote Desktop Protocol or RDP is a key feature in Windows 10 Pro. With that enabled, you can connect to computers on the network, either to troubleshoot issues or to work from that computer. However, if you have a Professional, Enterprise, or Ultimate edition of Windows, you already have the full Windows Remote Desktop installed. Home versions of Windows only have the remote desktop client for letting you connect to machines, but you need one of the pricier editions in order to connect to your PC.

Hello, since the new upgrade to Windows 10 Pro from Windows 7 Pro I have not been able to RDP to Windows 10. I even assigned a new rule into the Windows firewall and still nothing. When I went back to Windows 7, everything was fine. I'm not new to RDP and everything related to remote desktop is checked.
This policy setting determines which users or groups can access the logon screen of a remote device through a Remote Desktop Services connection. It is possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server.
Constant: SeRemoteInteractiveLogonRight
Possible values
- User-defined list of accounts
- Not Defined
Best practices
- To control who can open a Remote Desktop Services connection and log on to the device, add users to or remove users from the Remote Desktop Users group.
Location
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Default values
By default, members of the Administrators group have this right on domain controllers, workstations, and servers. The Remote Desktop Users group also has this right on workstations and servers. The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.
Server type or GPO | Default value |
---|---|
Default Domain Policy | Not Defined |
Default Domain Controller Policy | Not Defined |
Domain Controller Local Security Policy | Administrators |
Stand-Alone Server Default Settings | Administrators, Remote Desktop Users |
Domain Controller Effective Default Settings | Administrators |
Member Server Effective Default Settings | Administrators, Remote Desktop Users |
Client Computer Effective Default Settings | Administrators, Remote Desktop Users |
Policy management
This section describes different features and tools available to help you manage this policy.
Group Policy
To use Remote Desktop Services to successfully log on to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and be granted the Allow log on through Remote Desktop Services right. It is possible for a user to establish a Remote Desktop Services session to a particular server, but not be able to log on to the console of that same server.
To exclude users or groups, you can assign the Deny log on through Remote Desktop Services user right to those users or groups. However, be careful when you use this method because you could create conflicts for legitimate users or groups that have been allowed access through the Allow log on through Remote Desktop Services user right.
For more information, see Deny log on through Remote Desktop Services.
A restart of the device is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update:
- Local policy settings
- Site policy settings
- Domain policy settings
- OU policy settings
Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Vulnerability
Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.
Countermeasure
For domain controllers, assign the Allow log on through Remote Desktop Services user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and do not run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups.
Caution: For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default.
Alternatively, you can assign the Deny log on through Remote Desktop Services user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also belong to a group that has the Deny log on through Remote Desktop Services user right.
Potential impact
Removal of the Allow log on through Remote Desktop Services user right from other groups (or membership changes in these default groups) could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected.
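One way to check a device against the countermeasure above, as an added example that is not part of the original documentation: it exports the user rights assignment with `secedit`, resolves the holders of SeRemoteInteractiveLogonRight and its Deny counterpart, and marks any Allow holder other than Administrators (and, off domain controllers, Remote Desktop Users) for review. The temporary file name and the `Resolve-Principal` helper are assumptions made for this example.

```powershell
# Added example: report who holds the Remote Desktop logon rights on this device.
# Run from an elevated PowerShell prompt.

# ProductType 2 = domain controller (1 = workstation, 3 = member/stand-alone server).
$isDC = (Get-CimInstance Win32_OperatingSystem).ProductType -eq 2

# Holders the countermeasure expects: Administrators everywhere,
# Remote Desktop Users on everything except domain controllers.
$expected = @('S-1-5-32-544')
if (-not $isDC) { $expected += 'S-1-5-32-555' }

# Hypothetical helper: turn one secedit entry into a SID plus a readable name.
function Resolve-Principal([string]$Value) {
    $v = $Value.Trim().TrimStart('*')      # secedit writes SIDs as "*S-1-..."
    $result = [pscustomobject]@{ Sid = $v; Name = '(unresolved)' }
    try {
        if ($v -match '^S-1-') {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($v)
        } else {
            $acct = New-Object System.Security.Principal.NTAccount($v)
            $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
        }
        $result.Sid  = $sid.Value
        $result.Name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }                             # orphaned SID or unknown name: keep raw value
    $result
}

# Export only the user rights area to a temporary file (name is an assumption).
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$inf = Get-Content $cfg
Remove-Item $cfg

foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $line = $inf | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    if (-not $line) { Write-Host "$right has no holders defined"; continue }
    $entries = ($line -split '=', 2)[1].Split(',') | Where-Object { $_.Trim() }
    foreach ($entry in $entries) {
        $p = Resolve-Principal $entry
        # Only Allow holders outside the expected groups are marked for review.
        $review = ($right -eq 'SeRemoteInteractiveLogonRight') -and ($p.Sid -notin $expected)
        [pscustomobject]@{ Right = $right; Name = $p.Name; Sid = $p.Sid; Review = $review }
    }
}
```

An account that appears under both rights is denied, which is the conflict the Deny guidance warns about, so compare the two lists before adding groups to the Deny right.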
Related topics
Setting up a remote desktop allows you to access your computer wherever you are and control it as if you were directly in front of the keyboard. By using the built-in Remote Desktop Connection app in Windows 10, you can troubleshoot issues, access files, and so much more. Here’s how to set up a remote desktop in Windows 10 and how to remotely access another computer over the internet.
How to Set Up Remote Desktop Windows 10
To set up a remote desktop in Windows 10, go to Settings > System > Remote Desktop. Then turn on the slider for Enable Remote Desktop. Next, search Settings for Allow an app through Windows firewall and enable the Remote Desktop app for Private and Public.
Note: You can only run the Remote Desktop Connection app if you are using Windows 10 Professional or Enterprise. If you are using Windows 10 Home edition, check out our guide on how to use Quick Assist to remotely control a computer.
- Click the Windows Start button. This is the button with the Windows logo in the bottom-left corner of your screen. Do this from the host computer (or the computer you will be trying to access remotely).
- Then click Settings. This is the gear-shaped icon just above the power button.
- Next, click System.
- Then click Remote Desktop in the left sidebar. You can find this by scrolling down. It is the icon that looks like greater than and less than signs pointing at each other.
- Next, click the slider next to Enable Remote Desktop. This will cause a new window to pop up.
- Then click Confirm. A pop-up box appears asking you if you would like to enable remote desktop. It also reminds you that doing so will allow you and other users in your User accounts to connect to the PC remotely. Then you will need to change your firewall settings in order to access another computer over the internet.
- Next, type firewall into the search bar of the Settings window. You can do this by clicking the search box that says Find a setting at the top of the left sidebar. Once you type firewall, you will see search results populated under the search bar.
- Then choose Allow an app through Windows firewall. If you don’t see this option, click Show All, and then select it from the list.
- Then click Change settings. Initially, the apps and the checkboxes beside them will be grey or disabled. Once you click Change settings, they will turn black and become enabled.
- Tick the Private and Public checkboxes to the right of Remote Desktop. Make sure that both boxes under the Private and Public columns are checked.
- Finally, click OK.
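To review what the steps above changed on the host, the following added example (not part of the original guide) reads the Remote Desktop registry settings and lists the enabled inbound firewall rules with the profiles and remote addresses they accept. It assumes an English-language Windows installation, where the firewall rule group is displayed as "Remote Desktop".

```powershell
# Added example: inspect the Remote Desktop configuration on the host computer.
# Run from an elevated PowerShell prompt.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Join-Path $ts 'WinStations\RDP-Tcp'

[pscustomobject]@{
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    RemoteDesktopEnabled = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means Network Level Authentication is required
    # before a session (and the logon screen) is created.
    NlaRequired          = (Get-ItemProperty $tcp).UserAuthentication -eq 1
    # TCP port the RDP listener uses (3389 unless it was changed).
    ListeningPort        = (Get-ItemProperty $tcp).PortNumber
} | Format-List

# Enabled inbound rules in the built-in "Remote Desktop" group.
# Profile shows whether Private, Public or Domain networks are allowed;
# RemoteAddress "Any" means every source address on that profile can connect.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort
            RemoteAddress = $addr.RemoteAddress -join ','
        }
    } | Format-Table -AutoSize
```

A rule enabled for the Public profile with RemoteAddress set to Any, combined with NlaRequired showing False, is the most exposed result this check can report.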
Once you enable your remote desktop and allow the app to communicate through your firewall, you can access that computer over the internet. Here’s how:
How to Remotely Access Another Computer Over the Internet
There are two ways you can remotely access another computer over the internet – depending on whether you’re on the same network or not. If you are accessing another computer within the same network, you just need to know the PC name. Otherwise, you need to know your public IP and set up port forwarding.
How to Remotely Access Another Computer Over the Internet Within Your Network
To remotely access another computer within your network over the internet, open the Remote Desktop Connection app and enter that computer’s name, and your username and password.
- Click the magnifying glass icon in the bottom-left corner of your screen. Do this from the computer you want to access over the internet.
- Then type About into the search bar and click Open.
- Next, copy your computer’s name. You can find this next to Device name. You can either write this name down, or copy and paste it into a text document, an email, or any other method that you want.
Note: If this name is too complicated, you can click the Rename this PC button below. This lets you choose your own name for your PC.
- Then open the Windows search bar and type remote desktop connection. This is the magnifying glass icon in the bottom-left corner of your screen. Do this from the client computer or the computer that you will use to establish the remote connection.
- Next, click Open.
- Then click Show Options. You can see this in the bottom-left corner of the window.
- Next, enter the computer’s name. This is the name that you copied down in the previous steps.
- Also, enter the username. If this information is filled in already, make sure it is correct. You can find your username by going to Settings > Accounts. Then you will see your username under your profile image.
- Then click Connect.
Note: You can also change additional settings by clicking the Display, Local Resources, Experience, and Advanced tabs.
- Next, enter your computer’s password and click OK. This is the password that you use to sign in to the computer when you are on the lock screen.
Note: You might encounter a prompt asking you if you want to connect even if the identity of the remote computer cannot be identified. Just click on Yes.
- Finally, wait for the remote connection to be configured. After the step above, you will see a green progress bar. Wait for it to complete. Briefly, you will see a black window which turns to blue. Once the remote connection is successfully established, you will see a view of the computer you’re trying to access.
How to Remotely Access Another Computer Outside Your Network
- Open a web browser. Do this from the host computer or the computer you will be trying to access remotely.
- Then type what is my IP into the address bar.
- Next, copy the public IP address listed. Your public IP address will be a series of numbers separated by periods.
Note: Do not share your public IP address with anyone you don’t trust. They can use this information to hack your computer and steal your personal information, such as bank details.
- Then open TCP port 3389 on your router. If you don’t know how to do this, check out our step-by-step guide on how to port forward.
Note: You should also set a static IP address for the computer you are trying to access. If you want to know how to set a static IP address for your Windows 10 PC, check out our step-by-step guide here.
- Next, open the Remote Desktop Connection app. Do this from the client computer (or the one you will use to remotely control the host computer).
- Enter your public IP address in the Computer field. This will be the public IP address you copied down earlier.
- Then click Connect.
- Enter your credentials. On the Windows Security page, type in the username and password of your remote server.
- Click OK.
Note: You might encounter a prompt asking you if you want to connect even if the identity of the remote computer cannot be identified. Just click on Yes.
- Finally, wait for the remote connection to be configured. After the step above, you will see a green progress bar. Wait for it to complete. Briefly, you will see a black window which turns to blue. Once the remote connection is successfully established, you will see a view of the computer you’re trying to access.
If you’re looking for a less complicated way of accessing your computer remotely, check out our article on how to remotely control a Windows 10 or Mac computer.