How to grant ‘Allow log on through Terminal Services Right’ to non Admin users on a Windows 2008 SBS server

By | October 13, 2011

To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Destop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop User group does not have ths right, you must be granted this right manually.

Not ideal but sometimes you need to use a SBS server as a Terminal Services server to get users working from home. You don’t want to give them Domain Admin rights so they can log on (for obvious reasons!) plus you might need more than one user connect at any one time (so Remote Administration is not an option). Simply adding users to Remote Desktop Users group doesn’t appear to be enough either (even though the Security tab of the RDP-TCP connection suggests it should be.

Here is how you fix this:

  1. Open gpedit.msc (the local group policy editor)
  2. Expand Local Computer Policy –> Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> User Rights Management
  3. Look for the setting on the right called Allow log on through Remote Desktop Services
  4. Double click this policy
  5. Add the user/group you would like to have remote access to the box.