On domain controllers, only domain administrators are allowed to initiate a remote desktop connection and connect successfully. To allow normal domain users to connect through RDP, perform the steps below:
Run the Local Group Policy Editor on each domain controller.
Go to Windows Settings -> Security Settings -> User Rights Assignment.
Edit the "Allow log on through Remote Desktop Services" policy and add a user or group.
The last step is to add the above user or group to the Remote Desktop Users group in Active Directory Users and Computers -> Builtin -> Remote Desktop Users.
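To check the result of both steps on a domain controller, the following PowerShell is an added example and not part of the original post. It assumes an elevated session on the domain controller with the ActiveDirectory module installed; the temporary file name is an arbitrary choice.

```powershell
# Added example: list who holds the RDP logon right on this domain controller
# and who is in the Remote Desktop Users group, so the two can be compared.
Import-Module ActiveDirectory

# Export the machine's current user rights assignments to a temporary file.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # arbitrary temporary path
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# "Allow log on through Remote Desktop Services" is stored under this name.
$line = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $cfg -Force

# Entries are comma separated; SIDs are prefixed with '*', names are not.
$holders = @()
if ($line) {
    $holders = @(($line.Line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # unresolvable SID: report it as-is
        } else {
            $entry
        }
    })
}

# Members of Builtin -> Remote Desktop Users in Active Directory.
$members = @(Get-ADGroupMember -Identity 'Remote Desktop Users' |
    Select-Object -ExpandProperty SamAccountName)

if (-not $line) {
    Write-Warning 'SeRemoteInteractiveLogonRight is not defined in the exported policy.'
}

[pscustomobject]@{
    DomainController   = $env:COMPUTERNAME
    RdpLogonRight      = $holders -join '; '
    RemoteDesktopUsers = $members -join '; '
}
```

Run it on each domain controller after making the change and review both lists for accounts that should not be there.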
Hello,
Thanks a lot for this post. I just followed it to give access to a DC to our support team. I still have an issue. Support teams are not domain admins, they just have delegation on AD, but when they connect to the DC servers with your parameters, they are not allowed to open any MMC, ADUC etc… Do you have an idea of how I could get through this? Thanks a lot
Indeed, as long as they do not have privileged permissions on domain controllers, they cannot execute those programs. You could try to add them to built-in groups inside the domain controllers. Alternatively, you could create a custom group and allow this group to execute such programs, if possible. However, I am not sure if this is possible.
Ok, thanks for your quick answer, I will try to find a way 🙂. Just out of curiosity, what was your purpose in connecting non-admin users to a DC if they can do nothing on it when connected? I'm searching because our remote users have lag issues when using RSAT tools. Best Regards
I really cannot remember the case as it has been a long time since I was a systems admin, but I can only remember that it was a request for a client. Indeed users cannot perform actions when connected.