Add user to Remote Desktop Services

In this article, we will see how to add or remove Remote Desktop users in Windows 10. This will allow them to make connections to the target computer over the Remote Desktop Protocol (RDP). By default, only members of the Administrators group (e.g. administrative accounts) have access to RDP. Here we go.

Before we continue, here are some details about how RDP works. While any edition of Windows 10 can act as Remote Desktop Client, to host a remote session, you need to be running Windows 10 Pro or Enterprise. You can connect to a Windows 10 Remote Desktop host from another PC running Windows 10, or from an earlier Windows version like Windows 7 or Windows 8, or Linux. Windows 10 comes with both client and server software out-of-the-box, so you don't need any extra software installed.

First of all, enable the Remote Desktop feature as described here:

//winaero.com/blog/enable-rdp-windows-10/

Now, you can configure user permissions.

  1. Press Win + R hotkeys on the keyboard. The Run dialog will appear on the screen. Type the following into the text box and press Enter:

    SystemPropertiesAdvanced

  2. Advanced System Properties will open.
  3. Go to the Remote tab. There, click on the button Select Users.
  4. The following dialog will open. Click on the Add button.
  5. The Select Users dialog will appear. There, type the desired user name to add or click on the Advanced button to select the user from the list. To populate the list, click on the Find now button in Advanced mode.
  6. Select the desired user in the list and click OK.
  7. Click OK once again to add the user.

You are done.

Alternative ways to add Remote Desktop users in Windows 10

There are two more ways to add or remove Remote Desktop users in Windows 10.

You can use Local Users and Groups snap-in

You can use Local Users and Groups snap-in if your Windows edition comes with this app.

  1. Press Win + R shortcut keys on your keyboard and type the following in the Run box:

    lusrmgr.msc

    This will open the Local Users and Groups app.

  2. Click on Groups on the left.
  3. Double-click "Remote Desktop Users" in the list of groups.
  4. Click the Add button to add one or more users.

You are done.

You can use the net.exe console tool

  1. Open an elevated command prompt.
  2. Type the following command:

    net localgroup "Remote Desktop Users" "UserName" /add

    Replace the "UserName" portion with the actual user account name you want to add to Remote Desktop users.
    In my case, the command looks as follows:

    net localgroup "Remote Desktop Users" "Alice" /add
  3. To remove a user from the "Remote Desktop Users" group, substitute the /add argument in the command above with the /delete switch, as follows:

    net localgroup "Remote Desktop Users" "Alice" /delete

See the following screenshot.


Remote Desktop is a feature that you can use to connect to devices remotely. With this feature, you can control other devices as if you had local access. RDP is designed to support different types of network topologies and multiple LAN protocols. In this article, we'll show how to grant RDP access to domain controllers for non-admin user accounts without granting unnecessary rights. Kindly visit these related guides: How to change a password on a Remote Desktop session, How to install and configure VPN on Windows Server 2016, 2019, and 2022, and How to allow saved credentials for RDP connection (dangerous)!

By default, only the members of the Domain Admins group have remote RDP access to the domain controllers. It is also worth noting that the RDP feature isn't available on Windows 10 Home, only on Windows 10 Pro and Enterprise editions. If you do not have a real need to connect to your DC via RDP, please use the Remote Server Administration Tools. See these guides on how to install RSAT on Windows Server, and how to install RSAT on Windows 10 via Windows features.

Note: In an Active Directory environment, the Domain Controller uses the built-in domain group Remote Desktop Users (located in the Builtin container). You can manage this group from the ADUC console or from the command prompt on your Domain Controller. See this guide for the error “The connection was denied because the user is not authorized for remote Login”, and how to enable Remote Desktop Connection on Windows 11 for non-administrators or selected users. To enable access for non-admins, please follow the steps below. Here is a link to all troubleshooting guides relating to RDP.

Add the user to the Remote Desktop User Group

This can be achieved in a couple of ways. I will be showing both very shortly. First, via Active Directory Users and Computers (ADUC), which can also be launched via dsa.msc. I recommend you see this guide in order to learn something new: “This computer is a domain controller: The snap-in cannot be used on a domain controller, domain accounts are managed by ADUC snap-in”.

To add the user to the Remote Desktop Users group, launch the Server Manager.
– Click on Tools,
– And then on Active Directory Users and Computers

This will open the Active Directory Users and Computers snap-in. Double click on the Remote Desktop users as shown below.

This will open up the Remote Desktop Users Properties window. Navigate to the Members tab and click on Add to add users.

Enter the user’s name and click on Check names as shown below. As you can see, the object is present in AD. Click on OK to close the Remote Desktop Users Properties window. You will have to click on OK again.

This is how you can add users to the Remote Desktop Group on a DC. You may also have to “Allow Log on through Remote Desktop Services” on a DC if not enabled already.

Optional step: How to add users to the Remote Desktop Users via PowerShell or Command Prompt

By default, only administrative users are allowed to remotely connect to your Windows 10 PC through a remote desktop connection (RDP), and on a DC, as discussed before, only Domain Administrators are permitted.

Open up the Command Prompt as an Administrator. These commands also work in PowerShell.
– Type the following command and hit Enter. Replace “UserName” with the user account you want to add to the Remote Desktop Users group.

net localgroup "Remote Desktop Users" "UserName" /add

Or have the syntax interchanged as shown below

net localgroup "Remote Desktop Users" /add "UserName"

To verify if the user is added to the Remote Desktop Users, please run the command below

net localgroup "Remote Desktop Users"

As you can see from the figure below, the User “RDP1” has been added to the Remote Desktop Users group

If you need to remove a user from the Remote Desktop Users group, run the command below, replacing “UserName” with the username in your environment.

net localgroup "Remote Desktop Users" "UserName" /delete

Or via the ADUC snap-in. Click on the user and select Remove.
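The add, remove and verify steps from the net localgroup commands in both articles above can also be done with native PowerShell cmdlets. This is an added example, not code from either original article; it assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets, the function names are hypothetical, and 'Alice' is a placeholder account name.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotent add/remove for the local "Remote Desktop Users"
# group. The group is addressed by its well-known SID (S-1-5-32-555) so the
# script does not depend on the localized group name.
$RdpUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-555'

function Test-RdpMember {
    param([Parameter(Mandatory)][string]$UserName)
    # Get-LocalGroupMember raises an error when the principal is not a member,
    # so a suppressed error simply yields $false here.
    [bool](Get-LocalGroupMember -SID $RdpUsers -Member $UserName -ErrorAction SilentlyContinue)
}

function Set-RdpMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [ValidateSet('Add', 'Remove')][string]$Action = 'Add'
    )
    $isMember = Test-RdpMember -UserName $UserName
    if ($Action -eq 'Add' -and -not $isMember) {
        if ($PSCmdlet.ShouldProcess($UserName, 'Add to Remote Desktop Users')) {
            Add-LocalGroupMember -SID $RdpUsers -Member $UserName -ErrorAction Stop
        }
    }
    elseif ($Action -eq 'Remove' -and $isMember) {
        if ($PSCmdlet.ShouldProcess($UserName, 'Remove from Remote Desktop Users')) {
            Remove-LocalGroupMember -SID $RdpUsers -Member $UserName -ErrorAction Stop
        }
    }
    # Return the resulting membership so the change can be reviewed and logged.
    Get-LocalGroupMember -SID $RdpUsers |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

# Dry run: -WhatIf reports the change without making it.
Set-RdpMember -UserName 'Alice' -Action Add -WhatIf
```

On a domain controller the group is the domain's Builtin\Remote Desktop Users group, which can be managed with Get-ADGroupMember and Add-ADGroupMember from the ActiveDirectory module instead.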

Allow logon through Remote Desktop Services via the Local Policy

To log on to the DC over RDP, you must be granted the “Allow log on through Remote Desktop Services” user right, which can be assigned using the Local Policy. By default, members of the Administrators group have this right. If you are not a member of the Administrators group or another group that has this right, or if the Administrators group does not have this right, you must be granted this right manually.

In order to fix the issue, you might want to create a new security group whose members will have the power to establish a Remote Desktop connection. To do this, type in ‘secpol.msc’ and press Enter.

Navigate to Local Policies, and click on User Rights Assignment.
– From the list of policies, locate Allow log on through Remote Desktop Services and double-click it.

This will open the Allow log on through Remote Desktop Services properties window as shown below.
– Add the User or Group. For me, I will be adding the User just for test purposes. In a live environment, I will probably create a group to handle this.

This will open the Select Users, Computers, Service Account, or Group wizard as shown below. Enter the name and click on Check names.

As you can see, the user has been added to the Allow log on through Remote Desktop Services policy as shown below.
– Click on Apply and then OK to finish this step.

Allow logon through Remote Desktop Services via the GPO

You do not need to use these steps, but I just want to demonstrate them to you. The steps are basically the same as above, but this time via the Group Policy Management snap-in.
– Launch the Server Manager,
– Click on Tools,
– Click on Group Policy Management as shown below

This will open the Group Policy Management Editor. You can edit the “Default Domain Controller” policy.
– Locate the “Allow log on through Remote Desktop Services” – User rights setting [Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\].

– Add the new security group (Remote Desktop User Group) or user account, then close the management console.

Why not just create a new policy instead of modifying the default policy? Regardless of your implementation steps, please link the GPO to the OU the Group or User belongs to.

Note. To allow a user to log on to the DC locally (via the server console), you must add the account or group to the policy “Allow log on locally”. By default, this permission is allowed for the following domain groups: Backup Operators, Administrators, Print Operators, Server Operators, and Account Operators.

Next, you will have to restart your system for it to take effect or enter the following command in an elevated command prompt to have the policy applied immediately without waiting for the default 90 mins to elapse. You may want to see these guides: What is GPO and how can it be launched in Windows, and GPUpdate Switches: GPUpdate vs GPUpdate force.

gpupdate /force
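To confirm which accounts actually hold the “Allow log on through Remote Desktop Services” right once the policy has applied, the assignment can be read back with secedit. This is an added example, not code from the original post; Get-UserRightHolder is a hypothetical helper name, and SeRemoteInteractiveLogonRight is the internal name of that user right.

```powershell
#Requires -RunAsAdministrator
# Added example: report which accounts hold a user right on this machine.
# Get-UserRightHolder is a hypothetical helper name, not a built-in cmdlet.
function Get-UserRightHolder {
    param(
        # Internal name of "Allow log on through Remote Desktop Services".
        [string]$Right = 'SeRemoteInteractiveLogonRight'
    )
    $cfg = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of the local security database.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

        # Exported form: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match "^$Right\s*=" } |
            Select-Object -First 1
        if (-not $line) { return }   # the right is not assigned to anyone

        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            $sid = $null
            $name = $entry           # secedit writes some accounts by name
            if ($entry.StartsWith('*')) {
                # "*" marks a SID; translate it to DOMAIN\name where possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '<unresolved SID>' }
            }
            [pscustomobject]@{ Right = $Right; Account = $name; Sid = "$sid" }
        }
    }
    finally {
        # The export lists privilege assignments; do not leave it in TEMP.
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Get-UserRightHolder | Format-Table -AutoSize
```

Any account or group in the output that is not expected to have RDP logon rights on the DC is worth reviewing against the group created for this purpose.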

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
