I have several Windows Server 2022 hosts that I need to manage the user rights assignment through automation.
When I manually grant a domain user the SeRemoteInteractiveLogonRight right, they cannot log on using Remote Desktop; they receive an error stating they are not authorized. If I grant them membership in the local Remote Desktop Users group, they can log on successfully.
The Remote Desktop Users group is granted the SeRemoteInteractiveLogonRight right, but no other rights.
What other permission has that group been granted that I would also need to grant to individual users to enable the ability?
Best Answer
SeRemoteInteractiveLogonRight is a privilege (you can grant this privilege with the following policy: Allow log on through Remote Desktop Services). As the documentation says:
Great! However, as you saw, the user still receives an error message unless they are a member of Remote Desktop Users. That's documented too:
Well, this is because there are (at least) two layers:
The order is relevant here: The user connects to Remote Desktop Services first, and if this is allowed, then Windows will check that the user's token holds the SeRemoteInteractiveLogonRight before opening the user's session.
You can see the Remote Desktop Services security descriptor in the Win32_TSPermissionsSetting WMI class (StringSecurityDescriptor for RDP-Tcp). For example, you can give the StringSecurityDescriptor to the PowerShell cmdlet ConvertFrom-SddlString to see its content in a prettier format:
The output will show you that the Remote Desktop Users group is allowed by default:
Basically, granting SeRemoteInteractiveLogonRight will not add the user/group to the Remote Desktop security descriptor, so Remote Desktop Services denies the logon before Windows even had to check whether SeRemoteInteractiveLogonRight was granted.
You can manually add users or groups to the Remote Desktop Services security descriptor with the AddAccount method: the SDDL will be modified and you'll see your account/group in it. If you granted the SeRemoteInteractiveLogonRight privilege, then you should be able to log on (unless other restrictions are effective on this computer or user, of course).
Now, what happens if you add a user to the Remote Desktop Services security descriptor without granting SeRemoteInteractiveLogonRight? Well, Remote Desktop Services will accept the connection, but you'll see an error when Windows tries to open your session. As you can see, this is not an error thrown by the RDP client: the graphics channel is opened and the error is shown by the remote computer:
And that's what the security auditing logs tell us in this case (if you are auditing):
You'll not see this event if the user is not allowed to connect according to the Remote Desktop Service security descriptor because the logon operation fails before Windows had a chance to check privileges.
I strongly recommend that you use the Remote Desktop Users group, because this group is present by default in the Remote Desktop Services security descriptor and is allowed to use the SeRemoteInteractiveLogonRight privilege (unless the server is a DC). You should not need to fiddle with the RDS security descriptor.
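The two layers the answer describes can be checked side by side from an elevated PowerShell session on the host. The script below is an added example, not code from the original answer: it reads the RDP-Tcp listener's DACL through Win32_TSPermissionsSetting and ConvertFrom-SddlString (layer 1), exports the user rights assignment with secedit to see who holds SeRemoteInteractiveLogonRight (layer 2), and reports which layer would block a given account. The account name `CONTOSO\jdoe` is a constructed placeholder, and the group-membership check only looks at direct members of BUILTIN\Remote Desktop Users, not nested domain groups (an assumption to keep the example short).

```powershell
# Added diagnostic example (not part of the original answer).
# Assumes: run as an administrator on the Windows Server 2022 host;
# $Account is a constructed placeholder, replace it with the real account.
param([string]$Account = 'CONTOSO\jdoe')

# Well-known SID of BUILTIN\Remote Desktop Users
$RduSid = 'S-1-5-32-555'

function Get-RdpListenerDacl {
    # Layer 1: the DACL of the RDP-Tcp listener. Remote Desktop Services
    # evaluates this before Windows ever looks at user rights.
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                          -ClassName 'Win32_TSPermissionsSetting' `
                          -Filter "TerminalName='RDP-Tcp'"
    (ConvertFrom-SddlString -Sddl $ts.StringSecurityDescriptor).DiscretionaryAcl
}

function Get-RemoteInteractiveLogonSids {
    # Layer 2: SIDs holding SeRemoteInteractiveLogonRight, read from a
    # secedit export of the local security policy (values are '*SID' lists).
    $cfg = Join-Path $env:TEMP 'userrights-export.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Test-RdpLogonPath {
    param([string]$Name)

    $sid = (New-Object System.Security.Principal.NTAccount($Name)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # Direct membership in the local Remote Desktop Users group (assumption:
    # nested domain groups are not expanded here).
    $inRdu = [bool](Get-LocalGroupMember -SID $RduSid -ErrorAction SilentlyContinue |
                    Where-Object { $_.SID.Value -eq $sid })

    # Layer 1: the account, or the RDU group it belongs to, must appear in the
    # listener DACL. ConvertFrom-SddlString renders entries as
    # 'NAME: AccessAllowed (...)' and falls back to the raw SID when unresolved.
    $dacl = Get-RdpListenerDacl
    $allowedDirect = [bool]($dacl | Where-Object {
        $_ -match [regex]::Escape($Name) -or $_ -match [regex]::Escape($sid) })
    $allowedViaRdu = $inRdu -and [bool]($dacl | Where-Object {
        $_ -match 'Remote Desktop Users' -or $_ -match [regex]::Escape($RduSid) })

    # Layer 2: the privilege may be held directly or through the RDU group.
    $holders = Get-RemoteInteractiveLogonSids
    $privDirect = $holders -contains $sid
    $privViaRdu = $inRdu -and ($holders -contains $RduSid)

    [pscustomobject]@{
        Account               = $Name
        Sid                   = $sid
        MemberOfRduDirect     = $inRdu
        ListenerDaclAllows    = $allowedDirect -or $allowedViaRdu
        HoldsRemoteLogonRight = $privDirect -or $privViaRdu
        # Mirrors the order the answer describes: listener first, then privilege.
        ExpectedOutcome       = if (-not ($allowedDirect -or $allowedViaRdu)) {
                                    'Denied by Remote Desktop Services (layer 1, no audit event)'
                                } elseif (-not ($privDirect -or $privViaRdu)) {
                                    'Denied by Windows logon (layer 2, audited logon failure)'
                                } else { 'Allowed' }
    }
}

Test-RdpLogonPath -Name $Account | Format-List
```

Running it for a user who was only granted the privilege shows `ListenerDaclAllows` false and the layer 1 outcome, which is exactly the "not authorized" case in the question; adding the user to Remote Desktop Users flips both booleans to true without touching the listener's SDDL.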