# Unable to logon to AD - "allow log on through terminal services right"



## pingulino (May 22, 2012)

We have a new AD with one domain controller running Win Server 2012.
Users who are not administrators are not allowed to log in via AD; the message says they need the "allow log on through terminal services right".
Users who belong to administrators groups can log on.

I have read lots about this; every answer is the same: change the "Allow Logon Through Terminal Services" GPO, located under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\.
Fine - only in Server 2012 there is no such setting.
I have looked through all the policies but I can't for the life of me find any settings for Terminal Services.

I did change the "Allow logon through remote desktop services" and added Remote Desktop Users - the only effect was that administrator no longer could log on... (Added admins to RDP-group to solve that.)

I do not want every user to be administrator; is there some other way to fix this?

Complete error message at logon:

```
To log on to this remote computer, you must be granted the allow log on through terminal services right.  By default, members of the remote desktop users group have this right.  If you are not a member of the remote desktop users group or another group that  has this right, or if the remote desktop user group does not have this right, you must be granted this right manually"
```


----------



## gurutech (Apr 23, 2004)

Have you tried putting everyone into the "Remote Desktop Users" group?


----------



## pingulino (May 22, 2012)

Oh yes, I did - that's the normal way to do it.
Maybe I wasn't completely clear, here are my exact steps.
1) Created user ("ActiveDirectory Users & Computers")
2) Added user to Administrator & Domain Administrators groups.
This user could now log in to AD on his laptop.
3) Removed user from the 2 Admin groups, added "Remote Desktop Users" group.
User cannot log on to AD.


----------

