{
	"id": "c744aa89-84df-4087-b98a-f6f739736827",
	"created_at": "2026-04-06T02:13:12.999514Z",
	"updated_at": "2026-04-10T03:19:56.274545Z",
	"deleted_at": null,
	"sha1_hash": "f1f5480d6e0bb8564533eef8bee2540b9f248ca1",
	"title": "Allow log on through Remote Desktop Services - Windows 10",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40386,
	"plain_text": "Allow log on through Remote Desktop Services - Windows 10\r\nBy vinaypamnani-msft\r\nArchived: 2026-04-06 01:52:53 UTC\r\nApplies to\r\nWindows 11\r\nWindows 10\r\nDescribes the best practices, location, values, policy management, and security considerations for the Allow log\r\non through Remote Desktop Services security policy setting.\r\nThis policy setting determines which users or groups can access the sign-in screen of a remote device through a\r\nRemote Desktop Services connection. It's possible for a user to establish a Remote Desktop Services connection to\r\na particular server but not be able to sign in to the console of that same server.\r\nConstant: SeRemoteInteractiveLogonRight\r\nUser-defined list of accounts\r\nNot Defined\r\nTo control who can open a Remote Desktop Services connection and sign in to the device, add users to or\r\nremove users from the Remote Desktop Users group.\r\nComputer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment\r\nBy default, members of the Administrators group have this right on domain controllers, workstations, and servers.\r\nThe Remote Desktop Users group also has this right on workstations and servers. The following table lists the\r\nactual and effective default policy values. 
Default values are also listed on the policy’s property page.\r\nServer type or GPO | Default value\r\nDefault Domain Policy | Not Defined\r\nDefault Domain Controller Policy | Not Defined\r\nDomain Controller Local Security Policy | Administrators\r\nStand-Alone Server Default Settings | Administrators, Remote Desktop Users\r\nDomain Controller Effective Default Settings | Administrators\r\nMember Server Effective Default Settings | Administrators, Remote Desktop Users\r\nClient Computer Effective Default Settings | Administrators, Remote Desktop Users\r\nThis section describes different features and tools available to help you manage this policy.\r\nTo use Remote Desktop Services to successfully sign in to a remote device, the user or group must be a member of\r\nthe Remote Desktop Users or Administrators group and be granted the Allow log on through Remote Desktop\r\nServices right. It's possible for a user to establish a Remote Desktop Services session to a particular server, but not\r\nbe able to sign in to the console of that same server.\r\nTo exclude users or groups, you can assign the Deny log on through Remote Desktop Services user right to\r\nthose users or groups. 
However, be careful when you use this method because you could create conflicts for\r\nlegitimate users or groups that have been allowed access through the Allow log on through Remote Desktop\r\nServices user right.\r\nFor more information, see Deny log on through Remote Desktop Services.\r\nA restart of the device isn't required for this policy setting to be effective.\r\nAny change to the user rights assignment for an account becomes effective the next time the owner of the account\r\nlogs on.\r\nGroup Policy settings are applied through GPOs in the following order, which will overwrite settings on the local\r\ncomputer at the next Group Policy update:\r\n1. Local policy settings\r\n2. Site policy settings\r\n3. Domain policy settings\r\n4. OU policy settings\r\nThis section describes how an attacker might exploit a feature or its configuration, how to implement the\r\ncountermeasure, and the possible negative consequences of countermeasure implementation.\r\nAny account with the Allow log on through Remote Desktop Services user right can sign in to the remote\r\nconsole of the device. If you don't restrict this user right to legitimate users who must sign in to the console of the\r\ncomputer, unauthorized users could download and run malicious software to elevate their privileges.\r\nFor domain controllers, assign the Allow log on through Remote Desktop Services user right only to the\r\nAdministrators group. For other server roles and devices, add the Remote Desktop Users group. 
For servers that\r\nhave the Remote Desktop (RD) Session Host role service enabled and don't run in Application Server mode,\r\nensure that only authorized IT personnel who must manage the computers remotely belong to these groups.\r\nCaution: For RD Session Host servers that run in Application Server mode, ensure that only users who\r\nrequire access to the server have accounts that belong to the Remote Desktop Users group because this\r\nbuilt-in group has this logon right by default.\r\nAlternatively, you can assign the Deny log on through Remote Desktop Services user right to groups such as\r\nAccount Operators, Server Operators, and Guests. However, be careful when you use this method because you\r\ncould block access to legitimate administrators who also belong to a group that has the Deny log on through\r\nRemote Desktop Services user right.\r\nRemoval of the Allow log on through Remote Desktop Services user right from other groups (or membership\r\nchanges in these default groups) could limit the abilities of users who perform specific administrative roles in your\r\nenvironment. You should confirm that delegated activities aren't adversely affected.\r\nUser Rights Assignment\r\nSource: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services"
	],
	"report_names": [
		"allow-log-on-through-remote-desktop-services"
	],
	"threat_actors": [],
	"ts_created_at": 1775441592,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1f5480d6e0bb8564533eef8bee2540b9f248ca1.pdf",
		"text": "https://archive.orkl.eu/f1f5480d6e0bb8564533eef8bee2540b9f248ca1.txt",
		"img": "https://archive.orkl.eu/f1f5480d6e0bb8564533eef8bee2540b9f248ca1.jpg"
	}
}