If you are RDP’ing to a machine and you see:
The system administrator has limited the computers you can log on with.
the problem is the language Microsoft has used in their LOG ON TO button in Active Directory Users and Computers. It should be LOG ON FROM. If you restrict users access to log onto particular computers it also applies to the machines they are RDP’ing from.
For example USER-A has a Log On To setting on PC-A and PC-B. This means USER-A can log in from the desktop of PC-A or PC-B and they can RDP from PC-A to PC-B (or vise versa). What USER-A cannot do is sit at PC-C that is already logged in as another user and try to Remote Desktop to PC-A or PC-B.
The ‘fix’ is to add in the host name of the PC that the users will be logging in from. Soooo, in our example, if you USER-A will be sitting at PC-C (logged in as someone else) and wants to RDP to PC-A, you need to add PC-C (and make sure PC-A is there too) into the LOG IN TO in ADUC.
This has been a particular pain when trying to work with restrictions on Terminal Services / Remote Desktop Services servers.
It is a silly English language problem that I have argued with Microsoft Partner Support about a few times over the years.
This just caught me by surprise again and I spent more than an hour today fighting the problem after I change my PC to a new one running Windows 10.
This website uses cookies.
View Comments
It looks like there's a typo in your write up.
"Soooo, in our example, if you USER-A will be sitting at PC-C (logged in as someone else) and wants to RDP to PC-A, you need to add PC-A into the LOG IN TO in ADUC."
If USER-A is sitting at PC-C and needs to RDP into PC-A, he would need to add PC-C into the LOG IN TO attribute, the first paragraph already stated that PC-A was in there.