I have have user1 be a member of group1. Then i have configured my server 2008 r2 server to only allow RDC session via NLA and added group1 I also have added group to the default group remote desktop users group of my domain. But still user1 is still unable to access the server and get this message. Is there any possible way to grant group1 to RDC with adding them to administrators group? because i only intend group 1 to be able to manage shared folders on that server

'Remote Desktop Users' is a 'Built-in local' 'Security' group and that is local to only individual machines ! To allow normal users to log on to the servers via RDC, you need to add Domain User IDs or Group/s in "Local" 'Remote Desktop Users' group on individual Servers/Machines ! In Active Directory Users and Computers, When normal domain users are added in that group, that will be local to Domain Controllers however, Users who are part of that group still can't log on to Domain Controllers, since DDCP (Default Domain Controller Policy) doesn't allow normal users to log on through Remote Desktop Services. Only Domain\Administrators are allowed to log on to the domain controllers by default. HTHRegards, Santosh I do not represent the organisation I work for, all the opinions expressed here, are my own. This posting is provided AS IS with no warranties or guarantees and confers no rights. Blog | Wiki

I've checked the domain\builtin directory and viewed the members of the remote desktop users security group, group1 is already a member of this group. Am I viewing the correct group? i can seem to find the user and group under computer management.

I've checked the domain\builtin directory and viewed the members of the remote desktop users security group, group1 is already a member of this group. Am I viewing the correct group? No. As I mentioned in my previous post, you need to add that group1 in 'Local' 'Remote Desktop Users' on the server in question where you would like to allow Users who are part that group1 to logon through RDC. Please remove group1 from Domain\Remote Desktop Users which you see in Active Directory Users and Computers. E.G. Group A needs to be added in 'Local' 'Remote Desktop Users' ( Server A\Remote Desktop Users) on the Server A, NOT in Domain\Remote Desktop Users. Regards,Santosh I do not represent the organisation I work for, all the opinions expressed here, are my own. This posting is provided AS IS with no warranties or guarantees and confers no rights. Blog | Wiki

I have added group1 to the "builtin\remote desktop user" group, but still users in group1 cannot login to the server.

I have added group1 to the "builtin\remote desktop user" group, but still users in group1 cannot login to the server. Please read my previous reply carefully once again. It appears that, you didn't follow that. You need to add group in Local Remote Desktop Users group on the server !!! ( Don't use Active Directory Users and Computers) Local Remote Desktop User group on server would look like below Regards, Santosh I do not represent the organisation I work for, all the opinions expressed here, are my own. This posting is provided AS IS with no warranties or guarantees and confers no rights. Blog | Wiki

I have added group1 to the "builtin\remote desktop user" group, but still users in group1 cannot login to the server. Please read my previous reply carefully once again. It appears that, you didn't follow that. You need to add group in Local Remote Desktop Users group on the server !!! ( Don't use Active Directory Users and Computers) Local Remote Desktop User group on server would look like below Regards, Santosh I do not represent the organisation I work for, all the opinions expressed here, are my own. This posting is provided AS IS with no warranties or guarantees and confers no rights. Blog | Wiki

Hi Santosh, It seems that if I open the Start > Administrative Tools > Computer Management, this is what I see. Is there any other way to modify builtin groups for a computer other than ADUC if that server is also hosting a AD Services?

Is there any other way to modify builtin groups for a computer other than ADUC if that server is also hosting a AD Services? You would have mentioned that, the server in question was a Domain Controller at the first place itself !!! Anyways... Please note that, allowing users to log on to the Domain Controllers is NOT a Good practice. If you are just experimenting in a lab setup, then that would be ok. To permit normal users to log on to the domain controller, you need to edit DDCP (Default Domain Controller Policy) and update following policy settings and add desired user or group. Allow log on locally and Allow log on through Remote Desktop Service Regards, Santosh I do not represent the organisation I work for, all the opinions expressed here, are my own. This posting is provided AS IS with no warranties or guarantees and confers no rights. Blog | Wiki