To sign in remotely, you need the right to sign in through Remote Desktop Services
When connecting to a Windows computer or server via RDP, you may encounter the following error:
To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually.
How can you remotely connect to the desktop of such a computer (the screenshot with the error was taken on Windows 10)?
As you probably know, by default, the permission to log on remotely via Remote Desktop is available to members of the local Administrators group. The account under which you connect to the computer must be a member of the local Administrators group. You can check it on the computer using the Local Users and Groups MMC console (lusrmgr.msc).
In the Local Users and Groups console, go to the Groups section, select the Administrators group and check if your account is in this list.
A common user (non-administrator) can also connect to a computer via RDP if their account is added to the local group Remote Desktop Users (members of this group are granted the right to log on remotely).
In the same lusrmgr.msc snap-in, check the members of this group. If you have administrator privileges on this computer, you can add a user account to this group by clicking the Add button. Enter the name of the user or security group and click OK twice to save the change.
As a result, the user will have the permission to log on remotely via Remote Desktop, but won’t have local administrator privileges on the computer.
You can also allow users to remotely connect to Remote Desktop Services using the local group policy editor.
- Run the gpedit.msc console and go to the section Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment;
- Find the policy named Allow log on through Remote Desktop Services and open its properties;
Tip. If this policy only contains the Administrators group, then your administrator, for some reason, has denied access to the system via RDP for the local Remote Desktop Users group.
- Click the Add User or Group button and add the users or groups that need to be allowed to log on via RDP;
- Save changes and update computer policies using the command: gpupdate /force
Tip. Using this policy, you can grant RDP access to domain controllers to technical staff or users without giving them domain admin permissions in the Active Directory domain. This trick will also work if you have installed the Remote Desktop Services role on the AD domain controller (although this is not recommended) and you want to allow ordinary users to connect to it via RDP/RemoteApp.
Also, in the same section of the GPO editor, make sure that your account is not specified in the Deny log on through Remote Desktop Services policy. This policy has higher priority.
If your computer is joined to the AD domain, these settings may be overridden by domain policies. The current GPO settings can be obtained using the rsop.msc snap-in.
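The checks above can also be done from the command line. The following is an added example, not part of the original article: it lists the members of the two local groups and the accounts named in the Allow and Deny log on through Remote Desktop Services rights. It assumes an elevated Windows PowerShell 5.1 session on the computer being checked; the function, variable and temporary file names are illustrative.

```powershell
# Run elevated. Well-known SIDs are used so this works on localized Windows.
# S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users
# Note: the LocalAccounts cmdlets do not apply to domain controllers.

function Resolve-Principal([string]$Entry) {
    # secedit writes SIDs as "*S-1-..." and some accounts as plain names.
    $value = $Entry.Trim()
    if (-not $value.StartsWith('*S-')) { return $value }
    $sid = $value.TrimStart('*')
    try {
        ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $sid    # orphaned or unresolvable SID: report it unchanged
    }
}

# 1. Who is in the groups that normally carry the RDP logon right?
$members = foreach ($sid in 'S-1-5-32-544', 'S-1-5-32-555') {
    $group = Get-LocalGroup -SID $sid
    Get-LocalGroupMember -SID $sid |
        Select-Object @{ n = 'Group'; e = { $group.Name } }, Name, ObjectClass
}
$members | Format-Table -AutoSize

# 2. Which principals hold the allow and deny user rights?
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # temporary export file
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' |
            Where-Object { $_ } |
            ForEach-Object { Resolve-Principal $_ })
    }
}
Remove-Item $cfg

# A right with no principals assigned is absent from the export (shown empty).
[pscustomobject]@{
    # Allow log on through Remote Desktop Services
    AllowRdpLogon = $rights['SeRemoteInteractiveLogonRight'] -join '; '
    # Deny log on through Remote Desktop Services (wins over Allow)
    DenyRdpLogon  = $rights['SeDenyRemoteInteractiveLogonRight'] -join '; '
} | Format-List
```

An account can sign in over RDP only if it, or a group it belongs to, appears under AllowRdpLogon and nothing it belongs to appears under DenyRdpLogon.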
Source: https://theitbros.com/to-sign-in-remotely-you-need-the-right-to-sign-in-through-remote-desktop-service/