How to Deny Users and Groups to Log on with Remote Desktop in Windows 10


You can use the Remote Desktop Connection (mstsc.exe) or Microsoft Remote Desktop app to connect to and control your Windows 10 PC from a remote device. When you allow remote desktop connections to your PC, you can use another device to connect to your PC and have access to all of your apps, files, and network resources as if you were sitting at your desk.

By default, administrators and added Remote Desktop Users are allowed to connect (log on) remotely to your computer through Remote Desktop Services.

See also: Deny log on through Remote Desktop Services (Windows 10) | Microsoft Docs

This tutorial will show you how to deny specific users and groups to log on with a Remote Desktop connection in Windows 10.

You must be signed in as an administrator to deny users and groups to log on through Remote Desktop Services.

This Deny log on through Remote Desktop Services policy will override the Allow log on through Remote Desktop Services policy.


 CONTENTS:

  • Option One: Deny Users and Groups to Log on with Remote Desktop in Local Security Policy
  • Option Two: Undeny Users and Groups to Log on with Remote Desktop in Local Security Policy
  • Option Three: Deny or Undeny Users and Groups to Log on with Remote Desktop in Command Prompt





Deny Users and Groups to Log on with Remote Desktop in Windows 10 OPTION ONE Deny Users and Groups to Log on with Remote Desktop in Windows 10
Deny Users and Groups to Log on with Remote Desktop in Local Security Policy

Local Security Policy is only available in the Windows 10 Pro, Enterprise, and Education editions.

All editions can use Option Three below.

1. Press the Win+R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy.

2. Expand open Local Policies in the left pane of Local Security Policy, click/tap on User Rights Assignment, and double click/tap on the Deny log on through Remote Desktop Services policy in the right pane. (see screenshot below)

Name:  Deny_Remote_Desktop_Services_user_rights_assignment-1.jpg
Views: 276
Size:  71.2 KB

3. Click/tap on the Add User or Group button. (see screenshot below)

Name:  Deny_Remote_Desktop_Services_user_rights_assignment-2.png
Views: 270
Size:  9.6 KB

4. Click/tap on the Advanced button. (see screenshot below)

Name:  Deny_Remote_Desktop_Services_user_rights_assignment-3.png
Views: 264
Size:  8.7 KB

5. Click/tap on the Object Types button. (see screenshot below)

Name:  Deny_Remote_Desktop_Services_user_rights_assignment-4.png
Views: 268
Size:  14.6 KB

6. Check all the boxes for Object types, and click/tap on the OK. (see screenshot below)

Name:  Deny_Remote_Desktop_Services_user_rights_assignment-5.png
Views: 260
Size:  9.4 KB

7. Click/tap on the Find Now button, select the name of the user or group (ex: "Guests") you want to add to deny, and click/tap on OK. (see screenshots below)

If you like, you can press and hold the Ctrl key to select more than one user and/or group.

Name:  Deny_Remote_Desktop_Services_user_rights_assignment-6.jpg
Views: 266
Size:  62.6 KB Name:  Deny_Remote_Desktop_Services_user_rights_assignment-7.jpg
Views: 260
Size:  55.7 KB

8. Click/tap on OK. (see screenshot below)

Name:  Deny_Remote_Desktop_Services_user_rights_assignment-8.png
Views: 263
Size:  9.3 KB

9. Click/tap on OK. (see screenshot below)

Name:  Deny_Remote_Desktop_Services_user_rights_assignment-9.png
Views: 267
Size:  9.7 KB

10. When finished, you can close Local Users and Groups if you like.






Deny Users and Groups to Log on with Remote Desktop in Windows 10 OPTION TWO Deny Users and Groups to Log on with Remote Desktop in Windows 10
Undeny Users and Groups to Log on with Remote Desktop in Local Security Policy

Local Security Policy is only available in the Windows 10 Pro, Enterprise, and Education editions.

All editions can use Option Three below.

1. Press the Win+R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy.

2. Expand open Local Policies in the left pane of Local Security Policy, click/tap on User Rights Assignment, and double click/tap on the Deny log on through Remote Desktop Services policy in the right pane. (see screenshot below)

Name:  Deny_Remote_Desktop_Services_user_rights_assignment-1.jpg
Views: 276
Size:  71.2 KB

3. Select the user or group (ex: "Guests") you want to remove to undeny, and click/tap on the Remove button. (see screenshot below)

If you like, you can press and hold the Ctrl key to select more than one user and/or group.

Name:  Deny_Remote_Desktop_Services_user_rights_assignment-10.png
Views: 265
Size:  10.9 KB

4. Click/tap on OK. (see screenshot below)

Name:  Deny_Remote_Desktop_Services_user_rights_assignment-11.png
Views: 265
Size:  9.7 KB

5. When finished, you can close Local Users and Groups if you like.






Deny Users and Groups to Log on with Remote Desktop in Windows 10 OPTION THREE Deny Users and Groups to Log on with Remote Desktop in Windows 10
Deny or Undeny Users and Groups to Log on with Remote Desktop in Command Prompt

1. If you haven't already, you will need to do the following below before continuing on to step 2 below.

A) Download the ntrights.exe file below from the Windows Server 2003 Resource Kit Tools.

download

B) Save the ntrights.zip file to your desktop, and unblock it.

C) Open the ntrights.zip file, copy or move the ntrights.exe file into your C:\Windows\System32 folder, and click/tap on Continue to approve.

2. Open an elevated command prompt.

3. Type the command you want below into the elevated command prompt, and press Enter.

(Add user or group to allow)
ntrights +r SeDenyRemoteInteractiveLogonRight -u "User or Group"

OR

(Remove user or group to prevent)
ntrights -r SeDenyRemoteInteractiveLogonRight -u "User or Group"

Substitute User or Group in the command above with the actual name of the user or group (ex: "Guests) you want to add or remove for this policy.

For example: ntrights +r SeDenyRemoteInteractiveLogonRight -u "Guests"

4. When finished, you can close the elevated command prompt if you like.


That's it,
Shawn