Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Symptoms

When a Windows Server 2012 Remote Desktop Virtualization Host is added to a domain and the default domain policy is applied, the option to select a physical GPU used for Remote FX (within Hyper-V settings) is unavailable.

Even if the option to select a physical GPU in the Hyper-V settings is available, you are unable to add the RemoteFX 3D Adapter to the Virtual Machines provisioned on the host server.

Cause

The issue can occur if the Default Domain policy (or any other policy) has removed the “Users” group from the “Allow log on locally” policy.

The RemoteFX feature availability in a Remote Desktop Virtualization host is provided by a system account named 'RDV Graphics Service'. This account is part of the local ‘Users' group on the Remote Desktop Virtualization Host. If the 'Users' group is denied the permission to logon on to the system, the account in turn is also denied permission to log on to the server.

Resolution

To resolve this problem, follow these steps:

  1. Add the “Users” group back to “Allow log on locally” policy.

    • Click Start, type gpedit.msc, and then press ENTER.

    • In the console tree, expand Computer Configuration, Policies, Windows Settings, Security Settings, and Local Policies, and then click User Rights Assignment.

    • In the details pane, double-click Allow Logon Locally.

    • Verify the users added here and click Add User or Group.

    • Type the name of the account "USERS" that you want to allow to log on locally. As an alternative, click Browse to locate the account with the Select Users, Computers, or Groups dialog box, and then click OK.

    • After you have the account name entered, click OK in the Add User or Group dialog box, and then click OK in the Allow log on locally Properties dialog box.

  3. Check the “Deny Logon Locally” policy for any explicit inclusion of the “Users” group

    • Click Start, type gpedit.msc, and then press ENTER.

    • In the console tree, expand Computer Configuration, Policies, Windows Settings, Security Settings, and Local Policies, and then click User Rights Assignment.

    • In the details pane, double-click Deny Logon Locally.

    • Verify the users added here and Make sure USERS group is not added.

Note: The same steps apply to a Domain Group policy (or any other Group policy) that needs to be added or modified using Group Policy Management Console.

More Information

This issue is fixed in Windows Server 2012 R2.

Facebook LinkedIn Email

Need more help?

Want more options?

Discover Community

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Microsoft 365 subscription benefits

Microsoft 365 training

Microsoft security

Accessibility center

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Ask the Microsoft Community

Microsoft Tech Community

Windows Insiders

Microsoft 365 Insiders

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×