You notice that the check box "Deny this user permissions to logon to a Remote Desktop Session Host Server" behaves differently in Windows 2003 and Windows 2008


You may notice that the behavior of the 'Deny this use permissions to logon to a Remote Desktop Session Host Server' is different between Windows Server 2003 and Windows Server 2008. In Windows Server 2003 this setting is called 'Deny this user permission to logon to any Terminal Server.'

Consider the following setup:

1. Windows 2008 Server member server.

2. Windows Server 2003 member server.

3. Within Active Directory Users and Computers snap-in, choose a user and access the Remote Desktop Services Profile tab. If the domain controller is running Windows Server 2003, this will be called Terminal Services Profile. Here set the 'Deny this user permission to logon to a Remote Desktop Session Host server'setting. Again, in Windows Server 2003 this is called 'Deny this user permission to logon to any Terminal Server'.

4. Set this user as a member of either the "Remote Desktop Users" group or the local "Administrators" group under both the Windows Server 2003 as well as Windows Server 2008 servers.

Now, use this user's credentials to logon to the Windows 2003 member server via RDP, you will notice that this user will be blocked. However, this user will be able to logon to the Windows Server 2008 server.


This behaviour is by design. In Windows Server 2003, this setting is checked irresepective of whether the server is in Remote Administration Terminal Server mode or Application Terminal Server mode. However, in Windows Server 2008 this setting is checked on a machine that has Remote Desktop Services in Application Mode only. Remote Administration mode will not check this parameter. If you change the Windows Server 2008 server to Remote Desktop Services Application Mode by installing the role, this user will not be denied logon via RDP.


To deny a user or a group logon via RDP, explicitly set the "Deny logon through Remote Desktop Services" privilege. To do this access a group policy editor (either local to the server or from a OU) and set this privilege:

1. Start | Run | Gpedit.msc if editing the local policy or chose the appropriate policy and edit it.

2. Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.

3. Find and double click "Deny logon through Remote Desktop Services"

4. Add the user and / or the group that you would like to dny access.

5. Click ok.

6. Either run gpupdate /force /target:computer or wait for the next policy refresh for this setting to take effect.