Active Directory permission: log on to a domain controller


How to permit logging on to a DC



  • The customer has an « Administration » domain with DCs running Win2016 in « Forest A » and a Production domain with DCs running Win2008R2 in « Forest B » (single domain)
  • There is a Two-way trust in place between the Forests


  • Currently, so that the « Administration » domain administrators can log on to DCs in the Production domain via RDP, the customer has added them to the Domain Admins group in production
  • They would like to be able to achieve this goal without adding the Forest A Administrators to the Domain Admins group (or equivalent) in Forest B


  • They want to know which privileges or rights are required to achieve this



  • Configuration



  • In order to allow the administrators from Forest A to log on to the DCs in Forest B without being added to the Forest B Domain Admins group, we performed the following actions:


    • We created a new Domain Local security group in Forest B and a new Global security group in Forest A. We added the user from Forest A to the Global group, which in turn was added to the Domain Local group in Forest B
    • We added the Local group to the “Allow Logon Locally” user right in the Default Domain Controllers Policy in Forest B
    • We also added the group to the “Allow Logon Through Remote Desktop Services” user right in the Default Domain Controllers Policy in Forest B
    • In the “Remote” tab / “Select Users” of the “System Properties” on a DC in Forest B we added the group to the “Remote Desktop Users” list



    • Also, in the Remote Desktop console on the server, the new group was added to “Remote Desktop Users”
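
One way to verify the result of the steps above on a Forest B DC, as an added example that is not part of the original post. The group name `DL-ForestA-DC-Logon` is a placeholder for the Domain Local group, and treating built-in Administrators as the "equivalent" of Domain Admins is an assumption of this example.

```powershell
# Added example: run elevated on a DC in Forest B after Group Policy has refreshed.
# Assumption: 'DL-ForestA-DC-Logon' is a placeholder name for the Domain Local group.
Import-Module ActiveDirectory

$GroupName = 'DL-ForestA-DC-Logon'
$group     = Get-ADGroup -Identity $GroupName
$sid       = $group.SID.Value

# Export this DC's effective user rights assignment to an INF file.
$cfg = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Test-UserRight {
    param([string]$Right, [string]$Path, [string]$Sid, [string]$Name)
    # Exported lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-...
    $hit = Select-String -Path $Path -Pattern "^$Right\s*=" | Select-Object -First 1
    if (-not $hit) { return $false }
    $entries = ($hit.Line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
    # secedit writes SIDs for most principals but may write a name; accept either.
    foreach ($e in $entries) {
        if ($e -eq $Sid -or $e -eq $Name -or $e -like "*\$Name") { return $true }
    }
    return $false
}

# Membership checks read the 'member' attribute (DNs), which also lists
# foreign security principals coming from the trusted forest.
$rdu    = (Get-ADGroup -Identity 'Remote Desktop Users' -Properties member).member
$admins = (Get-ADGroup -Identity 'Administrators' -Properties member).member

[pscustomobject]@{
    AllowLogOnLocally    = Test-UserRight 'SeInteractiveLogonRight' $cfg $sid $GroupName
    AllowLogOnThroughRDS = Test-UserRight 'SeRemoteInteractiveLogonRight' $cfg $sid $GroupName
    InRemoteDesktopUsers = $rdu -contains $group.DistinguishedName
    # Should be empty once Forest A accounts no longer need admin-equivalent membership.
    ForeignPrincipalsInAdministrators =
        @($admins | Where-Object { $_ -like '*CN=ForeignSecurityPrincipals,*' })
}

Remove-Item $cfg
```

The first three properties should be `True`; any entry in the last one is a Forest A principal that still holds administrator-equivalent membership in Forest B.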



More information

Grant a Member the Right to Logon Locally


Allow log on locally – security policy setting


“Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group.


Allow log on through Remote Desktop Services

