
Remote logon to a Windows instance fails with the "remote desktop user group does not have this permission" error

Last Updated: Dec 30, 2020

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

Problem description

The following error occurs when you remotely log on to an ECS instance running Windows.

Possible cause

Either of the following two causes can make the remote logon fail:

  • The user rights assignment in the local security policy has been modified.
  • The common user has not been granted the remote logon permission.


Alibaba Cloud reminds you that:

  • Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
  • If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
  • If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.

This topic provides a solution for each cause.

Solution to local security policy problems

  1. Log on to the ECS console and connect to the server. Press Win+R to open the Run window, then enter the gpedit.msc command to open the Local Group Policy Editor.
  2. In the Local Group Policy Editor, click Computer Configuration > Windows Settings > Security Settings > User Rights Assignment.
  3. In the User Rights Assignment view, double-click Deny log on through Remote Desktop Services to open its properties window.
  4. In the Deny log on through Remote Desktop Services properties window, check whether "Remote Desktop Users" or the domain user account that you want to log on with is listed. If so, remove it.
  5. In the User Rights Assignment view, double-click Allow log on through Remote Desktop Services to open its properties window.
  6. In the Allow log on through Remote Desktop Services properties window, check whether "Remote Desktop Users" and the domain user account that you want to log on with are listed. If not, add them.
    For example, to add a yyy user account, confirm that the yyy account exists and click OK.
  7. Use the newly added user to remotely log on to the Windows instance from another host. For example, use the "yyy" user to remotely log on to the instance again.
  8. Confirm that you can log on to the remote host normally. The remote logon failure is now resolved.

Solution for a common user who is not granted the remote logon permission

  1. Right-click Computer and choose Manage > Local Users and Groups to create the corresponding user. This topic uses a user named test as an example.
  2. After the user is created, right-click the test user name, select Properties, open the Member Of tab, and click Add to add the user to the "Remote Desktop Users" group. The common user can then log on remotely.
    Note: "Remote Desktop Users" is the group to which the remote logon permission is granted. All users in this group are granted the remote logon permission.
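
The following PowerShell check is an added example, not part of the original article. It audits both causes described above for one account: the two Remote Desktop user rights and membership in "Remote Desktop Users". It assumes an elevated Windows PowerShell 5.1 or later session on the instance; `yyy` is the sample account name from this topic, and the temporary file name is arbitrary.

```powershell
# Added example: audit both causes of the logon failure for one account.
$User = 'yyy'                  # sample account name used in this topic
$rdu  = 'S-1-5-32-555'         # well-known SID of BUILTIN\Remote Desktop Users

# Export only the User Rights Assignment section of the local security policy.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Get-RightHolders([string]$Right) {
    # Exported lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $line = Select-String -Path $cfg -Pattern "^$Right\s*=" | Select-Object -First 1
    if (-not $line) { return @() }          # right is assigned to nobody
    ($line.Line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

# "Allow log on through Remote Desktop Services"
$allow = Get-RightHolders 'SeRemoteInteractiveLogonRight'
# "Deny log on through Remote Desktop Services"
$deny  = Get-RightHolders 'SeDenyRemoteInteractiveLogonRight'
Remove-Item $cfg -ErrorAction SilentlyContinue

# Resolve the account to a SID; this throws if the account does not exist.
$sid = (New-Object System.Security.Principal.NTAccount($User)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Direct membership in the Remote Desktop Users group.
$inGroup = [bool](Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                  Where-Object { $_.SID.Value -eq $sid })

# secedit writes some accounts by name and others as SIDs, so compare against both.
[pscustomobject]@{
    User                 = $User
    DenyListsGroup       = $deny  -contains $rdu
    DenyListsUser        = ($deny  -contains $sid) -or ($deny  -contains $User)
    AllowListsGroup      = $allow -contains $rdu
    AllowListsUser       = ($allow -contains $sid) -or ($allow -contains $User)
    InRemoteDesktopUsers = $inGroup
}

# Equivalent of step 2 in the second solution, if the account is not yet a member:
# Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $User
```

A logon is expected to work when both Deny fields are False and either AllowListsUser is True, or AllowListsGroup and InRemoteDesktopUsers are both True. The check covers direct entries only, not rights inherited through other groups.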

Application scope

  • ECS