All Products
Document Center

:"Connection denied because this user account is not authorized to remotely log on to the ECS instance" error

Last Updated:Dec 15, 2020

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.


Problem description

When you connect to a Windows-based ECS instance, the connection is denied because the user account is not authorized to log on remotely." Error, causing remote login to the server.

Note: logon through VNC is not affected.


Possible cause

The Windows Remote Desktop permission configuration is abnormal.



Alibaba Cloud reminds you that:

  • Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
  • If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
  • If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.

Perform troubleshooting as follows.


Troubleshooting group policy user permission allocation

  1. Management terminal
  2. Select start > Run input secpol.msc , open the group policy editor
  3. Select local policy User permission allocation>   Allow logon through Remote Desktop Services. Confirm that the following user groups are included. If the corresponding user group is missing, click the add users or user groups button to add to.


Troubleshoot user group attributes

  1. Select start > Run input lusrmgr.msc , open local users and groups configuration management unit.
  2. Click the users node in the left-side navigation pane and switch to user management.
  3. Double-click the username with an access exception. In the displayed user Properties dialog box, switch to the reports tab. Ensure that the user belongs to how do I use the group policy user rights assignment section has been imparted to the remote server with the permissions of the user to a RAM user group with.


Troubleshoot remote desktop session host configuration

  1. Select start > Run input tsconfig.msc , open remote desktop session host configuration management unit.
  2. Double-click the default Remote Desktop Connection configuration RDP-Tcp or another connection configuration added by the user, and then switch to the security tab.
  3. Ensure group or user names under comprising how do i use the group policy user rights assignment section has been imparted to the remote server with the permissions of the group, or a separate username. If the configuration is missing, click the add button to add.
  4. Restart the server, or run the following command in the command prompt to restart the remote desktop service to make the configuration take effect. A warning prompt appears, select Y, and click OK.
    net stop TermService
    net start TermService


Application scope

  • ECS