Affected versions: Windows Server 2019

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution — Primary Fix
  7. Solution — Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Authorized admins cannot sign in over RDP, delaying support and maintenance operations.

Environment & Reproduction

Windows Server 2019 after GPO hardening that modifies User Rights Assignment.

qwinsta
secedit /export /cfg C:\Temp\secpol.cfg

Root Cause Analysis

The "Allow log on through Remote Desktop Services" right was removed, or deny rights were applied to required groups.
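
To confirm which of the two causes applies, the export written by the secedit command above can be checked directly. The script below is an added example, not part of the original article. It assumes the export is at C:\Temp\secpol.cfg, falls back to a constructed sample when that file is absent, and compares only SIDs written directly in the policy (nested group membership is not expanded). The function name is hypothetical.

```powershell
# Added example (not from the original article). Reads the [Privilege Rights]
# lines of a secedit export and reports the RDP allow/deny rights per SID.
function Test-RdpLogonRight {
    param(
        [string[]]$Lines,         # content of the secedit export
        [string[]]$RequiredSids   # SIDs that must be able to sign in over RDP
    )
    # Return the members of one right; secedit writes SIDs as *S-1-...
    $members = {
        param($right)
        $line = $Lines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        if (-not $line) { return @() }   # right not defined: nobody holds it
        @(($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
    $allow = @(& $members 'SeRemoteInteractiveLogonRight')       # Allow log on through RDS
    $deny  = @(& $members 'SeDenyRemoteInteractiveLogonRight')   # Deny log on through RDS
    foreach ($sid in $RequiredSids) {
        $status = 'BLOCKED: allow right missing'
        if ($allow -contains $sid) { $status = 'OK' }
        if ($deny  -contains $sid) { $status = 'BLOCKED: deny right applied' }  # deny overrides allow
        [pscustomobject]@{
            Sid     = $sid
            Allowed = ($allow -contains $sid)
            Denied  = ($deny -contains $sid)
            Status  = $status
        }
    }
}

# Constructed sample of an export after hardening; used only if the real file is absent.
$sample = @'
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-555
'@ -split '\r?\n'

$path  = 'C:\Temp\secpol.cfg'
$lines = if (Test-Path $path) { Get-Content $path } else { $sample }

# Well-known SIDs: S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users
Test-RdpLogonRight -Lines $lines -RequiredSids 'S-1-5-32-544', 'S-1-5-32-555' |
    Format-Table -AutoSize
```

An entry that secedit wrote as an account name instead of a SID will not match the SID comparison, so review such lines by hand.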

Quick Triage

Verify NLA, group membership, and policy assignments.

Get-LocalGroupMember -Group 'Remote Desktop Users'
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

Step-by-Step Diagnosis

Inspect effective GPO and security events tied to failed logon attempts.

gpresult /h C:\Temp\rdp-policy.html
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4776} -MaxEvents 80

Solution — Primary Fix

Restore required user rights and group membership, then refresh policy.

net localgroup "Remote Desktop Users" "CONTOSO\ServerAdmins" /add
gpupdate /force

Solution — Alternative Approaches

Use Just-in-Time local group assignment for temporary admin access.

Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'CONTOSO\OpsOnCall'

Verification & Acceptance Criteria

RDP sign-in succeeds for the approved group, and denied users remain blocked.

Test-NetConnection server01.contoso.local -Port 3389

Rollback Plan

Revert local group changes if they conflict with the central privileged access model.

net localgroup "Remote Desktop Users" "CONTOSO\OpsOnCall" /delete

Prevention & Hardening

Manage RDP rights through a dedicated GPO linked to server admin OUs, with change review.

Get-GPO -All | Select-Object DisplayName

Related Errors & Cross-Refs

Linked to NLA certificate issues and expired privileged account passwords.

References & Further Reading

Microsoft Learn: RDP security policy and user rights assignment guidance.