|
| 1 | +--- |
| 2 | +title: The System Administrator Has Restricted the Types of Logon |
| 3 | +description: Helps resolve an error "The system administrator has restricted the types of logon (network or interactive) that you may use" when connecting to an Azure virtual machine (VM). |
| 4 | +ms.date: 05/22/2025 |
| 5 | +manager: dcscontentpm |
| 6 | +audience: itpro |
| 7 | +ms.topic: troubleshooting |
| 8 | +ms.reviewer: kaushika, akastha, v-lianna |
| 9 | +ms.custom: |
| 10 | +- sap:remote desktop services and terminal services\session connectivity |
| 11 | +- pcy:WinComm User Experience |
| 12 | +--- |
| 13 | +# "The system administrator has restricted the types of logon" error when connecting to an Azure VM |
| 14 | + |
| 15 | +This article helps resolve an error "The system administrator has restricted the types of logon (network or interactive) that you may use" when connecting to an Azure virtual machine (VM). |
| 16 | + |
| 17 | +When you use a Remote Desktop Protocol (RDP) connection to connect to an Azure VM, you're prompted for credentials. However, the session ends immediately after authentication, and you receive the following error message: |
| 18 | + |
| 19 | +> The system administrator has restricted the types of logon (network or interactive) that you may use. |
| 20 | +
|
| 21 | +This error indicates that an attempted RDP connection is blocked because of a restriction in the system's Local Security Policy or Group Policy settings related to the allowed logon type. |
| 22 | + |
| 23 | +In addition, you also receive the following events or messages in Event Viewer logs: |
| 24 | + |
| 25 | +- [Event ID 4625](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625) with a logon failure due to logon type restrictions. |
| 26 | +- [Event ID 4005](/answers/questions/389027/winlogon-error-4005) with the message "The Windows logon process has unexpectedly terminated." |
| 27 | + |
| 28 | +This error might occur for the following reasons: |
| 29 | + |
| 30 | +|Cause |Explanation | |
| 31 | +|---------|---------| |
| 32 | +|The user lacks the **Allow log on through Remote Desktop Services** right |The account isn't a member of a group allowed to use RDP (like **Remote Desktop Users** or **Administrators**). | |
| 33 | +|Group Policy restrictions on logon types |Group Policy Object (GPO) or local security policy denies logon via RDP or network. | |
| 34 | +|Conflicting security settings |One policy allows logon, but another policy overrides it and denies it.| |
| 35 | +|RDP logon denied by "Deny" policies |The user is explicitly denied logon rights. | |
| 36 | +|Network Level Authentication (NLA) incompatibility |NLA requires credentials before establishing an RDP session. Older accounts or systems might fail. | |
| 37 | + |
| 38 | +## Troubleshooting steps |
| 39 | + |
| 40 | +1. Add the user to the **Remote Desktop Users** group by using the following cmdlet: |
| 41 | + |
| 42 | + ```Powershell |
| 43 | + Add-LocalGroupMember -Group "Remote Desktop Users" -Member "DOMAIN\Username" |
| 44 | + ``` |
| 45 | +
|
| 46 | +2. Verify user rights and group membership. |
| 47 | +
|
| 48 | + - On the local machine (via **secpol.msc** and **lusrmgr.msc**): |
| 49 | +
|
| 50 | + - In the Local Security Policy snap-in (**secpol.msc**), go to **Local Policies** > **User Rights Assignment**: |
| 51 | +
|
| 52 | + - Ensure the user or group is included in the following policies: |
| 53 | +
|
| 54 | + - **Access this computer from the network** |
| 55 | + - **Allow log on locally** |
| 56 | + - **Allow log on through Remote Desktop Services** |
| 57 | +
|
| 58 | + - Ensure the user or group isn't included in the following policies: |
| 59 | +
|
| 60 | + - **Deny access to this computer from the network** |
| 61 | + - **Deny log on locally** |
| 62 | + - **Deny log on through Remote Desktop Services** |
| 63 | +
|
| 64 | + - Open **lusrmgr.msc** and ensure the user is a member of **Remote Desktop Users**. |
| 65 | +
|
| 66 | + - On the domain controller (if the system is domain-joined): |
| 67 | +
|
| 68 | + - Open Group Policy Management Console and edit **Default Domain Controllers Policy**. |
| 69 | +
|
| 70 | + Go to **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Local Policies** > **User Rights Assignment**, and confirm the same settings as listed in the preceding step. |
| 71 | +
|
| 72 | + - Open the Active Directory Users and Computers snap-in: |
| 73 | +
|
| 74 | + - Ensure the user or group is a member of **Remote Desktop Users**. |
| 75 | + - Confirm group policy inheritance applies as expected. |
| 76 | +
|
| 77 | +3. Check effective Group Policy. Run the following command: |
| 78 | +
|
| 79 | + ```console |
| 80 | + gpresult /h report.html |
| 81 | + ``` |
| 82 | +
|
| 83 | + Open the report and verify the relevant logon rights under **Computer Details**. |
| 84 | +
|
| 85 | +4. Ensure NLA compatibility. You can temporarily disable NLA by using the following cmdlet if necessary: |
| 86 | +
|
| 87 | + ```powershell |
| 88 | + Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 0 |
| 89 | + ``` |
| 90 | +
|
| 91 | +5. Restart the system or update Group Policy settings by using the following command: |
| 92 | +
|
| 93 | + ```console |
| 94 | + gpupdate /force |
| 95 | + ``` |
0 commit comments