This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. If the help desk in your organization does not use Remote Assistance, assign this user right only to the Administrators group or use the restricted groups feature to ensure that no user accounts are part of the Remote Desktop Users group. Restrict this user right to the Administrators group, and possibly the Remote Desktop Users group, to prevent unwanted users from gaining access to computers on your network by means of the Remote Assistance feature. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers. Vulnerability: Any account with the Allow log on through Terminal Services user right can log on to the remote console of the computer. If you do not restrict this user right to legitimate users who need to log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges. Counter Measure: For domain controllers, assign the Allow log on through Terminal Services user right only to the Administrators group. For other server roles and end-user computers, add the Remote Desktop Users group. For Terminal Servers that do not run in Application Server mode, ensure that only authorized IT personnel who need to manage the computers remotely belong to either of these groups. Caution For Terminal Servers that do run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group, because this built-in group has this logon right by default. Alternatively, you can assign the Deny Logon Through Terminal Services user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also happen to belong to a group that has the Deny Logon Through Terminal Services user right. Potential Impact: Removal of the Allow log on through Terminal Services user right from other groups or membership changes in these default groups could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities will not be adversely affected. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services (2) REG: NO INFO