The Friday Night Migration That Almost Went Wrong

A cautionary tale of domain controller migration, RDP lockouts, and the remote access tool that saved the weekend

8 min read · Windows Server 2025 · RDP · Security

When "Simple" Becomes Complicated

The migration itself went perfectly. Windows Server 2022 to 2025, all domain services transferred, no errors in the event logs. But then came the moment of truth: testing RDP access for regular users.

The Error Message:

"To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrator group have this right. If the group you're in doesn't have this right, or if the right has been removed from the Administrator's group, you need to be granted this right manually."

The Diagnosis: The event logs told the complete story:
  • ✅ Domain authentication: working (users could authenticate to the domain)
  • ❌ Local authorization: missing (the new server did not grant them the "Allow log on through Remote Desktop Services" user right)
  • 💡 The revelation: promoting a new DC carries over the directory data, not the old server's security settings. User rights on a domain controller come from the GPOs linked to the Domain Controllers OU, and the stock Default Domain Controllers Policy grants the RDP logon right to Administrators only.
The Moment of Panic
Step 1: The Quick Fix Attempt

Opened Local Security Policy, navigated to "Allow log on through Remote Desktop Services," and added a test user. Success! The user could now connect.

Step 2: The Cleanup Mistake

Removed the test user to keep things clean. But here's the critical error: I didn't add the proper domain groups first. The setting was no longer "Not Defined", inheriting whatever assignment existed before; it was now explicitly defined, with an empty list, which grants the right to nobody.

Step 3: The Lockout

The workstation went to sleep and the RDP session disconnected. Reconnecting, even to an existing disconnected session, is a fresh remote logon as far as authorization is concerned, so the attempt came back Access Denied. Even administrator accounts were locked out, because an explicitly defined but empty assignment strips the right from everyone, Administrators included.

The Lifeline: Third-Party Remote Access

The Save

With RDP completely locked down, the situation seemed hopeless. But there was one tool still running: a third-party remote access application that operates independently of Windows RDP services. This application uses its own authentication mechanism and doesn't rely on the "Allow log on through Remote Desktop Services" policy.

Why It Worked
  • Independent Service: Runs as its own Windows service, so the lost RDP right didn't stop it
  • Different Authentication: Uses application-specific credentials rather than a Windows interactive logon
  • Bypasses RDP Policy: Its sessions are not gated by the "Allow log on through Remote Desktop Services" user right, because that right is checked only on the Windows remote logon path that RDP uses
  • Always Available: Starts automatically with Windows
Caveat: the same properties that made it a lifeline make it a standing bypass of Windows logon controls on the most sensitive server in the domain. Keep such a tool on a domain controller only if it is locked down (strong authentication, a short allow-list of operators, alerting on every connection) and treat it as a break-glass path, not day-to-day access.
The Lesson

Always have a backup access method.

  • Third-party remote access tools
  • Out-of-band management (iLO, iDRAC)
  • Physical console access
  • Emergency break-glass procedures

The Resolution: Proper Group Policy Configuration

Immediate Fix

Once back in via the third-party tool, the fix was straightforward: add the Administrators group back to the "Allow log on through Remote Desktop Services" policy to restore immediate access, then confirm with a fresh RDP logon before closing the third-party session.

The Proper Solution

Created a domain security group called "RDS Allow" with global scope, then configured the Default Domain Controllers Policy:

# PowerShell to verify which principals the GPO actually grants the right to
[xml]$report = Get-GPOReport -Name "Default Domain Controllers Policy" -ReportType Xml
($report.GPO.Computer.ExtensionData.Extension.UserRightsAssignment | Where-Object Name -eq 'SeRemoteInteractiveLogonRight').Member.Name

Group Policy Path:

Computer Configuration
→ Windows Settings
→ Security Settings
→ Local Policies
→ User Rights Assignment
→ Allow log on through Remote Desktop Services
Configuration Steps
  1. Create Domain Group: Create "DOMAINNAME\RDS Allow" (Global Security Group)
  2. Edit Default Policy: Open "Default Domain Controllers Policy" in GPMC
  3. Add Group to Policy: Define "Allow log on through Remote Desktop Services" with both "BUILTIN\Administrators" and "DOMAINNAME\RDS Allow". A defined list replaces whatever held the right before; leaving Administrators out repeats the Step 2 mistake on every DC at the next policy refresh.
  4. Test Access: Run gpupdate /force on a DC, add a user to the group, and verify the connection with that user's account, not an admin account
  5. Document: Record the configuration for future reference
Why this approach works: The Default Domain Controllers Policy is linked to the Domain Controllers OU, so every current and future DC receives the same assignment. User rights in Group Policy do not merge: if another GPO linked to that OU defines the same right with higher precedence, its list wins outright, so keep the assignment in one place. Security caveat: every member of "RDS Allow" gets an interactive session on a domain controller, the most sensitive server in the domain. Keep the group small and audited, and point ordinary users at a session host or jump server rather than a DC wherever possible.
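The steps above can be checked from PowerShell before the next refresh pushes the GPO to every DC. The script below is an added example, not code from the original post: it creates the group and then reads the user right exactly as the GPO defines it, distinguishing "Not Defined" from "Defined but Empty" and warning if Administrators or the new group is missing. It assumes the RSAT ActiveDirectory and GroupPolicy modules and a domain admin session; the group and GPO names are the post's, the function name and check logic are this example's own.

```powershell
# Added example (not code from the original post): create the delegation group
# and verify what the Default Domain Controllers Policy actually grants BEFORE
# the next refresh pushes it to every DC. Needs the RSAT ActiveDirectory and
# GroupPolicy modules and a domain admin session. Group/GPO names are the
# post's; the function name and the check logic are this example's own.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'RDS Allow'
$GpoName   = 'Default Domain Controllers Policy'
$netbios   = (Get-ADDomain).NetBIOSName

# 1. Create the global security group once (safe to re-run)
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'May log on through Remote Desktop Services on domain controllers'
}
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# 2. Read the user right exactly as the GPO defines it (not the effective local state)
function Get-GpoRemoteLogonRight {
    param([string]$Name)
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    # Dotted XML navigation in PowerShell ignores the q1: namespace prefixes in the report
    $ura = $report.GPO.Computer.ExtensionData.Extension.UserRightsAssignment |
           Where-Object { $_.Name -eq 'SeRemoteInteractiveLogonRight' }
    if (-not $ura) {
        # Not Defined: the GPO leaves whatever assignment already exists untouched
        return [pscustomobject]@{ State = 'NotDefined'; Members = @(); SIDs = @() }
    }
    # Filter nulls so an empty <Member> list yields empty arrays, not @($null)
    $nodes = @($ura.Member | Where-Object { $_ })
    $state = if ($nodes.Count -eq 0) { 'DefinedButEmpty' } else { 'Defined' }
    [pscustomobject]@{
        State   = $state
        Members = @($nodes | ForEach-Object { $_.Name })
        SIDs    = @($nodes | ForEach-Object { $_.SID })
    }
}

$right = Get-GpoRemoteLogonRight -Name $GpoName
$right | Format-List

# 3. A defined list REPLACES the previous holders, so Administrators must be in it
#    alongside the new group; match on name or SID, whichever the report carries
$required = @{
    'BUILTIN\Administrators' = 'S-1-5-32-544'
    "$netbios\$GroupName"    = $groupSid
}
$granted = @($right.Members) + @($right.SIDs)
foreach ($entry in $required.GetEnumerator()) {
    if ($granted -notcontains $entry.Key -and $granted -notcontains $entry.Value) {
        Write-Warning "$GpoName does not grant SeRemoteInteractiveLogonRight to $($entry.Key) ($($entry.Value))"
    }
}
if ($right.State -eq 'DefinedButEmpty') {
    Write-Warning "$GpoName defines the right with no members: at the next refresh nobody, Administrators included, can RDP to any DC"
}
```

Run it after saving the GPO in GPMC and before the next refresh (or before you run gpupdate /force on a DC). The GPO is read through Get-GPOReport rather than by editing GptTmpl.inf in SYSVOL, so the script only observes the setting; the edit itself still happens in GPMC.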

What We Learned

Friday Migrations

Sometimes the risk is worth it when you have time to troubleshoot

Policy States

"Not Defined" ≠ "Defined but Empty" - crucial distinction. Not Defined leaves the existing assignment in place; Defined but Empty takes the right away from everyone, Administrators included.

Backup Access

Alternative remote access tools can be lifesavers

Group Strategy

Domain groups + GPO = scalable, manageable solution

Prevention: Never Get Locked Out Again

Emergency Toolkit
Always Have These Ready:
  • Third-party remote access: Independent of Windows RDP
  • Out-of-band management: iLO, iDRAC, or similar
  • Physical access plan: Know where the server is
  • Emergency contacts: Who has physical access?
  • Recovery documentation: Step-by-step procedures

The Bottom Line

For System Administrators:
  • Test everything: Including user access, not just admin access
  • Understand policy states: "Not Defined" vs "Defined but Empty"
  • Plan for failure: Always have a backup access method
  • Use domain groups: Scalable and manageable through GPO
  • Document configurations: Future you will thank present you
Pro Tip:

The difference between "Not Defined" and "Defined but Empty" in Group Policy can be the difference between a smooth evening and a stressful weekend. When you modify a policy, always ensure you're setting it to the correct state, not just clearing it.
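One way to catch the wrong state before it costs you the session: check the effective right on the server you are logged on to. The script below is an added example, not code from the original post. It exports the effective user-rights database with secedit, resolves the holders of SeRemoteInteractiveLogonRight, and refuses silently pass if BUILTIN\Administrators is not among them. It assumes an elevated PowerShell on the DC (run after gpupdate /force so GPO-applied values are included); the temp file path and function name are this example's own choices.

```powershell
# Added example (not from the original post): check the EFFECTIVE
# "Allow log on through Remote Desktop Services" right on this server before
# you disconnect, so an empty assignment is caught while you still have a
# session. Run from an elevated PowerShell on the DC after gpupdate /force.
# Assumes secedit.exe (present on every Windows Server build); the temp path
# and the function name are this example's own choices.

function Get-EffectiveRemoteLogonRight {
    $inf = Join-Path $env:TEMP 'secpol-check.inf'
    # Export the effective user-rights database (local policy as overridden by GPO)
    $null = secedit.exe /export /cfg $inf /areas USER_RIGHTS
    try {
        # secedit writes a UTF-16 INF; read it with the matching encoding
        $line = Get-Content -Path $inf -Encoding Unicode |
                Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' } |
                Select-Object -First 1
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }

    # Absent from the export or present with no members both mean nobody holds the right
    $raw = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
    if ($raw -eq '') {
        return [pscustomobject]@{ State = 'NoHolders'; Members = @() }
    }

    # Holders are comma separated, written either as *SID or as a plain account name
    $members = foreach ($token in ($raw -split ',')) {
        $t = $token.Trim()
        if ($t.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $t.Substring(1)
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $t   # unresolvable SID (deleted account): keep the raw token
            }
        } else {
            $t
        }
    }
    return [pscustomobject]@{ State = 'Defined'; Members = @($members) }
}

$right = Get-EffectiveRemoteLogonRight
$right | Format-List

# Refuse to let an admin walk away from an assignment that excludes Administrators
if ($right.Members -notcontains 'BUILTIN\Administrators') {
    $msg = "SeRemoteInteractiveLogonRight state '{0}' (holders: {1}) lacks BUILTIN\Administrators: do NOT disconnect this session until it is fixed." -f $right.State, ($right.Members -join ', ')
    Write-Warning $msg
} else {
    Write-Host 'OK: BUILTIN\Administrators still hold the Remote Desktop logon right.'
}
```

The check reads the effective policy (what the Local Security Authority will enforce on the next logon), which is the value that matters on a DC where a linked GPO can overwrite a local edit at the next refresh. Make it the last command you run before closing a remote session on any server whose user rights you have just touched.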

Epilogue: A Friday Night Well Spent

What started as a routine migration turned into a valuable learning experience. The combination of understanding Windows security policies, having backup access methods, and knowing how to properly configure domain-based solutions turned a potential disaster into a successful project completion.

The Happy Ending: By midnight, all users had proper RDP access through the new domain group, the GPO was correctly configured and documented, and the migration was complete. Sometimes the best lessons come from the problems we create for ourselves.

Remember: Every experienced sysadmin has a story like this. The key is learning from it and sharing the knowledge so others can avoid the same pitfalls.

Migration Summary

  • Migration: successful
  • Hours of troubleshooting: 3
  • Backup tools used: 1
  • Final solution: GPO


Tools That Saved the Day: Third-party remote access application

Lesson Learned: Always test with regular user accounts

Have you had a similar close call?

Every admin has war stories. The important thing is documenting and sharing them so the community can learn together.