Fix: ERROR_CTX_LOGON_DISABLED (0X00001B7D) – Logon Privilege Disabled
This error means your user account or group lacks the 'Allow log on through Remote Desktop Services' right. Here's how to fix it fast.
When This Error Hits
You're trying to RDP into a Windows Server box—could be 2016, 2019, or 2022—and BAM: 'Your interactive logon privilege has been disabled. Please contact your administrator.' The error code is 0X00001B7D. Had a client last month whose entire IT team locked themselves out of a domain controller because someone ran a GPO update that yanked the Remote Desktop Users group from the logon right. Messy.
What's Actually Going On
Windows has a built-in security setting called 'Allow log on through Remote Desktop Services.' This is the key that lets users connect via RDP. If your account or the group it belongs to (like Remote Desktop Users or Domain Users) doesn't have that privilege, Windows slams the door. The 0X00001B7D error is the result. It's not a network problem or a licensing issue—it's a permissions problem in the Local Security Policy or Group Policy.
The Fix: Restore the Logon Right
You'll need admin access to the server—hopefully you still have console or physical access. If not, you'll have to boot into Safe Mode or use a local admin account that hasn't been restricted. Here's the step-by-step:
- Open Local Security Policy
Press Win + R, typesecpol.msc, and hit Enter. - Navigate to the Right Setting
Go toSecurity Settings > Local Policies > User Rights Assignment. - Find 'Allow log on through Remote Desktop Services'
Scroll down to that policy. Double-click it. - Add Your User or Group
Click 'Add User or Group...', type the user's name or the group (e.g.,Domain UsersorRemote Desktop Users), then click OK. If you're on a domain, use domain\username format. - Apply and Close
Click OK on the policy window, then close secpol.msc. - Refresh the Policy
Open a command prompt as admin and rungpupdate /force. Or just reboot the server. - Test the Connection
Try RDP again. Should work now.
If That Didn't Fix It
Check if a Group Policy is overriding your local setting. Open gpedit.msc and look under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment for the same policy. If it's defined there, it'll beat the local setting. You'd need to modify the domain GPO or edit the local GPO to not conflict.
Also check account status: make sure the account isn't disabled, expired, or locked out. Run net user username /domain to see.
If you're still stuck, check the RDP listener itself. Open tsconfig.msc (Remote Desktop Session Host Configuration) and verify the 'RDP-Tcp' connection is enabled and permissions include your user. Had one case where a dev messed with the listener security descriptor directly—that's a quick win to check.
Final word: On domain controllers, the default security policy is stricter. The 'Allow log on through Remote Desktop Services' normally includes only Administrators. You'll need to add the Remote Desktop Users group manually if you want non-admins to RDP. Seen that catch plenty of admins off guard.
Was this solution helpful?