How to fix remote desktop access in Windows Server 2012 R2

Solution 1

Finally found the problem. Launch gpedit.msc, navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on through Remote Desktop Services. In my case this was empty, whereas on my working servers it had the group Administrators. Adding the group Administrators immediately fixed my problem.
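The same check can be done from the console without the GUI. The script below is an added example, not part of the original answer: it exports the User Rights Assignment settings with secedit and lists who holds SeRemoteInteractiveLogonRight (the internal name of "Allow log on through Remote Desktop Services"), warning when the list is empty or lacks Administrators. The scratch file name is an assumption.

```powershell
# Added example: list who holds SeRemoteInteractiveLogonRight ("Allow log on
# through Remote Desktop Services"). Run from an elevated console on the server.
$right   = 'SeRemoteInteractiveLogonRight'
$admins  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$cfgFile = Join-Path $env:TEMP 'user-rights-audit.inf'   # scratch file name (assumption)

# Export only the User Rights Assignment area of the system's security settings.
secedit /export /cfg $cfgFile /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
try {
    # Expected form: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    # When nobody holds the right, the line may be missing or have an empty value.
    $line = Get-Content -Path $cfgFile |
        Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
} finally {
    Remove-Item -Path $cfgFile -ErrorAction SilentlyContinue
}

$entries = @()
if ($line) {
    $entries = @(($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$holders = @(foreach ($entry in $entries) {
    $raw = $entry.TrimStart('*')
    try {
        # Entries are '*<SID>' or, less often, a plain account name.
        $sid = if ($entry.StartsWith('*')) {
            New-Object System.Security.Principal.SecurityIdentifier ($raw)
        } else {
            (New-Object System.Security.Principal.NTAccount ($raw)).Translate([System.Security.Principal.SecurityIdentifier])
        }
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    } catch {
        [pscustomobject]@{ Sid = $raw; Name = '<unresolved>' }   # e.g. a deleted account
    }
})

if ($holders.Count -eq 0) {
    Write-Warning "$right is assigned to no one; RDP logons will be refused."
} elseif (($holders | ForEach-Object { $_.Sid }) -notcontains $admins) {
    Write-Warning "BUILTIN\Administrators does not hold $right."
}
$holders | Format-Table -AutoSize
```

Running it on a known-good server as well gives a baseline to compare against, which is how the answer above spotted the empty setting.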

Solution 2

It sounds like you were playing with Restricted Groups. If so, the group isn't restricted any more, but everyone who was in that group has been kicked out.

You need to create a new GPO and apply it. Then you can log in. After you're safely logged in, you can un-apply it and make sure the group membership is what you want it to be.

Author: Daniel

Updated on September 18, 2022

Comments

  • Daniel
    Daniel over 1 year

    Kind of an embarrassing question but...

    One day I was playing around with GPOs to try and grant local Administrator access to a specific User group for a specific Client computer.

    Somehow, I messed up the GPO. I have since deleted that GPO and I can’t find the original guide I was following.

    The end result is that I now have a server running Windows Server 2012 R2, which I cannot connect to via RDP, using a domain Administrator account!

    I receive the following message when attempting to connect as a domain Administrator:

    To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right. If the group you are in doesn’t have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually.

    Basically, how can I “undo” the effects of that old GPO, and return the RDP access settings to their default state? I know I could just add “Administrators” to the list of allowed users in the control panel, but I want to make sure I actually reverse whatever changes I accidentally made before.

    • joeqwerty
      joeqwerty almost 8 years
      An important point to note: Deleting a GPO doesn't revert the settings that were configured by that GPO. You need to "unconfigure" the settings and then delete the GPO.
    • Daniel
      Daniel almost 8 years
      I know this. At the time, I thought the GPO hadn’t worked at all, so I just deleted it. Turns out it affected just this one server. And since I don’t frequently login to this server, I only just realized it now. So now I need to figure out how to reverse the effects of a GPO that doesn’t exist anymore.
  • Daniel
    Daniel almost 8 years
    I have console access to the server. I don’t need to fix the problem via GPO. How can I fix it on the machine directly?
  • Katherine Villyard
    Katherine Villyard almost 8 years
    Edit the membership of the Administrators group, or whichever group it was that you changed.
  • Daniel
    Daniel almost 8 years
    Is there any way I can see which groups have been changed from default :o
  • Katherine Villyard
    Katherine Villyard almost 8 years
    Unfortunately, no. :( If you have a similar server that didn't have the same policy applied, it might help you make an educated guess.
  • Daniel
    Daniel almost 8 years
    So... apparently you can’t directly edit local users and groups on a domain controller, which this server happens to be. Soooooo, how can I edit this local group from the console :o
  • Katherine Villyard
    Katherine Villyard almost 8 years
    I just ran net localgroup and net localgroup administrators on a server core domain controller (without arguments) and it seemed to work. I didn't attempt to make any changes, though.
  • Daniel
    Daniel almost 8 years
    Yes, I think I was playing around with Restricted Groups, but I'm not sure what I did exactly. I have a working RDP GPO which makes use of Restricted Groups by editing the BUILTIN\Administrators and BUILTIN\Remote Desktop Users groups. Well, I'm still at a loss as to what is wrong with this server as running net localgroup Administrators and net localgroup "Remote Desktop Users" both show my DomainAdminAccount. So I'm not sure why my RDP connection is getting rejected. :(
  • Daniel
    Daniel almost 8 years
    Never mind. Finally found the problem. Launch gpedit.msc, navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on through Remote Desktop Services. In my case this was empty, whereas on my working servers it had the group Administrators. Adding the group Administrators immediately fixed my problem.