A user is trying to RDP to a Windows server via Advanced Server Access (ASA) or Okta Privileged Access (OPA) server agents, but failing with the following error:
To sign in remotely, you need the right to sign in through Remote Desktop Services
This applies to:
- Okta Privileged Access (OPA), when configured to provision local users onto the server
- Advanced Server Access (ASA), when the AD-joined feature is not used
OPA and ASA server agents provision and manage local users on the servers (unless OPA is configured to manage existing local users, or ASA's AD-joined feature is used). OPA/ASA then RDPs the user into the server as one of these local users.
This error generally indicates that the server is rejecting the RDP attempt because it has determined that the specified user is not allowed to RDP to that server. A common cause is that the user is not a member of the "Remote Desktop Users" group. This should be verified, but it is unlikely to be the cause here because the OPA and ASA server agents add the provisioned local users to this group.
In this case, the issue was due to a specific GPO that denied RDP access to all local accounts, regardless of whether the account was a member of the "Remote Desktop Users" group.
Reconfigure the following GPO to make sure "Local accounts" are NOT denied access to Remote Desktop Services: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on through Remote Desktop Services.
Example of the GPO causing the issue [screenshot]: removing "Local accounts" from this setting resolves the issue.
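The following PowerShell script is an added diagnostic, not part of the Okta article or the OPA/ASA agents. Run in an elevated session on the affected server, it checks both conditions discussed above: whether the provisioned local user is in "Remote Desktop Users", and whether the effective "Deny log on through Remote Desktop Services" right (SeDenyRemoteInteractiveLogonRight) lists the well-known "Local account" SIDs S-1-5-113 / S-1-5-114 or the user directly. The $UserName value is a placeholder.

```powershell
# Added diagnostic, not Okta's code. Run in an elevated PowerShell session on the
# affected Windows server. $UserName is a placeholder for the OPA/ASA-provisioned local user.
param([string]$UserName = 'PLACEHOLDER-local-user')

# Well-known SIDs that the GPO editor displays as "Local account" and
# "Local account and member of Administrators group".
$localAccountSids = @{
    'S-1-5-113' = 'Local account'
    'S-1-5-114' = 'Local account and member of Administrators group'
}

# Check 1: the provisioned user should be a member of "Remote Desktop Users".
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
$inGroup = @($members | Where-Object { ($_.Name -split '\\')[-1] -ieq $UserName }).Count -gt 0
"Remote Desktop Users membership for '$UserName': $inGroup"

# Check 2: export the effective local security policy and read the deny-RDP right.
$inf = Join-Path $env:TEMP 'rdp-deny-check.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$denyLine = (Select-String -Path $inf -Pattern '^SeDenyRemoteInteractiveLogonRight\s*=' |
             Select-Object -First 1).Line
Remove-Item $inf -ErrorAction SilentlyContinue

if (-not $denyLine) {
    "'Deny log on through Remote Desktop Services' is not assigned to any principal."
} else {
    # The export lists principals as "*S-1-5-113,*S-1-5-114" or as account names; strip the '*'.
    $principals = ($denyLine -split '=', 2)[1] -split ',' |
                  ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
    "'Deny log on through Remote Desktop Services' is assigned to: $($principals -join ', ')"
    foreach ($sid in $principals) {
        if ($localAccountSids.ContainsKey($sid)) {
            "  FOUND: '$($localAccountSids[$sid])' ($sid) is denied RDP; this blocks OPA/ASA local users."
        }
    }
    $userSid = (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue).SID.Value
    if ($userSid -and ($principals -contains $userSid)) {
        "  FOUND: '$UserName' ($userSid) is denied RDP directly."
    }
}
# To identify which GPO sets this right, generate a report: gpresult /scope computer /h gpreport.html
```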
