Kitsap_Technology asked:

Remote Desktop Users keep being removed

I recently removed a handful of people that had domain admin rights from our Active Directory. I then added those users to the Remote Desktop Users group and then updated Group Policy so that Computer Configuration\Administrative Templates\Windows Components\Terminal Services had "Allow users to connect remotely using Terminal Services" enabled. I also went to Computer Configuration\Windows Settings\Security Settings\Restricted Groups and added Remote Desktop Users to the Restricted Groups. After doing a GPUpdate /force on the machines, these users still cannot connect. I went back to verify that the users were in the Remote Desktop Users group and I noticed they were gone. I tried to add a user again and after about 1 minute, the user was gone again.
LauraEHunterMVP
> "I also went to Computer Configuration\Windows Settings\Security Settings\Restricted Groups and added Remote Desktop Users to the Restricted Group. "

What configuration did you create in the Restricted Groups node? I can almost guarantee you that this is where your issue lies.
Kitsap_Technology (asker)
In Restricted Groups, I added "Remote Desktop Users". Once I did that, I did a GPUpdate but the users did not appear in the Remote Desktop Users group on the local machine. I then, under "Members of this group", added "Desktop Technicians" and "IT Operations" (the two groups I need to give access to) and did another GPUpdate, and then the users were under Remote Desktop Users. But now, none of the Domain Admins can remote into machines.
LauraEHunterMVP

> "I then under Members of this group added "Desktop Technicians and IT Operations (the two groups I need to give access to)"

By doing so, Domain Admins is removed from the Remote Desktop Users group every time GP is refreshed. The "Members" function within Restricted Groups is destructive - it will remove all members from the group in question except for those that you have explicitly delineated in the "Members" section.
Kitsap_Technology (asker)

So, I need to remove the users from "Members", but then the users are not pushed to the machine via Group Policy because the users are not staying in the "Remote Desktop Users" group in AD. How do I get the users to stay there, or how do I find out why they are being removed?
LauraEHunterMVP

I'm confused by your description of the problem, and what steps you have taken to resolve it.

You have a number of users whom you would like to add to the Remote Desktop Users group of every machine on your domain, correct?

Create a security group containing those users; let's call it "RDPUsers".

Create a GPO (or modify an existing GPO) and link it to the OU containing the machines that you want these users to be able to RDP into.

Within that GPO, configure "RDPUsers" as a Restricted Group. Within the "This group is a member of..." section, add "Remote Desktop Users".

This will add "RDPUsers" to the membership list of Remote Desktop Users for the machines in question, without overwriting the existing membership in the Remote Desktop Users group.
Kitsap_Technology (asker)

When I go to "Users and Computers" and I add a group or user to the "Remote Desktop Users" group, 1 minute later those users added into "Remote Desktop Users" are not under Members anymore.
Also, when I try to add "Remote Desktop Users" under "This group is a member of", it cannot resolve that group. I verified that the group was there, but it cannot find it.
LauraEHunterMVP

> "When I go to "Users and Computers" and I add a group or user to the "Remote Desktop Users" group, 1 minute later those users added into "Remote Desktop Users" are not under members anymore. "

This is because you have configured "Remote Desktop Users" as a Restricted Group using the "Members" option, which, as I have described above, is destructive. See the following for more information about how Restricted Groups work: http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

> "Also, when I try to add "Remote Desktop Users" under "this group is a member of" it cannot resolve that group."

Just type it in manually.
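The "Members" versus "Member of" distinction explained above, and the RDPUsers pattern recommended earlier, can both be audited against what a GPO actually carries: Restricted Groups settings are stored in the GPO's GptTmpl.inf under [Group Membership] as `<group>__Members` and `<group>__Memberof` keys. The script below is an added example, not code from this thread; it parses a constructed GptTmpl.inf fragment (CONTOSO and the group names are placeholders) and flags every group that is enforced through a non-empty Members list, which is exactly the setting that keeps emptying the asker's Remote Desktop Users group.

```python
import re
from collections import defaultdict

# Well-known built-in group SIDs (standard Windows values).
WELL_KNOWN = {"S-1-5-32-544": "Administrators", "S-1-5-32-555": "Remote Desktop Users"}

# Constructed GptTmpl.inf fragment (CONTOSO and the group names are placeholders).
# The first two keys reproduce the thread's mistake: an explicit Members list on
# Remote Desktop Users.  The last two are the recommended pattern: a domain group
# configured only as a "Member of" Remote Desktop Users.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = CONTOSO\\Desktop Technicians,CONTOSO\\IT Operations
CONTOSO\\RDPUsers__Memberof = *S-1-5-32-555
CONTOSO\\RDPUsers__Members =
"""

def parse_group_membership(inf_text):
    """Return {group: {"Members": [...], "Memberof": [...]}} from the
    [Group Membership] section. Principals appear as '*SID' or 'DOMAIN\\group'."""
    groups = defaultdict(lambda: {"Members": [], "Memberof": []})
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.match(r"^(.+)__(Members|Memberof)$", key.strip())
        if not m:
            continue
        entries = [e.strip() for e in value.split(",") if e.strip()]
        groups[m.group(1)][m.group(2)].extend(entries)
    return dict(groups)

def display_name(principal):
    """Map a '*SID' principal to its well-known name where we know it."""
    return WELL_KNOWN.get(principal.lstrip("*"), principal)

def find_destructive_rules(inf_text):
    """Groups enforced via a non-empty Members list: on every GP refresh, any
    current member not in that list is removed (the behaviour described above)."""
    return [(display_name(g), [display_name(p) for p in cfg["Members"]])
            for g, cfg in parse_group_membership(inf_text).items() if cfg["Members"]]
```

On a real domain, point it at the GptTmpl.inf under each GPO's MACHINE\Microsoft\Windows NT\SecEdit folder in SYSVOL; any built-in group reported here is one whose local membership will be rewritten at each refresh.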
Kitsap_Technology (asker)

I have removed "Remote Desktop Users" as a Restricted Group, yet the users still do not stay. This also happened when I tried to give myself BUILTIN\Administrators. It stayed for a minute and now is gone.
By the way, I appreciate your patience.
ASKER CERTIFIED SOLUTION by LauraEHunterMVP (this solution is only available to Experts Exchange members)
Kitsap_Technology (asker)

Ok, I went through all of our GPOs. I have removed Restricted Groups from all of them. I did a GPUpdate on the machine, then I went back in and added RDPUsers under restricted users for our server GPO. The users seem to be staying now under RDPUsers, but we still do not have the ability to log in remotely.
Problem solved. I had done the same thing with Administrators on that group and, in an attempt to fix it, just removed Administrators from the Restricted Group. Once I redid Administrators using the correct method listed above, it undid my breaking. Thanks for the help.