Remote Desktop Users keep being removed

I currently removed a handful of people that had domain admin rights from our Active Directory. I then added those users to the Remote Desktop Users group and then updated Group Policy so that Computer Configuration\Administrative Templates\Windows Components\Terminal Services and enabled "Allow users to connect remotely using Terminal Services". I also went to Computer Configuration\Windows Settings\Security Settings\Restricted Groups and added Remote Desktop Users to the Restricted Group. After doing a GPUpdate /force on the machines, these users still cannot connect. I went back to verify that the users were in the Remote Desktop Users group and I noticed they were gone. I tried to add a user again and after about 1 minute, the user was gone again.
Kitsap_TechnologyAsked:
LauraEHunterMVPCommented:
> "I also went to Computer Configuration\Windows Settings\Security Settings\Restricted Groups and added Remote Desktop Users to the Restricted Group. "

What configuration did you create in the Restricted Groups node? I can almost guarantee you that this is where your issue lies.
0
Kitsap_TechnologyAuthor Commented:
In Restricted Groups, I added "Remote Desktop Users". Once I did that, I did a GPUpdate but the users did not appear in the remote desktop users on the local machine. I then under Members of this group added "Desktop Technicians and IT Operations" (the two groups I need to give access to) and did another GPUpdate and then the users were under the remote desktop users. But now, none of the Domain Admins can remote into machines.
0
LauraEHunterMVPCommented:
> "I then under Members of this group added "Desktop Technicians and IT Operations (the two groups I need to give access to)"

By doing so, Domain Admins is removed from the Remote Desktop Users group every time GP is refreshed. The "Members" function within Restricted Groups is destructive - it will remove all members from the group in question except for those that you have explicitly delineated in the "Members" section.
0
Kitsap_TechnologyAuthor Commented:
So, I need to remove the users from "members" but then the users are not pushed to the machine via Group Policy because the users are not staying in the "remote desktop users" group in AD. How do I get the users to stay there or how do I find out why they are being removed?
0
LauraEHunterMVPCommented:
I'm confused by your description of the problem, and what steps you have taken to resolve it.

You have a number of users whom you would like to add to the Remote Desktop Users group of every machine on your domain, correct?

Create a security group containing those users, let's call it "RDPUsers"

Create a GPO (or modify an existing GPO) and link it to the OU containing the machines that you want these users to be able to RDP into.

Within that GPO, configure "RDPUsers" as a Restricted Group.  Within the "This group is always a member of..." section, add "Remote Desktop Users".

This will add "RDPUsers" to the membership list of Remote Desktop Users for the machines in question, without overwriting the existing membership in the Remote Desktop Users group.
0
Kitsap_TechnologyAuthor Commented:
When I go to "Users and Computers" and I add a group or user to the "Remote Desktop Users" group, 1 minute later those users added into "Remote Desktop Users" are not under members anymore.  
0
Kitsap_TechnologyAuthor Commented:
Also, when I try to add "Remote Desktop Users" under "this group is a member of" it cannot resolve that group.  I verified that the group was there but it cannot find it.
0
LauraEHunterMVPCommented:
> "When I go to "Users and Computers" and I add a group or user to the "Remote Desktop Users" group, 1 minute later those users added into "Remote Desktop Users" are not under members anymore. "

This is because you have configured "Remote Desktop Users" as a Restricted Group using the "Members" option, which as I have described above is destructive.  See the following for more information about how Restricted Groups work: http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

> "Also, when I try to add "Remote Desktop Users" under "this group is a member of" it cannot resolve that group."

Just type it in manually.
0
Kitsap_TechnologyAuthor Commented:
I have removed "Remote Desktop Users" as a Restricted group yet the users still do not stay. This also happened when I tried to give myself builtin\administrators. It stayed for a minute and now is gone.
0
Kitsap_TechnologyAuthor Commented:
By the way, I appreciate your patience.
0
LauraEHunterMVPCommented:
> "This also happened when I tried to give my self builtin\administrators"

Please clarify what this sentence means.

Have you confirmed that there are no other GPOs configured (potentially with Restricted Groups settings) that are affecting the computers/users in question??
0
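One way to carry out the check suggested above (whether any GPO still carries Restricted Groups settings), as an added PowerShell example that is not part of the thread: it parses the `[Group Membership]` section of a GPO security template (`GptTmpl.inf`) and labels each entry as the destructive "Members" option or the additive "This group is a member of" option. The template text, the SIDs and the function name `Get-RestrictedGroupEntry` are constructed for illustration.

```powershell
# Constructed GptTmpl.inf content; the domain SID and RIDs are made up.
# S-1-5-32-555 is BUILTIN\Remote Desktop Users.
$sampleInf = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-21-1111111111-2222222222-3333333333-1106
*S-1-5-21-1111111111-2222222222-3333333333-1107__Memberof = *S-1-5-32-555
*S-1-5-21-1111111111-2222222222-3333333333-1107__Members =
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Get-RestrictedGroupEntry {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Line)

    $inSection = $false
    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Only the [Group Membership] section carries Restricted Groups settings.
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($text -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<value>.*)$') {
            $group = $Matches['group']
            $kind  = $Matches['kind']
            $names = @($Matches['value'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($names.Count -eq 0) { continue }   # entries with no value are skipped in this example

            [pscustomobject]@{
                Group  = $group
                Option = $kind
                Values = $names -join ', '
                Effect = if ($kind -eq 'Members') {
                    'Replaces membership: anyone not listed is removed at each policy refresh'
                } else {
                    'Additive: group is added to the listed groups, existing members are kept'
                }
            }
        }
    }
}

Get-RestrictedGroupEntry -Line ($sampleInf -split '\r?\n') | Format-List
```

To check a real GPO, pass the output of `Get-Content` on that GPO's `Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` under SYSVOL instead of the sample text. A `Members` entry for a built-in group such as Remote Desktop Users or Administrators is the configuration that produced the disappearing members described in this thread.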

Kitsap_TechnologyAuthor Commented:
Ok, I went through all of our GPOs. I have removed restricted groups from all of them. I did a GPUpdate on the machine, then I went back in and added RDPUsers under restricted users for our server GPO. The users seem to be staying now under RDPUsers but we still do not have the ability to log in remotely.
0
Kitsap_TechnologyAuthor Commented:
Problem solved.  I had done the same thing with Administrators on that group and in an attempt to fix it just removed administrators from the restricted group.  Once I redid administrators using the correct method listed above, it fixed undid my breaking.  Thanks for the help.
0