This will probably be easy, but I'd like clarification on the settings for remote desktop. There are a lot of them in the GPOs and a couple on a local server, and I’d like to know when each is required and why not the others, etc. Please clarify when I would want to have the following settings:
1. default domain\windows settings\security settings\user rights assignments
access this computer from the network – admins have this right inherently, right? Do I need to add other groups if not admin to RDP? Unnecessary due to TS setting below?
allow log on locally – is this just required to locally log into any server in domain, or is it needed for RDP as well?
allow log on through terminal services – admins have this inherently, don’t need admin in this, right? All other groups to RDP must be in here if we want that ability domain wide, right?
2. same for default domain controller policy
access this computer from the network – who would need this one – other than admin only, because they have that right on a DC already, right?
allow log on locally – required to log into DC locally, right? other than an admin, right?
allow log on through terminal services – required to RDP into DC through RDP, right?
3. remote desktop users group in computer management on member server
member server - admins have inherent right to terminal in and don't need to be in here - right?
I’d add a group to RDP into this server only here, but that group would need to be in “allow log on through terminal services” in GPO applied to the OU that the server is in, in order to RDP into any server as well, right?
4. member server - system properties - remote tab
who would be required to be in here? Is this same as remote desktop users group on member server above? When is this one needed?
5. Active Directory Built-in Remote Desktop users group
this is just for those to allow RDP into DCs - right?
domain admins have it inherently - don't need to add - right?
6. how do I allow RDP on a member server only while restricting rights to remote into any other server on the domain?