Different GPO/cpu settings for remote desktop - which ones do I need and when?

This will probably be easy, but I'd like clarification on the settings for remote desktop. There are a lot of them in the GPOs and a couple on a local server, and I'd like to know when each is required and why not the others, etc. Please clarify when I would want to have the following settings:

1. Default Domain Policy\Windows Settings\Security Settings\User Rights Assignments
   - Access this computer from the network – admins have this right inherently, right? Do I need to add other groups if not admin to RDP? Unnecessary due to the TS setting below?
   - Allow log on locally – is this just required to locally log into any server in the domain, or is it needed for RDP as well?
   - Allow log on through Terminal Services – admins have this inherently, don't need admin in this, right? All other groups to RDP must be in here if we want that ability domain wide, right?

2. Same for the Default Domain Controller Policy
   - Access this computer from the network – who would need this one, other than admin only, cause they have that right on a DC already, right?
   - Allow log on locally – required to log into a DC locally, right? Other than an admin, right?
   - Allow log on through Terminal Services – required to RDP into a DC, right?

3. Remote Desktop Users group in Computer Management on a member server
   - Member server – admins have the inherent right to terminal in and don't need to be in here, right? I'd add a group to RDP into this server only here, but that group would need to be in "Allow log on through Terminal Services" in the GPO applied to the OU that the server is in, in order to RDP into any server as well, right?

4. Member server – System Properties – Remote tab
   - Who would be required to be in here? Is this the same as the Remote Desktop Users group on the member server above? When is this one needed?

5. Active Directory Built-in Remote Desktop Users group
   - This is just for those to allow RDP into DCs, right?
   - Domain admins have it inherently, don't need to add, right?

6. How do I allow RDP on a member server only while restricting rights to remote into any other server on the domain?
Adam Brown (Sr Solutions Architect) commented:
1. Access remotely is required for RDP, Log on Locally is not. Any groups or users that need access to RDP on the server will need to be assigned the Access remotely and Log in through Terminal Services right. But don't set this in the default domain policy. Create a new GPO and set the permissions with that. You'll also want to link it only to the OUs where those groups specifically need that right or they will be able to access all computers that have RDP enabled.
2. Same as above, don't set in the Default Domain Controller policy.
3. You really don't need to worry about this group if you assign the user right in group policy. The Remote desktop users group is assigned the Allow logon through Remote Desktop right by default, so if you set that right in a GPO, there is no need to add users to this group. You can, however, add users and groups into that local group and not have to worry about setting group policy.
4. The only people that need to be listed there are those who are not members of the Remote Desktop Users group, users that are not admins, and users that don't have the User right assigned to them. If a user meets any of those requirements, they need not be listed.
5. Same as the local group. It's assigned remote desktop login right by default. Can be ignored if you use group policy to assign the right, can be used to avoid having a GPO with user rights assigned.
6. By creating a GPO with the necessary login rights, you can then filter the GPO to allow only one server (or group of servers) to apply the policy. Once done, that will be the only server on the network with the applied permissions for RDP. Other servers can be managed differently, but if you have an additional GPO with RDP permissions set in it, you'll want to deny the server permission to read and apply it.

JodyBear (Author) commented:
1. So if Remote Desktop Users in a member server's Computer Management is just a group I can use to TS into that server, it seems the same as the Remote tab under System Properties functionally. When would you use one over the other? Can you give me an example for each so I can differentiate?

2. Our domain uses the Remote Desktop Users group in Active Directory Users and Computers for access to domain controllers. I thought that group was used for only remote access into a DC? Or does that just seem to be what our network does (guessing perhaps here)?
Adam Brown (Sr Solutions Architect) commented:
1. They're pretty much interchangeable. In fact, the Remote tab box actually adds any user you put in there into the Local Remote Desktop Users group. Adding a user to the Remote Desktop users group will cause them to show up in the Remote tab as well.
2. A lot of the Builtin groups you see in AD are actually there because Domain Controllers don't have local users and groups. So they exist to allow similar functionality for domain controllers. Adding users to the Remote tab on a DC will add them to the Builtin Remote Desktop Users group in AD. To be honest, I would advise against using that group for anything other than access to Domain Controllers because of the security settings that are configured for that group by default.
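To check what the two answers above describe on a real member server (which principals hold the "Access this computer from the network" and "Allow log on through Terminal Services" rights after GPO processing, whether an explicit deny overrides them, and who the Remote tab has placed in the local Remote Desktop Users group), here is an added audit script; it is not from the thread. It assumes an elevated PowerShell 5.1 session on Windows Server 2016 or later (Get-LocalGroupMember is not available on Server 2003) and uses a scratch file path of my own choosing.

```powershell
# Added example (not from the thread): audit effective RDP-related user rights and the
# local "Remote Desktop Users" group on a member server. Run elevated, PowerShell 5.1+.

$inf = Join-Path $env:TEMP 'rights-audit.inf'   # assumed scratch path
# secedit exports the resulting policy; /mergedpolicy folds in domain GPO settings,
# /areas USER_RIGHTS limits the export to the [Privilege Rights] section.
& secedit.exe /export /mergedpolicy /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

function Resolve-SidList {
    param([string]$Value)
    foreach ($token in ($Value -split ',')) {
        $token = $token.Trim()
        if ($token -like '*S-1-*') {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($token.TrimStart('*'))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $token }            # orphaned or foreign-domain SID: keep raw value
        } else { $token }
    }
}

# The rights the thread discusses, plus the explicit deny, which always beats an allow.
$rightsOfInterest = @{
    'SeNetworkLogonRight'               = 'Access this computer from the network'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Terminal Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
}

$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.+)$' -and $rightsOfInterest.ContainsKey($Matches[1])) {
        $rights[$Matches[1]] = @(Resolve-SidList $Matches[2])
    }
}

foreach ($key in $rightsOfInterest.Keys) {
    "{0}:" -f $rightsOfInterest[$key]
    if ($rights.ContainsKey($key)) { $rights[$key] | ForEach-Object { "    $_" } }
    else { "    (not assigned to anyone)" }
}

# The local group that the System Properties Remote tab writes to (answer 2 above).
"Local 'Remote Desktop Users' members:"
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    ForEach-Object { "    {0} ({1})" -f $_.Name, $_.ObjectClass }

Remove-Item $inf -ErrorAction SilentlyContinue
```

A principal that can RDP in must appear under both "Access this computer from the network" and "Allow log on through Terminal Services" (directly or via a group such as Administrators or the local Remote Desktop Users group) and must not appear under the deny right; running this on each server in an OU is a quick way to confirm that a scoped GPO, as described in answer 6, has not leaked RDP rights to servers it was not meant for.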
Windows Server 2003