I created a group policy which I thought would add a group to the Remote Desktop Users on all servers and Allow log on through Terminal Services for group (ISADMIN). I created a new GPO (RemoteDesktopUsers-Servers) and assigned the following settings:
1) Computer Configuration-->Policies-->Windows Settings-->Security Settings --> Local Policies/User Rights Assignment --> Policy Setting
Allow log on through Terminal Services = DomainName\ISADMINS
2) Computer Configuration-->Windows Components-->Remote Desktop Services-->Remote Desktop Session Host/Connections
Allow users to connect remotely using Remote Desktop Services = Enabled
3) Preferences--> Control Panel Settings --> Local Users and Groups --> Group
(Name: Remote Desktop Users (built-in))
Remote Desktop Users (built-in) (Order: 1)
Group name Remote Desktop Users (built-in)
Delete all member users Disabled
Delete all member groups Disabled
See attached policy export.
After this policy was applied to the Domain Controllers and Servers OUs, the Domain Administrator was unable to log into the DCs unless added to the ISAdmin group, and only the ISAdmin security group was left or shown under the Local Policies on those domain controllers and servers. The Domain Admin could still log into the other member servers without joining the ISadmins group, however.
Does this policy somehow delete or break the Administrators and Remote Desktop Users built-in groups' permissions to RDP to the DCs and servers? Do I need to explicitly specify the Administrators and Remote Desktop Users built-ins in the Allow Log On Through Terminal Services and Remote Desktop Users - Local Groups?
Mixed environment: PDC = 2012DC, DCs are 2008, 2008R2 and 2003R3, member servers are also the same mix of 2012DC, 2012, 2008, 2008R2 and 2003R2. Functional level of forest and domain is 2003. Recently promoted 2012DC and assigned all roles.
Any help would be appreciated.
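A check that helps with this kind of question, added here as an example and not part of the original post: a User Rights Assignment defined in a GPO replaces the local list rather than merging with it, so the script below exports the effective local policy on a server with secedit and lists which principals currently hold SeRemoteInteractiveLogonRight (the "Allow log on through Remote Desktop Services" right), flagging whether the default BUILTIN groups are still present. It assumes an elevated PowerShell prompt on the server being checked; the list of "expected" default groups is an assumption for the comparison, not something taken from the post.

```powershell
# Added example: show who effectively holds "Allow log on through Remote Desktop
# Services" on this host, after GPO processing. Run elevated on the server/DC.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The exported line looks like:
#   SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
$line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Host 'No principal holds SeRemoteInteractiveLogonRight on this host.'
    return
}

# Split the SID list and translate each SID to an account name where possible
$holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $sid = $_.Trim().TrimStart('*')
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $sid   # leave unresolvable SIDs (e.g. deleted groups) as raw SIDs
    }
}

# Assumed baseline: the two built-in groups that hold this right by default.
$expected = @('BUILTIN\Administrators', 'BUILTIN\Remote Desktop Users')
$missing  = $expected | Where-Object { $holders -notcontains $_ }

Write-Host "Current holders: $($holders -join ', ')"
if ($missing) {
    Write-Host "Default groups no longer holding the right: $($missing -join ', ')"
}
```

If the output lists only the domain group from the GPO, the policy has replaced the default entries on that host rather than added to them.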