Solved

Apply Remote Desktop & Allow Log on through Terminal Services Policy

Posted on 2013-06-12
Last Modified: 2013-06-18
I created a group policy which I thought would add a group to the Remote Desktop Users on all servers and Allow log on through Terminal Services for group (ISADMIN). I created a new GPO (RemoteDesktopUsers-Servers) and assigned the following settings:

1) Computer Configuration-->Policies-->Windows Settings-->Security Settings --> Local Policies/User Rights Assignment --> Policy Setting

Allow log on through Terminal Services = DomainName\ISADMINS

2) Computer Configuration-->Windows Components-->Remote Desktop Services-->Remote Desktop Session Host/Connections

Allow users to connect remotely using Remote Desktop Services = Enabled

3) Preferences--> Control Panel Settings --> Local Users and Groups --> Group
(Name: Remote Desktop Users (built-in))
Remote Desktop Users (built-in) (Order: 1)
Local Group
Action: Update
Properties
Group name: Remote Desktop Users (built-in)
Delete all member users: Disabled
Delete all member groups: Disabled
Add members: CORE\ISAdmin

See attached policy export.

After this policy was applied to Domain Controllers and our Servers OUs the Domain Administrator was unable to log into the DCs unless added to the ISAdmin group and only the ISAdmin security group was left or shown under the Local Policies on those domain controllers and servers.  The Domain Admin could still log into the other member servers without joining the ISadmins group however.  

Does this policy somehow delete or break the Administrators and Remote Desktop Users Builtin groups permissions to RDP to the DCs and servers?  Do I need to explicitly specify the Administrators and Remote Desktop Users built-ins in the Allow Log On Through Terminal Services and Remote Desktop Users - Local Groups?

Mixed Environment PDC = 2012DC,  DCs are 2008, 2008R2 and 2003R3,  Member servers are also same mix of 2012DC, 2012, 2008, 2008R2 and 2003R2.   Functional Level of forest and domain is 2003.    Recently Promoted 2012DC and assigned all roles.  

Any help would be appreciated.

Thanks
Tom
Question by:schultetg

Accepted Solution

by:
schultetg earned 0 total points
ID: 39241516
I added the Administrators and Remote Desktop Users back to the Allow log on through Terminal Services policy which now allows domain admin to log on to the DCs.
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39242410
Seeing that you already answered your own question..

Yes you need to explicitly allow administrators and domain admins the right to log on through terminal services..
0
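
A user-rights setting defined in a GPO replaces the list on the target machine instead of adding to it, which is why the built-in groups have to be listed explicitly. The following check is an added example, not part of the original posts; the function name `Test-RdpLogonRight` and the domain SID in the sample are constructed for illustration.

```powershell
# Well-known SIDs that normally need to keep the right on member servers.
$RequiredSids = [ordered]@{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-555' = 'BUILTIN\Remote Desktop Users'
}

function Test-RdpLogonRight {
    # Hypothetical helper: inspects security-template (INF) lines for the
    # "Allow log on through Terminal Services" right.
    param([Parameter(Mandatory)][string[]]$InfLines)

    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeRemoteInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) {
        # Not defined: the template leaves the machine's existing assignment alone.
        return [pscustomobject]@{ Defined = $false; Granted = @(); Missing = @() }
    }

    # Value is a comma-separated list; SIDs carry a '*' prefix, unresolved names are bare.
    $granted = @(($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ })
    $missing = @($RequiredSids.Keys |
        Where-Object { $granted -notcontains $_ } |
        ForEach-Object { $RequiredSids[$_] })

    [pscustomobject]@{ Defined = $true; Granted = $granted; Missing = $missing }
}

# Constructed sample resembling the GPO in the question: one domain group only.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@ -split "`r?`n"

$result = Test-RdpLogonRight -InfLines $sample
if ($result.Defined -and $result.Missing) {
    "Policy defines the right but omits: $($result.Missing -join ', ')"
}

# To check a live server (elevated prompt), export its effective rights and parse them:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Test-RdpLogonRight -InfLines (Get-Content "$env:TEMP\rights.inf")
```

Running it against an export taken before linking the GPO and again after `gpupdate` shows whether the built-in groups were dropped from the right.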
 

Author Comment

by:schultetg
ID: 39243024
I guess I misunderstood the definition that the Administrators group and Remote Desktop users had access by default to mean it was implicit and did not need to be explicitly specified in the policy.  

The reason for creating this new policy was due to an anomaly in GP:  the ISAdmins group was a member of the Administrators group but one member recently added to the ISadmins group did not have remote desktop access to any servers (or DCs).  When the user was added to the local remote desktop users group on DCs they obtained access to each DC, but still not able to access any other member servers.   When I removed this new policy from the Servers (and Domain Controllers) OUs the user was now able to access all member servers.  It seems as though a previous policy may have been "hung up" preventing the new user from accessing these member servers (even though they were members of the Administrators group) and the policy somehow reset itself after this new policy was removed, reverting back to the local policy setting (defaulting Administrators & Remote Desktop Users)......  I guess.
0
 

Author Closing Comment

by:schultetg
ID: 39255639
I have not received a more complete explanation
0
