
Remote Desktop Users group membership.

Posted on 2013-10-30
Last Modified: 2013-11-07

If I understand, the Domain Admins group is a member of every local Administrators group on computers that are joined to the domain.

So, if a user is a member of the Domain Admins group, will they be able to RDP to computers in the domain, or will they still have to be added to Remote Desktop Users on the local computers they want to remote to?

The reason I am asking is that I have a user who is a member of Domain Admins; he can remote through RDP to a server and he is not a member of the Remote Desktop Users group on that server.

Any Idea?

Thanks
0
Question by:jskfan
8 Comments
 
LVL 9

Expert Comment

by:stu29
ID: 39612542
An admin does not need to be a member of the RDP group. They are allowed by default. To deny certain admins RDP capabilities you would have to set this up via group policy.
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 39612545
Hi..

The local privilege assignment is what matters here. Check who holds the privilege "log on through terminal services". Local admins will be in there, that's why domain admins are, too.
http://technet.microsoft.com/en-us/library/cc758613(v=ws.10).aspx
0
 
LVL 14

Assisted Solution

by:comfortjeanius
comfortjeanius earned 1000 total points
ID: 39612580
By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to log on remotely to the server.

Adding them to the GPO will only give them authorization to the server, but will not give them permission to authenticate to the RDP-Listener.  You can configure permission for this by

typing windows key + r

type: tsconfig.msc

Click the Security tab on the RDP-Tcp Properties

It should show the groups that should have access.

“Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group.

By adding the user to that GPO they should have access.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 500 total points
ID: 39612858
On the server you need to check the GPO. Is it deployed locally or from the DC? Run rsop.msc and check Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Allow log on through Remote Desktop Services: http://technet.microsoft.com/en-us/library/dn221985.aspx

Check in the policy whether the user is listed, or which groups are configured in the policy. It could be that the user was added to a group which is configured in the policy.

Note: By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to log on remotely to the server. For more, see this: http://social.technet.microsoft.com/Forums/windowsserver/en-US/be63ab4a-49a0-4245-a41b-0fefccaaabb0/domain-normal-user-account-is-not-authorized-to-login-to-dc-via-remote-desktop-even-after-assigned?forum=winserverDS
0
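The user-rights check described in the answer above can also be scripted against a `secedit` export. The following PowerShell is an added example, not part of the original thread; the helper name `Get-RdpLogonRightHolder` and the sample export text are constructed for illustration.

```powershell
# Constructed sample of the file written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# on a server with default settings. A right with no holders (for example
# SeDenyRemoteInteractiveLogonRight) is simply absent from the export.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Get-RdpLogonRightHolder {
    # Hypothetical helper: emits one object per principal that holds the
    # allow or deny variant of "log on through Remote Desktop Services".
    param([Parameter(Mandatory)][string]$InfText)

    $rights = @{
        SeRemoteInteractiveLogonRight     = 'Allow'
        SeDenyRemoteInteractiveLogonRight = 'Deny'
    }
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        if (-not $rights.ContainsKey($name)) { continue }
        foreach ($entry in $Matches[2] -split ',') {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $account = $entry
            if ($entry.StartsWith('*')) {
                # secedit prefixes SIDs with '*'; resolve to a name if possible.
                $sid = $entry.TrimStart('*')
                try {
                    $sidObj  = [System.Security.Principal.SecurityIdentifier]::new($sid)
                    $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $account = $sid }   # unresolvable SID: keep it raw
            }
            [pscustomobject]@{ Type = $rights[$name]; Right = $name; Principal = $account }
        }
    }
}

Get-RdpLogonRightHolder -InfText $sampleInf | Format-Table -AutoSize
```

On the sample this lists the built-in Administrators (S-1-5-32-544) and Remote Desktop Users (S-1-5-32-555) groups as Allow holders. On a live server, pass the real export via `Get-Content -Raw` and expand each listed group with `Get-LocalGroupMember` to see which domain groups inherit the right.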
 

Author Comment

by:jskfan
ID: 39613310
If I understand, you are saying members of the local Administrators group and members of Remote Desktop Users are, by default, able to access the server through an RDP connection.

But what I do not understand is why you would configure the police, since they are already able to RDP to the server.

Thank you
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39613495
Better not configure the police, stick to configuring policies.
Your "phenomenon" has been explained. While explaining, someone told you that to change the behavior - if you wanted to - you would need to modify policies, that's all.
0
 
LVL 14

Accepted Solution

by:comfortjeanius
comfortjeanius earned 1000 total points
ID: 39614133
But What I do not understand, why would you configure the police, since they already are able to RDP to the server.

If you open the RDP-Tcp Properties you will see default groups in this location. The RDP-Listener gives them access to establish a connection.
0
 

Author Closing Comment

by:jskfan
ID: 39631386
Thank you
0
