Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Remote Desktop Users group membership.

Posted on 2013-10-30
8
Medium Priority
?
1,005 Views
Last Modified: 2013-11-07
Remote Desktop Users group membership.

If I understand Domain Adminis group is member of every Local Administrators group in computers that are joined to the domain.

So, if a user is member of domain Admins Group, will they be able to RDP to computers in the domain, or they will still have to be added to Remote Desktop Users in the local computers they want to remote to?

The reason I am asking is, I have a user who is member of domain admins , he can remote through RDP to a server and he is not memeber of the Remote desktop Users group on that server.

Any Idea?

Thanks
0
Comment
Question by:jskfan
  • 2
  • 2
  • 2
  • +2
8 Comments
 
LVL 9

Expert Comment

by:stu29
ID: 39612542
An Admin does not need to be a member of the RDP group.  They are allowed by default.  To deny certain Admin's RDP capabilities you would have to set this up via group policy.
0
 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 39612545
Hi..

The local privilege assignment is what matters here. Check who holds the privilege "log on through terminal services". Local admins will be in there, that's why domain admins are, too.
http://technet.microsoft.com/en-us/library/cc758613(v=ws.10).aspx
0
 
LVL 14

Assisted Solution

by:comfortjeanius
comfortjeanius earned 1000 total points
ID: 39612580
By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to logon remotely to the server.

Adding them to the GPO will only give them authorization to the server, but will not give them permission to authenticate to the RDP-Listener.  You can configure permission for this by

typing windows key + r

type: tsconfig.msc

Click the Security tab on the RDP-Tcp Properties

It should show the groups that should have access.

“Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group.

By adding the user to that GPO they should have access.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 500 total points
ID: 39612858
On the server you need to check the GPO.Is it deployed locally or from DC.Run rsop.msc and check Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Allow log on through Remote Desktop Services:http://technet.microsoft.com/en-us/library/dn221985.aspx

Check in the policy is the user listed or groups which is configured in the policy.It could be that user is added in group which is configured in policy.

Note:By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to logon remotely to the server.More see this:http://social.technet.microsoft.com/Forums/windowsserver/en-US/be63ab4a-49a0-4245-a41b-0fefccaaabb0/domain-normal-user-account-is-not-authorized-to-login-to-dc-via-remote-desktop-even-after-assigned?forum=winserverDS
0
 

Author Comment

by:jskfan
ID: 39613310
if I understand you are saying members of the Local Administrators group and members of the Remote Desktop Users are ,by default, able to access the server through RDP connection.

But What I do not understand, why would you configure the police, since they already are able to RDP to the server.

Thank you
0
 
LVL 57

Expert Comment

by:McKnife
ID: 39613495
Better not configure the police, stick to configuring policies.
Your "phenomenon" has been explained. While explaining, someone told you, to change the behavior - if you wanted to - you would need to modify policies, that's all.
0
 
LVL 14

Accepted Solution

by:
comfortjeanius earned 1000 total points
ID: 39614133
But What I do not understand, why would you configure the police, since they already are able to RDP to the server.

If you open the RDP-Tcp Properties you will see default groups in this location.  RDP- Listener gives them access to the establish a connection.
0
 

Author Closing Comment

by:jskfan
ID: 39631386
Thank you
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question