Solved

Remote Desktop Users group membership.

Posted on 2013-10-30
8
866 Views
Last Modified: 2013-11-07
Remote Desktop Users group membership.

If I understand Domain Adminis group is member of every Local Administrators group in computers that are joined to the domain.

So, if a user is member of domain Admins Group, will they be able to RDP to computers in the domain, or they will still have to be added to Remote Desktop Users in the local computers they want to remote to?

The reason I am asking is, I have a user who is member of domain admins , he can remote through RDP to a server and he is not memeber of the Remote desktop Users group on that server.

Any Idea?

Thanks
0
Comment
Question by:jskfan
  • 2
  • 2
  • 2
  • +2
8 Comments
 
LVL 9

Expert Comment

by:stu29
ID: 39612542
An Admin does not need to be a member of the RDP group.  They are allowed by default.  To deny certain Admin's RDP capabilities you would have to set this up via group policy.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 39612545
Hi..

The local privilege assignment is what matters here. Check who holds the privilege "log on through terminal services". Local admins will be in there, that's why domain admins are, too.
http://technet.microsoft.com/en-us/library/cc758613(v=ws.10).aspx
0
 
LVL 14

Assisted Solution

by:comfortjeanius
comfortjeanius earned 250 total points
ID: 39612580
By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to logon remotely to the server.

Adding them to the GPO will only give them authorization to the server, but will not give them permission to authenticate to the RDP-Listener.  You can configure permission for this by

typing windows key + r

type: tsconfig.msc

Click the Security tab on the RDP-Tcp Properties

It should show the groups that should have access.

“Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group.

By adding the user to that GPO they should have access.
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 125 total points
ID: 39612858
On the server you need to check the GPO.Is it deployed locally or from DC.Run rsop.msc and check Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Allow log on through Remote Desktop Services:http://technet.microsoft.com/en-us/library/dn221985.aspx

Check in the policy is the user listed or groups which is configured in the policy.It could be that user is added in group which is configured in policy.

Note:By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to logon remotely to the server.More see this:http://social.technet.microsoft.com/Forums/windowsserver/en-US/be63ab4a-49a0-4245-a41b-0fefccaaabb0/domain-normal-user-account-is-not-authorized-to-login-to-dc-via-remote-desktop-even-after-assigned?forum=winserverDS
0
 

Author Comment

by:jskfan
ID: 39613310
if I understand you are saying members of the Local Administrators group and members of the Remote Desktop Users are ,by default, able to access the server through RDP connection.

But What I do not understand, why would you configure the police, since they already are able to RDP to the server.

Thank you
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39613495
Better not configure the police, stick to configuring policies.
Your "phenomenon" has been explained. While explaining, someone told you, to change the behavior - if you wanted to - you would need to modify policies, that's all.
0
 
LVL 14

Accepted Solution

by:
comfortjeanius earned 250 total points
ID: 39614133
But What I do not understand, why would you configure the police, since they already are able to RDP to the server.

If you open the RDP-Tcp Properties you will see default groups in this location.  RDP- Listener gives them access to the establish a connection.
0
 

Author Closing Comment

by:jskfan
ID: 39631386
Thank you
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question