Solved

Remote Desktop Users group membership.

Posted on 2013-10-30
8
846 Views
Last Modified: 2013-11-07
Remote Desktop Users group membership.

If I understand Domain Adminis group is member of every Local Administrators group in computers that are joined to the domain.

So, if a user is member of domain Admins Group, will they be able to RDP to computers in the domain, or they will still have to be added to Remote Desktop Users in the local computers they want to remote to?

The reason I am asking is, I have a user who is member of domain admins , he can remote through RDP to a server and he is not memeber of the Remote desktop Users group on that server.

Any Idea?

Thanks
0
Comment
Question by:jskfan
  • 2
  • 2
  • 2
  • +2
8 Comments
 
LVL 9

Expert Comment

by:stu29
ID: 39612542
An Admin does not need to be a member of the RDP group.  They are allowed by default.  To deny certain Admin's RDP capabilities you would have to set this up via group policy.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 39612545
Hi..

The local privilege assignment is what matters here. Check who holds the privilege "log on through terminal services". Local admins will be in there, that's why domain admins are, too.
http://technet.microsoft.com/en-us/library/cc758613(v=ws.10).aspx
0
 
LVL 14

Assisted Solution

by:comfortjeanius
comfortjeanius earned 250 total points
ID: 39612580
By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to logon remotely to the server.

Adding them to the GPO will only give them authorization to the server, but will not give them permission to authenticate to the RDP-Listener.  You can configure permission for this by

typing windows key + r

type: tsconfig.msc

Click the Security tab on the RDP-Tcp Properties

It should show the groups that should have access.

“Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group.

By adding the user to that GPO they should have access.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 125 total points
ID: 39612858
On the server you need to check the GPO.Is it deployed locally or from DC.Run rsop.msc and check Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Allow log on through Remote Desktop Services:http://technet.microsoft.com/en-us/library/dn221985.aspx

Check in the policy is the user listed or groups which is configured in the policy.It could be that user is added in group which is configured in policy.

Note:By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to logon remotely to the server.More see this:http://social.technet.microsoft.com/Forums/windowsserver/en-US/be63ab4a-49a0-4245-a41b-0fefccaaabb0/domain-normal-user-account-is-not-authorized-to-login-to-dc-via-remote-desktop-even-after-assigned?forum=winserverDS
0
 

Author Comment

by:jskfan
ID: 39613310
if I understand you are saying members of the Local Administrators group and members of the Remote Desktop Users are ,by default, able to access the server through RDP connection.

But What I do not understand, why would you configure the police, since they already are able to RDP to the server.

Thank you
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39613495
Better not configure the police, stick to configuring policies.
Your "phenomenon" has been explained. While explaining, someone told you, to change the behavior - if you wanted to - you would need to modify policies, that's all.
0
 
LVL 14

Accepted Solution

by:
comfortjeanius earned 250 total points
ID: 39614133
But What I do not understand, why would you configure the police, since they already are able to RDP to the server.

If you open the RDP-Tcp Properties you will see default groups in this location.  RDP- Listener gives them access to the establish a connection.
0
 

Author Closing Comment

by:jskfan
ID: 39631386
Thank you
0

Join & Write a Comment

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now