• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1033
  • Last Modified:

Remote Desktop Users group membership.

Remote Desktop Users group membership.

If I understand Domain Adminis group is member of every Local Administrators group in computers that are joined to the domain.

So, if a user is member of domain Admins Group, will they be able to RDP to computers in the domain, or they will still have to be added to Remote Desktop Users in the local computers they want to remote to?

The reason I am asking is, I have a user who is member of domain admins , he can remote through RDP to a server and he is not memeber of the Remote desktop Users group on that server.

Any Idea?

Thanks
0
jskfan
Asked:
jskfan
  • 2
  • 2
  • 2
  • +2
4 Solutions
 
stu29Commented:
An Admin does not need to be a member of the RDP group.  They are allowed by default.  To deny certain Admin's RDP capabilities you would have to set this up via group policy.
0
 
McKnifeCommented:
Hi..

The local privilege assignment is what matters here. Check who holds the privilege "log on through terminal services". Local admins will be in there, that's why domain admins are, too.
http://technet.microsoft.com/en-us/library/cc758613(v=ws.10).aspx
0
 
comfortjeaniusCommented:
By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to logon remotely to the server.

Adding them to the GPO will only give them authorization to the server, but will not give them permission to authenticate to the RDP-Listener.  You can configure permission for this by

typing windows key + r

type: tsconfig.msc

Click the Security tab on the RDP-Tcp Properties

It should show the groups that should have access.

“Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group.

By adding the user to that GPO they should have access.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
SandeshdubeyCommented:
On the server you need to check the GPO.Is it deployed locally or from DC.Run rsop.msc and check Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Allow log on through Remote Desktop Services:http://technet.microsoft.com/en-us/library/dn221985.aspx

Check in the policy is the user listed or groups which is configured in the policy.It could be that user is added in group which is configured in policy.

Note:By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to logon remotely to the server.More see this:http://social.technet.microsoft.com/Forums/windowsserver/en-US/be63ab4a-49a0-4245-a41b-0fefccaaabb0/domain-normal-user-account-is-not-authorized-to-login-to-dc-via-remote-desktop-even-after-assigned?forum=winserverDS
0
 
jskfanAuthor Commented:
if I understand you are saying members of the Local Administrators group and members of the Remote Desktop Users are ,by default, able to access the server through RDP connection.

But What I do not understand, why would you configure the police, since they already are able to RDP to the server.

Thank you
0
 
McKnifeCommented:
Better not configure the police, stick to configuring policies.
Your "phenomenon" has been explained. While explaining, someone told you, to change the behavior - if you wanted to - you would need to modify policies, that's all.
0
 
comfortjeaniusCommented:
But What I do not understand, why would you configure the police, since they already are able to RDP to the server.

If you open the RDP-Tcp Properties you will see default groups in this location.  RDP- Listener gives them access to the establish a connection.
0
 
jskfanAuthor Commented:
Thank you
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 2
  • 2
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now