Solved

Seeing Users Added into 'Select Remote Users' without having been added manually

Posted on 2013-12-09
Last Modified: 2013-12-12
Hi,

I was trying to connect to our domain controller running W2K8 R2. I was unable to access it using an RDP console; it was ping-able on the network.

We connected into it on a console and thought that perhaps we needed to toggle the 'allow remote connections...'. We immediately noticed that there were many users that had somehow been added in as being allowed remote access.

Any ideas as to how these users were somehow added into this and being granted remote access?

I was under the impression that they needed to be added in manually, is it possible that they somehow were added in automatically as part of a security group that has been granted remote access to this DC?

Any help on this would be greatly appreciated as I have never come across this before.
I dug in a little further and I am seeing this...

The users are all listed in a security group called "Remote Desktop Users" which is a "Security Group - Domain Local" domain local security group.

How is this group adding itself in like that? I thought that you had to manually add users in the "Select Remote Users" box under the 'Remote' tab in 'System Properties'.

Will rebooting the server remove them?

How can we prevent this from happening again?

Thank you for taking the time to respond to this post, it is greatly appreciated.

ElliTech
0
Question by:ellitech
6 Comments
 
LVL 11

Expert Comment

by:BillBondo
From what you describe it sounds like it's correct. They are part of a group allowed RDP. Remove the users from the group if you like.
0
 

Author Comment

by:ellitech
This security group was set up to allow users to connect to our Citrix server using an RDP connection. These names have only just now shown up as having been allowed access to this specific server.
How is it that the users are showing up here in the first place?

ElliTech
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
That is why the users are listed there!

The group is meant to grant access to all domain controllers in the domain.
When you add any users to the "Remote Desktop Users" group in the Built-in AD container, they are directly added as "remote users" in My Computer Properties \ Remote tab and can connect to any domain controller in the domain.
If you have multiple domain controllers, you will find all those users on the Remote tab of all domain controllers.

Since this group is mapped to the Citrix servers as well, the only way is to map another group for Citrix and add them to that group. Then remove all users from the "Remote Desktop Users" group.
By doing this, only those users and groups who are members of the Built-in Administrators group (the group in the Built-in container) can log on to the DC servers remotely, as this group has default rights for remoting to DC servers regardless of "Remote Desktop Users" group membership.
For example: the Domain Admins group, built-in Administrators, etc.

Mahesh
0
 

Author Comment

by:ellitech
I do not believe that these users should be listed in the "Select Remote Users" box under the 'Remote' tab in 'System Properties'. The Remote Desktop Users group have access by default!!

All other users need to be manually added in here!!

They were not there before, but they are now all of a sudden.

Could someone else please explain to me why we are seeing these users listed there now?

ElliTech
0
 
LVL 14

Expert Comment

by:Ram Balachandran
Is there any group policy defined?
Run Start > Run > rsop
Computer Configuration\Windows Settings\Security Settings\Restricted Groups\
See if any groups are mentioned related to Remote Desktop Users.

--

If you wish to restrict it so that only certain users can access remote desktop, you can create a group policy.
Go to: Computer Configuration\Windows Settings\Security Settings\Restricted Groups\
Add a group that contains the users who can perform remote desktop.
Later, user membership can be managed through the group for this purpose.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
There is no rocket science in it. It is the default behaviour.

Even if you have a workgroup server, there is a Remote Desktop Users group under local groups.
Just create some test local users on the server.
Then add them to the Remote Desktop Users group under local groups.

Now if you navigate to My Computer Properties \ Remote and go to Select Users, you will find all the added users there in the Remote Desktop Users window.

The same is true for domain controllers, and you can view those users on all domain controllers in the given domain.
In fact, if you add any domain group to the Remote Desktop Users group on a DC, then those groups will also be visible in the Remote Desktop Users window.
In fact, it is the graphical representation of the Remote Desktop Users group.

Restricted groups will not help and are not required to control Remote Desktop Users group membership.

If you don't want those users to access the DC but at the same time want to retain their Citrix access, then my earlier comment is the solution for that.

Mahesh
0
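
An added example, not part of the thread or any poster's script: a PowerShell audit of the domain's built-in Remote Desktop Users group (the list the "Select Users" dialog displays), plus a staged version of the group split described in the answers. The group name `Citrix-RDP-Users` and the `-Apply` switch are assumptions made for illustration; step 3 reads which SIDs hold the "Allow log on through Remote Desktop Services" right on the machine it runs on, since that right together with group membership decides who can actually log on over RDP.

```powershell
# Added example (not from the thread). Run elevated on a DC with the ActiveDirectory module.
param([switch]$Apply)                    # without -Apply nothing is changed
Import-Module ActiveDirectory

$rduSid      = 'S-1-5-32-555'            # well-known SID of BUILTIN\Remote Desktop Users
$citrixGroup = 'Citrix-RDP-Users'        # hypothetical name for the replacement group

# 1. Direct members: the entries the "Select Users" dialog lists on every DC.
$rdu    = Get-ADGroup -Identity $rduSid
$direct = @(Get-ADGroupMember -Identity $rdu)
$direct | Select-Object name, objectClass, distinguishedName | Format-Table -AutoSize

# 2. Effective users once nested groups are expanded.
$effective = @(Get-ADGroupMember -Identity $rdu -Recursive |
               Where-Object { $_.objectClass -eq 'user' })
'{0} direct members, {1} effective users' -f $direct.Count, $effective.Count

# 3. SIDs holding "Allow log on through Remote Desktop Services" on this machine.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight' |
         Select-Object -First 1
Remove-Item $cfg
if ($right) { $right.Line } else { 'SeRemoteInteractiveLogonRight: not assigned' }

# 4. Plan the split: same members in a dedicated group, then empty the built-in one.
foreach ($m in $direct) {
    'PLAN: add {0} to {1}, remove from {2}' -f $m.SamAccountName, $citrixGroup, $rdu.Name
}

if ($Apply -and $direct.Count -gt 0) {
    # Assumes the direct members are users or global groups of this domain.
    if (-not (Get-ADGroup -Filter "Name -eq '$citrixGroup'")) {
        New-ADGroup -Name $citrixGroup -GroupScope Global -GroupCategory Security
    }
    Add-ADGroupMember    -Identity $citrixGroup -Members $direct
    Remove-ADGroupMember -Identity $rdu -Members $direct -Confirm:$false
}
```

The new group still has to be granted access on the Citrix servers before the built-in group is emptied, otherwise those users lose their Citrix sessions.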
