Solved

Seeing Users Added into 'Select Remote Users' without having been added manually

Posted on 2013-12-09
Last Modified: 2013-12-12
Hi,

I was trying to connect to our domain controller running W2K8 R2 and was unable to access it using an RDP console, although it was pingable on the network.

We connected to it on a console and thought that perhaps we needed to toggle the 'allow remote connections...' setting. We immediately noticed that there were many users that had somehow been added in as being allowed remote access.

Any ideas as to how these users were somehow added into this and being granted remote access?

I was under the impression that they needed to be added in manually, is it possible that they somehow were added in automatically as part of a security group that has been granted remote access to this DC?

Any help on this would be greatly appreciated as I have never come across this before.

I dug in a little further and I am seeing this...

The users are all listed in a security group called "Remote Desktop Users" which is a "Security Group - Domain Local" domain local security group.

How is this group adding itself in like that? I thought that you had to manually add users in the "Select Remote Users" box under the 'Remote' tab in 'System Properties'.

Will rebooting the server remove them?

How can we prevent this from happening again?

Thank-you for taking the time to respond to this post, it is greatly appreciated.

ElliTech
Question by:ellitech
6 Comments
 
LVL 11

Expert Comment

by:BillBondo
ID: 39707025
From what you describe, it sounds like it's correct. They are part of a group allowed RDP. Remove the users from the group if you like.
 

Author Comment

by:ellitech
ID: 39707046
This security group was set up to allow users to connect to our Citrix server using an RDP connection. These names have only just now shown up as having been allowed access to this specific server.
How is it that the users are showing up here in the first place?

ElliTech
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39707126
That is why the users are listed there!

The group is meant to grant access to all domain controllers in the domain.
When you add any users to the "Remote Desktop Users" group in the Built-in AD container, they are directly added as "remote users" in My Computer Properties \ Remote tab and can connect to any domain controller in the domain.
If you have multiple domain controllers, you will find all those users on the Remote tab of every domain controller.

Since this group is mapped to the Citrix servers as well, the only way is to map another group for Citrix and add them to that group. Then remove all users from the "Remote Desktop Users" group.
By doing this, only those users and groups that are members of the Built-in Administrators group (the group in the Built-in container) can log on to the DC remotely, as this group has default rights to remote into DC servers regardless of "Remote Desktop Users" group membership.
For example: the Domain Admins group, Built-in Administrators, etc.

Mahesh

Author Comment

by:ellitech
ID: 39708598
I do not believe that these users should be listed in the "Select Remote Users" box under the 'Remote' tab in 'System Properties'. The Remote Desktop Users group have access by default!!

All other users need to be manually added in here!!

They were not there before, but they are now all of a sudden.

Could someone else please explain to me why we are seeing these users listed there now?

ElliTech
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39709648
Is there any group policy defined?
Run Start > Run > rsop
Computer Configuration\Windows Settings\Security Settings\Restricted Groups\
See if any groups are mentioned that relate to Remote Desktop Users.

--

If you wish to restrict remote desktop access to certain users only, you can create a group policy.
Go to: Computer Configuration\Windows Settings\Security Settings\Restricted Groups\
Add a group that contains the users who can use remote desktop.
Later, user membership can be managed through that group for this purpose.
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39709883
There is no rocket science in it. It is default behaviour.

Even if you have a workgroup server, there is a Remote Desktop Users group under local groups.
Just create some test local users on the server.
Then add them to the Remote Desktop Users group under local groups.

Now if you navigate to My Computer Properties \ Remote and go to Select Users, you will find all the added users there in the Remote Desktop Users window.

The same thing is true in the case of domain controllers, and you can view those users on all domain controllers in the given domain.
In fact, if you add any domain group to the Remote Desktop Users group on a DC, then those groups will also be visible in the Remote Desktop Users window.
In fact, it is the graphical representation of the Remote Desktop Users group.

Restricted Groups will not help and is not required to control Remote Desktop Users group membership.

If you don't want those users to access the DC but at the same time want to retain their Citrix access, then my earlier comment is the solution for that.

Mahesh
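
The audit and the group move described in the two answers above, as an added PowerShell example that is not part of the original thread. The group name `Citrix RDP Users` and the OU path are placeholders, and the script assumes the ActiveDirectory module (RSAT) is available; with no switches it only reports.

```powershell
Import-Module ActiveDirectory
# Added example, not from the thread. 'Citrix RDP Users' and the OU path are
# placeholders; run without switches for a read-only report.
param(
    [string]$CitrixGroup = 'Citrix RDP Users',             # hypothetical name
    [string]$GroupPath   = 'OU=Groups,DC=example,DC=com',  # placeholder OU
    [switch]$Copy,     # copy current members into $CitrixGroup
    [switch]$Remove    # empty the Builtin group (only after Citrix is remapped)
)

# Well-known SID of BUILTIN\Remote Desktop Users (the name can be localized).
$rdu = Get-ADGroup -Identity 'S-1-5-32-555'

# Direct members are what "Select Remote Users" displays on every DC.
$direct    = @(Get-ADGroupMember -Identity $rdu)
# Recursive expansion lists the accounts that inherit membership via groups.
$effective = @(Get-ADGroupMember -Identity $rdu -Recursive)

Write-Host "Direct members: $($direct.Count); effective accounts: $($effective.Count)"
$direct | Sort-Object objectClass, SamAccountName |
    Format-Table SamAccountName, objectClass, distinguishedName -AutoSize

if ($Copy -and $direct.Count -gt 0) {
    $target = Get-ADGroup -Filter "SamAccountName -eq '$CitrixGroup'"
    if (-not $target) {
        # DomainLocal so it can hold users and groups of any scope.
        $target = New-ADGroup -Name $CitrixGroup -SamAccountName $CitrixGroup `
            -GroupScope DomainLocal -GroupCategory Security `
            -Path $GroupPath -PassThru
    }
    # Skip members already present so the script can be re-run safely.
    $have = @(Get-ADGroupMember -Identity $target | ForEach-Object { $_.distinguishedName })
    $new  = @($direct | Where-Object { $have -notcontains $_.distinguishedName })
    if ($new.Count -gt 0) { Add-ADGroupMember -Identity $target -Members $new }
}

if ($Remove -and $direct.Count -gt 0) {
    # Refuse to remove anyone who has not been copied to the new group first.
    $copied  = @(Get-ADGroupMember -Identity $CitrixGroup | ForEach-Object { $_.distinguishedName })
    $missing = @($direct | Where-Object { $copied -notcontains $_.distinguishedName })
    if ($missing.Count -gt 0) {
        $names = ($missing | ForEach-Object { $_.SamAccountName }) -join ', '
        throw "Not yet in '$CitrixGroup': $names"
    }
    Remove-ADGroupMember -Identity $rdu -Members $direct -Confirm:$false
}
```

Run it with `-Copy` first, grant the new group access on the Citrix servers, and only then run it with `-Remove`.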