Solved

Seeing Users Added into 'Select Remote Users' without having been added manually

Posted on 2013-12-09
Last Modified: 2013-12-12
Hi,

I was trying to connect to our domain controller running W2K8 R2. I was unable to access it using an RDP console; it was ping-able on the network.

We connected into it on a console and thought that perhaps we needed to toggle the 'allow remote connections...'. We immediately noticed that there were many users that had somehow been added in as being allowed remote access.

Any ideas as to how these users were somehow added into this and being granted remote access?

I was under the impression that they needed to be added in manually. Is it possible that they somehow were added in automatically as part of a security group that has been granted remote access to this DC?

Any help on this would be greatly appreciated as I have never come across this before.

I dug in a little further and I am seeing this...

The users are all listed in a security group called "Remote Desktop Users" which is a "Security Group - Domain Local" domain local security group.

How is this group adding itself in like that? I thought that you had to manually add users in the "Select Remote Users" box under the 'Remote' tab in 'System Properties'.

Will rebooting the server remove them?

How can we prevent this from happening again?

Thank you for taking the time to respond to this post; it is greatly appreciated.

ElliTech
0
Question by:ellitech
6 Comments
 
LVL 11

Expert Comment

by:BillBondo
ID: 39707025
From what you describe, it sounds like it's correct. They are part of a group allowed RDP. Remove the users from the group if you like.
0
 

Author Comment

by:ellitech
ID: 39707046
This security group was set up to allow users to connect to our Citrix server using an RDP connection. These names have only just now shown up as having been allowed access to this specific server.
How is it that the users are showing up here in the first place?

ElliTech
0
 
LVL 36

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39707126
That is why the users are listed there!

The group is meant to grant access to all domain controllers in the domain.
When you add any users to the "Remote Desktop Users" group in the Built-in AD container, they will be directly added as "remote users" in My Computer Properties \ Remote tab and can connect to any domain controller in the domain.
If you have multiple domain controllers, you will find all those users in the Remote tab of all domain controllers.

Since this group is mapped to the Citrix servers as well, the only way is to map another group for Citrix and add them to that group. Then remove all users from the "Remote Desktop Users" group.
By doing this, only those users and groups who are members of the Built-in Administrators group (the group in the Built-in container) can log on to the DC servers remotely, as this group has default rights for remoting to DC servers regardless of "Remote Desktop Users" group membership.
For example: the Domain Admins group, built-in Administrators, etc.

Mahesh
0
 

Author Comment

by:ellitech
ID: 39708598
I do not believe that these users should be listed in the "Select Remote Users" box under the 'Remote' tab in 'System Properties'. The Remote Desktop Users group has access by default!!

All other users need to be manually added in here!!

They were not there before, but they are now all of a sudden.

Could someone else please explain to me why we are seeing these users listed there now?

ElliTech
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39709648
Is there any group policy defined?
Run Start > Run > rsop.msc
Computer Configuration\Windows Settings\Security Settings\Restricted Groups\
See if any groups are mentioned that are related to Remote Desktop Users.

--

If you wish to restrict remote desktop access to only certain users, you can create a group policy.
Go to: Computer Configuration\Windows Settings\Security Settings\Restricted Groups\
Add a group that contains the users who can use remote desktop.
Later, user membership can be managed through the group for this purpose.
0
 
LVL 36

Accepted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39709883
There is no rocket science in it. It is the default behaviour.

Even if you have a workgroup server, there is a Remote Desktop Users group under local groups.
Just create some test local users on the server.
Then add them to the Remote Desktop Users group under local groups.

Now if you navigate to My Computer Properties \ Remote and go to Select Users, you will find all the added users there in the Remote Desktop Users window.

The same thing is true in the case of domain controllers, and you can view those users on all domain controllers in the given domain.
In fact, if you add any domain group to the Remote Desktop Users group on a DC, then those groups will also be visible in the Remote Desktop Users window.
In fact, it is the graphical representation of the Remote Desktop Users group.

Restricted groups will not help and are not required to control Remote Desktop Users group membership.

If you don't want those users to access the DC but at the same time want to retain their Citrix access, then my earlier comment is the solution for that.

Mahesh
0
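
The remediation described in the answers above (audit the Builtin "Remote Desktop Users" group, move its members to a separate group for Citrix, then empty it), as an added PowerShell example that is not part of the original thread. The group name `Citrix RDP Users`, the OU path and the `-Apply` switch are assumptions made for illustration.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (on a DC or via RSAT).
param([switch]$Apply)   # hypothetical switch: without -Apply the script only reports

Import-Module ActiveDirectory

$BuiltinGroup = 'Remote Desktop Users'          # group in the Builtin container (from the thread)
$NewGroupName = 'Citrix RDP Users'              # hypothetical replacement group for Citrix access
$GroupOU      = 'OU=Groups,DC=example,DC=com'   # placeholder OU, replace with your own

# 1. Audit. Direct members are what the 'Select Remote Users' dialog shows on every DC;
#    -Recursive expands nested groups into the accounts that can actually log on.
$direct    = @(Get-ADGroupMember -Identity $BuiltinGroup)
$effective = @(Get-ADGroupMember -Identity $BuiltinGroup -Recursive)

$direct | Sort-Object objectClass, Name |
    Select-Object Name, SamAccountName, objectClass | Format-Table -AutoSize
Write-Output ("{0} direct member(s), {1} effective account(s) may RDP to the domain controllers" -f `
    $direct.Count, $effective.Count)

if (-not $Apply) {
    Write-Output "Report only. Re-run with -Apply to move the members to '$NewGroupName'."
    return
}

# 2. Create the replacement group if it is missing. DomainLocal matches the scope of
#    the Builtin group, so every existing member type can be copied into it.
if (-not (Get-ADGroup -Filter "Name -eq '$NewGroupName'")) {
    New-ADGroup -Name $NewGroupName -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
}

# 3. Copy the members first, then empty the Builtin group so that only the
#    Administrators groups keep remote logon to the DCs.
if ($direct.Count -gt 0) {
    Add-ADGroupMember    -Identity $NewGroupName -Members $direct
    Remove-ADGroupMember -Identity $BuiltinGroup -Members $direct -Confirm:$false
}

# 4. Verify. The new group must still be granted access on the Citrix servers in
#    whatever way the Builtin group was mapped there (the thread does not say how).
$left = @(Get-ADGroupMember -Identity $BuiltinGroup)
Write-Output ("'{0}' now has {1} direct member(s)" -f $BuiltinGroup, $left.Count)
```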


Question has a verified solution.
