Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Group Policy causing RDP issue

Posted on 2016-07-15
Medium Priority
Last Modified: 2016-08-07
We are following the C.I.S guide for securing our windows 10 desktop. All changes were made in GP and applied to an OU which contained all WIN10 workstations. Recently it was brought to our attention that staff can no longer remote to a workstation, they get the following message:

The system administrator has restricted the types of logon (network or interactive) that you may use. For
assistance, contact your system administrator or technical support

GP  setting: Allow log on through Remote Desktop Services -  Remote desktop users and Administrators
The staff is a member of remote desktop users.

GP setting: Deny log on through Remote Desktop Services - Local accounts + Guests
I don't think domain staff would be consider local accounts

staff is not restrict to log on to any particular workstation. I checked

when I move the workstation out of the OU and the GP is removed, staff can RDP to the workstation with no problems.

For the life of me I can't figure out which setting in the GP is causing the RDP issue.
Question by:iamuser
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 49

Expert Comment

by:Jackie Man
ID: 41713810
It seems to be that your user account is regarded as a local account.

The denied user group will override remote desktop group.
LVL 25

Expert Comment

ID: 41714928
That's probably not an RDP setting per-se.. the logon messages for RDP are different..

1. Did you set any policies affecting logon rights (anything in the user rights assignment section)?
2. Can you RDP out of any of those workstations?
3. Do you have the option of listing the policies you set here so we can look at them?


Author Comment

ID: 41719651
Being an administrator I can remote out and users can run RDP without problems

users are allow to log on locally - this works fine
allow to Remote desktop users and administrators - allow to connect remotely but users in the Remote desktop group cannot connect.

allow log on through  remote desktop services - Administrators + Remote desktop users

Deny log on through remote desktop services -  Guests + local accounts

above post mentioned 'The denied user group will override remote desktop group'. Would a domain staff account be considered a local account? I can't see that being the case.
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

LVL 25

Assisted Solution

Coralon earned 2000 total points
ID: 41722085
Generally, the domain staff are not local users, so that's why I didn't look at that very deeply.

Can you turn off the deny logon through RDS policy and see if they can then get logged in? (only temporarily, since this is really just for diagnostic info).

A GPResult report for one of those users against one of the problematic servers would be hugely helpful.


Accepted Solution

iamuser earned 0 total points
ID: 41729838
so I finally found the problem. Removing
domain users
group from
"allow access to this computer from the network"
stops SMB connections to local workstations but it also removes the ability to connect via RDP. Once i added domain users group back into the "allow access to this computer from the network", RDP started functioning for users. Thanks for all the input guys
LVL 25

Expert Comment

ID: 41734035
don't forget to award points :-)


Author Closing Comment

ID: 41746082
I found the answer but thanks for the help Coralon

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question