We are following the C.I.S guide for securing our windows 10 desktop. All changes were made in GP and applied to an OU which contained all WIN10 workstations. Recently it was brought to our attention that staff can no longer remote to a workstation, they get the following message:
The system administrator has restricted the types of logon (network or interactive) that you may use. For
assistance, contact your system administrator or technical support
GP setting: Allow log on through Remote Desktop Services - Remote desktop users and Administrators
The staff is a member of remote desktop users.
GP setting: Deny log on through Remote Desktop Services - Local accounts + Guests
I don't think domain staff would be consider local accounts
staff is not restrict to log on to any particular workstation. I checked
when I move the workstation out of the OU and the GP is removed, staff can RDP to the workstation with no problems.
For the life of me I can't figure out which setting in the GP is causing the RDP issue.