Group Policy causing RDP issue

Posted on 2016-07-15
Last Modified: 2016-08-07
We are following the C.I.S guide for securing our windows 10 desktop. All changes were made in GP and applied to an OU which contained all WIN10 workstations. Recently it was brought to our attention that staff can no longer remote to a workstation, they get the following message:

The system administrator has restricted the types of logon (network or interactive) that you may use. For
assistance, contact your system administrator or technical support

GP  setting: Allow log on through Remote Desktop Services -  Remote desktop users and Administrators
The staff is a member of remote desktop users.

GP setting: Deny log on through Remote Desktop Services - Local accounts + Guests
I don't think domain staff would be consider local accounts

staff is not restrict to log on to any particular workstation. I checked

when I move the workstation out of the OU and the GP is removed, staff can RDP to the workstation with no problems.

For the life of me I can't figure out which setting in the GP is causing the RDP issue.
Question by:iamuser
  • 3
  • 3
LVL 44

Expert Comment

by:Jackie Man
ID: 41713810
It seems to be that your user account is regarded as a local account.

The denied user group will override remote desktop group.
LVL 25

Expert Comment

ID: 41714928
That's probably not an RDP setting per-se.. the logon messages for RDP are different..

1. Did you set any policies affecting logon rights (anything in the user rights assignment section)?
2. Can you RDP out of any of those workstations?
3. Do you have the option of listing the policies you set here so we can look at them?


Author Comment

ID: 41719651
Being an administrator I can remote out and users can run RDP without problems

users are allow to log on locally - this works fine
allow to Remote desktop users and administrators - allow to connect remotely but users in the Remote desktop group cannot connect.

allow log on through  remote desktop services - Administrators + Remote desktop users

Deny log on through remote desktop services -  Guests + local accounts

above post mentioned 'The denied user group will override remote desktop group'. Would a domain staff account be considered a local account? I can't see that being the case.
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

LVL 25

Assisted Solution

Coralon earned 500 total points
ID: 41722085
Generally, the domain staff are not local users, so that's why I didn't look at that very deeply.

Can you turn off the deny logon through RDS policy and see if they can then get logged in? (only temporarily, since this is really just for diagnostic info).

A GPResult report for one of those users against one of the problematic servers would be hugely helpful.


Accepted Solution

iamuser earned 0 total points
ID: 41729838
so I finally found the problem. Removing
domain users
group from
"allow access to this computer from the network"
stops SMB connections to local workstations but it also removes the ability to connect via RDP. Once i added domain users group back into the "allow access to this computer from the network", RDP started functioning for users. Thanks for all the input guys
LVL 25

Expert Comment

ID: 41734035
don't forget to award points :-)


Author Closing Comment

ID: 41746082
I found the answer but thanks for the help Coralon

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question