Solved

Group Policy causing RDP issue

Posted on 2016-07-15
7
447 Views
Last Modified: 2016-08-07
We are following the C.I.S guide for securing our windows 10 desktop. All changes were made in GP and applied to an OU which contained all WIN10 workstations. Recently it was brought to our attention that staff can no longer remote to a workstation, they get the following message:

The system administrator has restricted the types of logon (network or interactive) that you may use. For
assistance, contact your system administrator or technical support

GP  setting: Allow log on through Remote Desktop Services -  Remote desktop users and Administrators
The staff is a member of remote desktop users.

GP setting: Deny log on through Remote Desktop Services - Local accounts + Guests
I don't think domain staff would be consider local accounts

staff is not restrict to log on to any particular workstation. I checked

when I move the workstation out of the OU and the GP is removed, staff can RDP to the workstation with no problems.

For the life of me I can't figure out which setting in the GP is causing the RDP issue.
0
Comment
Question by:iamuser
  • 3
  • 3
7 Comments
 
LVL 41

Expert Comment

by:Jackie Man
Comment Utility
It seems to be that your user account is regarded as a local account.

The denied user group will override remote desktop group.
0
 
LVL 23

Expert Comment

by:Coralon
Comment Utility
That's probably not an RDP setting per-se.. the logon messages for RDP are different..

1. Did you set any policies affecting logon rights (anything in the user rights assignment section)?
2. Can you RDP out of any of those workstations?
3. Do you have the option of listing the policies you set here so we can look at them?

Coralon
0
 

Author Comment

by:iamuser
Comment Utility
Being an administrator I can remote out and users can run RDP without problems

users are allow to log on locally - this works fine
allow to Remote desktop users and administrators - allow to connect remotely but users in the Remote desktop group cannot connect.

allow log on through  remote desktop services - Administrators + Remote desktop users

Deny log on through remote desktop services -  Guests + local accounts

above post mentioned 'The denied user group will override remote desktop group'. Would a domain staff account be considered a local account? I can't see that being the case.
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 23

Assisted Solution

by:Coralon
Coralon earned 500 total points
Comment Utility
Generally, the domain staff are not local users, so that's why I didn't look at that very deeply.

Can you turn off the deny logon through RDS policy and see if they can then get logged in? (only temporarily, since this is really just for diagnostic info).

A GPResult report for one of those users against one of the problematic servers would be hugely helpful.

Coralon
0
 

Accepted Solution

by:
iamuser earned 0 total points
Comment Utility
so I finally found the problem. Removing
domain users
group from
"allow access to this computer from the network"
stops SMB connections to local workstations but it also removes the ability to connect via RDP. Once i added domain users group back into the "allow access to this computer from the network", RDP started functioning for users. Thanks for all the input guys
0
 
LVL 23

Expert Comment

by:Coralon
Comment Utility
don't forget to award points :-)

Coralon
0
 

Author Closing Comment

by:iamuser
Comment Utility
I found the answer but thanks for the help Coralon
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

Suggested Solutions

Remote Desktop Shadowing often has a lot of benefits. When helping end users determine problems, it is much easier to see what is going on, what is being slecected and what is being clicked on. While the industry has many products to help with this,…
Resolve DNS query failed errors for Exchange
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now