iamuser
asked on
Group Policy causing RDP issue
We are following the C.I.S guide for securing our windows 10 desktop. All changes were made in GP and applied to an OU which contained all WIN10 workstations. Recently it was brought to our attention that staff can no longer remote to a workstation, they get the following message:
GP setting: Allow log on through Remote Desktop Services - Remote desktop users and Administrators
The staff is a member of remote desktop users.
GP setting: Deny log on through Remote Desktop Services - Local accounts + Guests
I don't think domain staff would be consider local accounts
staff is not restrict to log on to any particular workstation. I checked
when I move the workstation out of the OU and the GP is removed, staff can RDP to the workstation with no problems.
For the life of me I can't figure out which setting in the GP is causing the RDP issue.
The system administrator has restricted the types of logon (network or interactive) that you may use. For
assistance, contact your system administrator or technical support
GP setting: Allow log on through Remote Desktop Services - Remote desktop users and Administrators
The staff is a member of remote desktop users.
GP setting: Deny log on through Remote Desktop Services - Local accounts + Guests
I don't think domain staff would be consider local accounts
staff is not restrict to log on to any particular workstation. I checked
when I move the workstation out of the OU and the GP is removed, staff can RDP to the workstation with no problems.
For the life of me I can't figure out which setting in the GP is causing the RDP issue.
That's probably not an RDP setting per-se.. the logon messages for RDP are different..
1. Did you set any policies affecting logon rights (anything in the user rights assignment section)?
2. Can you RDP out of any of those workstations?
3. Do you have the option of listing the policies you set here so we can look at them?
Coralon
1. Did you set any policies affecting logon rights (anything in the user rights assignment section)?
2. Can you RDP out of any of those workstations?
3. Do you have the option of listing the policies you set here so we can look at them?
Coralon
ASKER
Being an administrator I can remote out and users can run RDP without problems
users are allow to log on locally - this works fine
allow to Remote desktop users and administrators - allow to connect remotely but users in the Remote desktop group cannot connect.
allow log on through remote desktop services - Administrators + Remote desktop users
Deny log on through remote desktop services - Guests + local accounts
above post mentioned 'The denied user group will override remote desktop group'. Would a domain staff account be considered a local account? I can't see that being the case.
users are allow to log on locally - this works fine
allow to Remote desktop users and administrators - allow to connect remotely but users in the Remote desktop group cannot connect.
allow log on through remote desktop services - Administrators + Remote desktop users
Deny log on through remote desktop services - Guests + local accounts
above post mentioned 'The denied user group will override remote desktop group'. Would a domain staff account be considered a local account? I can't see that being the case.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
don't forget to award points :-)
Coralon
Coralon
ASKER
I found the answer but thanks for the help Coralon
The denied user group will override remote desktop group.