• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6099
  • Last Modified:

Group Policy causing RDP issue

We are following the C.I.S guide for securing our windows 10 desktop. All changes were made in GP and applied to an OU which contained all WIN10 workstations. Recently it was brought to our attention that staff can no longer remote to a workstation, they get the following message:

The system administrator has restricted the types of logon (network or interactive) that you may use. For
assistance, contact your system administrator or technical support

GP  setting: Allow log on through Remote Desktop Services -  Remote desktop users and Administrators
The staff is a member of remote desktop users.

GP setting: Deny log on through Remote Desktop Services - Local accounts + Guests
I don't think domain staff would be consider local accounts

staff is not restrict to log on to any particular workstation. I checked

when I move the workstation out of the OU and the GP is removed, staff can RDP to the workstation with no problems.

For the life of me I can't figure out which setting in the GP is causing the RDP issue.
0
iamuser
Asked:
iamuser
  • 3
  • 3
2 Solutions
 
Jackie ManCommented:
It seems to be that your user account is regarded as a local account.

The denied user group will override remote desktop group.
0
 
CoralonCommented:
That's probably not an RDP setting per-se.. the logon messages for RDP are different..

1. Did you set any policies affecting logon rights (anything in the user rights assignment section)?
2. Can you RDP out of any of those workstations?
3. Do you have the option of listing the policies you set here so we can look at them?

Coralon
0
 
iamuserAuthor Commented:
Being an administrator I can remote out and users can run RDP without problems

users are allow to log on locally - this works fine
allow to Remote desktop users and administrators - allow to connect remotely but users in the Remote desktop group cannot connect.

allow log on through  remote desktop services - Administrators + Remote desktop users

Deny log on through remote desktop services -  Guests + local accounts

above post mentioned 'The denied user group will override remote desktop group'. Would a domain staff account be considered a local account? I can't see that being the case.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
CoralonCommented:
Generally, the domain staff are not local users, so that's why I didn't look at that very deeply.

Can you turn off the deny logon through RDS policy and see if they can then get logged in? (only temporarily, since this is really just for diagnostic info).

A GPResult report for one of those users against one of the problematic servers would be hugely helpful.

Coralon
0
 
iamuserAuthor Commented:
so I finally found the problem. Removing
domain users
group from
"allow access to this computer from the network"
stops SMB connections to local workstations but it also removes the ability to connect via RDP. Once i added domain users group back into the "allow access to this computer from the network", RDP started functioning for users. Thanks for all the input guys
0
 
CoralonCommented:
don't forget to award points :-)

Coralon
0
 
iamuserAuthor Commented:
I found the answer but thanks for the help Coralon
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now