Group Policy causing RDP issue

Posted on 2016-07-15
Last Modified: 2016-08-07
We are following the C.I.S guide for securing our windows 10 desktop. All changes were made in GP and applied to an OU which contained all WIN10 workstations. Recently it was brought to our attention that staff can no longer remote to a workstation, they get the following message:

The system administrator has restricted the types of logon (network or interactive) that you may use. For
assistance, contact your system administrator or technical support

GP  setting: Allow log on through Remote Desktop Services -  Remote desktop users and Administrators
The staff is a member of remote desktop users.

GP setting: Deny log on through Remote Desktop Services - Local accounts + Guests
I don't think domain staff would be consider local accounts

staff is not restrict to log on to any particular workstation. I checked

when I move the workstation out of the OU and the GP is removed, staff can RDP to the workstation with no problems.

For the life of me I can't figure out which setting in the GP is causing the RDP issue.
Question by:iamuser
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 47

Expert Comment

by:Jackie Man
ID: 41713810
It seems to be that your user account is regarded as a local account.

The denied user group will override remote desktop group.
LVL 25

Expert Comment

ID: 41714928
That's probably not an RDP setting per-se.. the logon messages for RDP are different..

1. Did you set any policies affecting logon rights (anything in the user rights assignment section)?
2. Can you RDP out of any of those workstations?
3. Do you have the option of listing the policies you set here so we can look at them?


Author Comment

ID: 41719651
Being an administrator I can remote out and users can run RDP without problems

users are allow to log on locally - this works fine
allow to Remote desktop users and administrators - allow to connect remotely but users in the Remote desktop group cannot connect.

allow log on through  remote desktop services - Administrators + Remote desktop users

Deny log on through remote desktop services -  Guests + local accounts

above post mentioned 'The denied user group will override remote desktop group'. Would a domain staff account be considered a local account? I can't see that being the case.
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

LVL 25

Assisted Solution

Coralon earned 500 total points
ID: 41722085
Generally, the domain staff are not local users, so that's why I didn't look at that very deeply.

Can you turn off the deny logon through RDS policy and see if they can then get logged in? (only temporarily, since this is really just for diagnostic info).

A GPResult report for one of those users against one of the problematic servers would be hugely helpful.


Accepted Solution

iamuser earned 0 total points
ID: 41729838
so I finally found the problem. Removing
domain users
group from
"allow access to this computer from the network"
stops SMB connections to local workstations but it also removes the ability to connect via RDP. Once i added domain users group back into the "allow access to this computer from the network", RDP started functioning for users. Thanks for all the input guys
LVL 25

Expert Comment

ID: 41734035
don't forget to award points :-)


Author Closing Comment

ID: 41746082
I found the answer but thanks for the help Coralon

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question