Users can log on remotely despite not being in Remote Desktop Users group

I'm trying to lock down my Windows Server 2012 R2 RDS server to a security group. Previously, only members of this security group have been able to log in to the server. However, something has changed and now all users can log on.

We locked this down in the past by adding the security group to System Properties -> Remote Tab as below:

I've double checked local users and groups to see if this has applied to the remote desktop users local group:

Finally, I checked secpol to ensure that there were no unexpected groups in Allow log on through Remote Desktop Services:

I also checked the collection properties to ensure this was locked down correctly:

Is there anywhere else I'm missing? The most confusing part is that this was all working correctly about a week a go - something must have changed to bypass this and allow all users to log on, but I'm not sure what it could be.

I'd really appreciate any help
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

colonytireDirector of TechnologyCommented:
Possibly an overlapping permission setting giving users local Admin rights to the server.
TSC70Author Commented:
I've double checked this in the Administrators group in local users and groups and can't see any indication of this being the case. Also when logging on as a standard user it has no elevated permissions.
Shaun VermaakTechnical SpecialistCommented:
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

TSC70Author Commented:
I've had a look and again there doesn't appear to be anything untoward. We have this setting enabled but as the description says, only users of the Remote Desktop Users group on the target computer should be allowed to connect:

EDIT: just to check further, I removed the affected server from any OUs where group policy is applying and we still get the same issue
bbaoIT ConsultantCommented:
i guess you might have noticed the wording in your first screenshot of RDP options: computers running RDP,  not users. it clearly means any computer having RDP client install can do that.
TSC70Author Commented:
Are you referring to the tickbox for Network Level Authentication? This just means that we only accept RDP clients with NLA, for security reasons.
TSC70Author Commented:
It looks as though the issue was "Authenticated Users" being added to the "Allow log on through Remote Desktop Services" Local Security Setting (as seen in the 4th screenshot). I removed this and it now works as expected.

I'm not sure how this setting got added, that's the next mystery!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Shaun VermaakTechnical SpecialistCommented:
TSC70, this is exactly what RSOP.msc would have shown you
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Remote Access

From novice to tech pro — start learning today.