Active_Directory [SOLVED]: RDP access to domain controllers ("Allow Logon through Terminal Services" GPO)

  • #35915

    Anonymous

    Question

    I have a problem. I set a GPO on the “Domain Controllers” OU with “Allow Logon through Terminal Services”, where I set one user group. I wanted to assign RDP access to a group of technicians. But after that, I lost RDP access to all DCs with accounts in the Administrators group and even with the Domain admin accounts. When I deleted this GPO, it’s not how it used to be. I still can’t log in with these accounts. I have to specify them in this GPO to get the access there. But it’s not set like that with the default Domain Controllers Policy. How can I set it how it was? Thank you…

    #35916

    Anonymous

    Accepted Answer

    User Rights settings remain even when the GPO that configured them no longer applies.

    By default, Domain Controllers have the user right of “Allow log on through Remote Desktop Services” assigned to the Builtin Administrators group. What you did with your GPO was effectively remove the Builtin Administrators group from that user right and you replaced it with your technicians group. Removing or deleting the GPO will not “reset” this user rights assignment back to its default setting.

    There are two ways to fix this:

    1. Apply a Group Policy Object that sets this user right back to the Builtin Administrators group.

    2. Log on to every Domain Controller and set this user right back to its default setting in local Group Policy (secpol.msc).

    In the future, if you want to grant this user right to a group of technicians for the Domain Controllers, either do it in local Group Policy on each Domain Controller or do it with domain-based Group Policy, but make sure to include the Builtin Administrators group in the policy in addition to your technicians group.

    Source: https://serverfault.com/questions/887171/rdp-access-to-domain-controllers-allow-logon-through-terminal-services-gpo
    Author: joeqwerty
    Creative Commons License
    This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
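
A way to check each Domain Controller for the state described in the answer, as an added example that is not part of the original post: it parses a `secedit` user-rights export and reports whether Builtin Administrators (`S-1-5-32-544`) still holds `SeRemoteInteractiveLogonRight`, the right behind "Allow log on through Remote Desktop Services". The function names and the technicians group SID are assumptions made for illustration, and the two sample exports are constructed.

```powershell
# Added example: audit the RDP logon right in a secedit user-rights export.
$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-RdpLogonRightSids {
    param([string[]]$InfLines)
    # Export format: SeRemoteInteractiveLogonRight = *SID1,*SID2
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeRemoteInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }                 # right is assigned to nobody
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $entry.TrimStart('*')              # already a SID
        } elseif ($entry) {
            # Exported as an account name: try to resolve it to a SID
            try {
                [System.Security.Principal.NTAccount]::new($entry).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { $entry }                 # unresolved, keep the raw name
        }
    }
}

function Test-AdminsHaveRdpRight {
    param([string[]]$InfLines)
    @(Get-RdpLogonRightSids -InfLines $InfLines) -contains $AdminsSid
}

function Get-LiveUserRights {
    # Run elevated on the DC: exports the current user rights assignments
    $cfg = Join-Path $env:TEMP 'user_rights_export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg
    $lines
}

# Constructed samples; the S-1-5-21-... SID stands in for the technicians group
$techSid   = '*S-1-5-21-1111111111-2222222222-3333333333-1105'
$afterGpo  = @('[Privilege Rights]', "SeRemoteInteractiveLogonRight = $techSid")
$corrected = @('[Privilege Rights]',
               "SeRemoteInteractiveLogonRight = *S-1-5-32-544,$techSid")

"GPO with technicians only : {0}" -f (Test-AdminsHaveRdpRight -InfLines $afterGpo)
"GPO with both groups      : {0}" -f (Test-AdminsHaveRdpRight -InfLines $corrected)
# On a Domain Controller: Test-AdminsHaveRdpRight -InfLines (Get-LiveUserRights)
```

Running the live check on every Domain Controller after removing or changing the GPO shows which ones still carry the leftover assignment.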
