Hi Guys,
Would you please advise whether there is any possibility to apply a restricted RDP GPO only on domain controllers? We would like to control domain controllers via GPO instead of manually adding users into "Remote Desktop Users".
The requirement is that only users who are part of certain groups can access domain controllers; if somebody has added users manually into the built-in "Remote Desktop Users" group, they will be removed automatically.
Please let me know if this is possible. I have tested with Restricted Groups, but things are not working as expected.
Regards
Hi,
Restricted groups are an ideal solution for this scenario. What was the issue you experienced?
You could also look at GPP group management to do the same thing.
Gary.
Hi,
Here is an article that explains how to configure remote desktop access for non-admins. This approach is not using restricted groups, as membership is controlled in the AD group which can only be changed by users that have been granted access.
http://woshub.com/allow-non-administrators-rdp-access-to-domain-controller
This didn't work as documented in my test environment, but mine is not really standard any more. If this doesn't work for you let me know and I can provide the details I used to get it working in my environment.
Gary.
Hello there,
You can try the security groups. Security groups can provide an efficient way to assign access to resources on your network.
You can also configure the "Deny logon locally" user right on the local computer to eliminate the option of logging on one or a few computers.
Group Policy Objects can be configured to restrict privileged access on Domain Controllers. To do this, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Settings\User Rights Assignments. To manage privilege access in GPOs, you must do the following:
Deny network access to the computer
Deny logon as a batch job
Deny logon as a service
Deny logon through Remote Desktop Services
Active Directory security groups https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups
How to restrict use of a computer to one domain user only https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/restrict-use-one-domain-user-only
---------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer–
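Added example, not part of any post in this thread: a Python check over a security template in the [Group Membership] / [Privilege Rights] layout (the sections where a GPO's GptTmpl.inf stores Restricted Groups and user rights), covering the "Remote Desktop Users" membership and the Remote Desktop logon rights discussed above. The sample template, its domain SIDs and the function names are constructed for illustration; real template files are typically UTF-16 encoded and must be decoded before parsing.

```python
import configparser

RDU = "S-1-5-32-555"  # well-known SID of BUILTIN\Remote Desktop Users

# Constructed sample in the [Group Membership] / [Privilege Rights] layout used by
# security templates (GptTmpl.inf, secedit exports). Domain SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-21-1111-2222-3333-1105,*S-1-5-21-1111-2222-3333-1190
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105
"""

def sid_set(value):
    """Split 'a,*b, c' into a set of SIDs/names without the leading '*'."""
    return {v.strip().lstrip("*") for v in (value or "").split(",") if v.strip()}

def audit_template(inf_text, approved):
    """Return findings for the RDP-related settings of one security template."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(inf_text)
    groups = dict(cp["Group Membership"]) if cp.has_section("Group Membership") else {}
    rights = dict(cp["Privilege Rights"]) if cp.has_section("Privilege Rights") else {}
    findings = []
    key = f"*{RDU}__Members"
    if key not in groups:
        findings.append("no Restricted Groups entry: manual additions are not removed")
    members = sid_set(groups.get(key))
    for sid in sorted(members - approved):
        findings.append(f"unapproved member enforced by policy: {sid}")
    allow = rights.get("SeRemoteInteractiveLogonRight")
    if allow is not None and RDU not in sid_set(allow):
        findings.append("allow-RDP right is defined without Remote Desktop Users")
    denied = sid_set(rights.get("SeDenyRemoteInteractiveLogonRight"))
    for sid in sorted(denied & (approved | {RDU})):
        findings.append(f"deny-RDP right overrides access for: {sid}")
    return findings

if __name__ == "__main__":
    for finding in audit_template(SAMPLE_INF, {"S-1-5-21-1111-2222-3333-1105"}):
        print(finding)
```

The second finding type matters on domain controllers: enforcing group membership alone does not grant logon if the template defines the allow right without that group, and a deny right always wins over an allow.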