Restricted RDP GPO for domain controllers

brajkishor Singh 1 Reputation point
2022-09-29T18:06:07.55+00:00

Hi Guys,

Would you please advise whether there is any possibility to apply a restricted RDP GPO only to domain controllers. We would like to control domain controller access via GPO instead of manually adding users into "Remote Desktop Users".

The requirement is that only users who are members of certain groups can access domain controllers; if somebody has manually added users into the built-in "Remote Desktop Users" group, they should be removed automatically.

Please let me know if this is possible. I have tested Restricted Groups, but things are not working as expected.

Regards


3 answers

  1. Gary Reynolds 9,376 Reputation points
    2022-09-29T20:39:06.303+00:00

    Hi,

    Restricted Groups are an ideal solution for this scenario; what was the issue you experienced?

    You could also look at GPP group management to do the same thing.

    Gary.


  2. Gary Reynolds 9,376 Reputation points
    2022-10-01T00:53:04.92+00:00

    Hi,

    Here is an article that explains how to configure remote desktop access for non-admins. This approach does not use Restricted Groups, as membership is controlled by the AD group, which can only be changed by users who have been granted access.

    http://woshub.com/allow-non-administrators-rdp-access-to-domain-controller

    This didn't work as documented in my test environment, but mine is not really standard any more. If this doesn't work for you, let me know and I can provide the details I used to get it working in my environment.

    Gary.


  3. Limitless Technology 43,996 Reputation points
    2022-10-03T07:33:57.637+00:00

    Hello there,

    You can try the security groups. Security groups can provide an efficient way to assign access to resources on your network.

    You can also configure the "Deny log on locally" user right on the local computer to eliminate the option of logging on to one or a few computers.

    Group Policy Objects can be configured to restrict privileged access on Domain Controllers. To do this, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Settings\User Rights Assignments. To manage privileged access in GPOs, you must configure the following:

    Deny network access to the computer
    Deny logon as a batch job
    Deny logon as a service
    Deny logon through Remote Desktop Services

    Active Directory security groups https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups

    How to restrict use of a computer to one domain user only https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/restrict-use-one-domain-user-only

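Whichever of the approaches in this thread is used (Restricted Groups, GPP group management, or the user-rights assignments listed above), the result can be checked on the domain controller itself. The following audit script is an added example, not code from any of the posters or from Microsoft: it exports the effective user rights with secedit, resolves the "Allow/Deny log on through Remote Desktop Services" entries to account names, and reports (optionally removes) any direct member of the built-in "Remote Desktop Users" group other than the approved AD group. The approved group name `DC-RDP-Allowed` is a hypothetical placeholder; the ActiveDirectory module is assumed to be present.

```powershell
# Added audit example (not from the thread). Assumes it runs on a domain controller
# with the ActiveDirectory module; the approved group name below is hypothetical.
param([switch]$Enforce)
Import-Module ActiveDirectory
$ApprovedGroup = 'DC-RDP-Allowed'

# secedit writes rights as "*S-1-5-32-555,..." tokens; turn them back into account names.
function Resolve-Principal([string]$token) {
    $t = $token.TrimStart('*')
    if ($t -match '^S-1-') {
        try { return ([System.Security.Principal.SecurityIdentifier]$t).Translate([System.Security.Principal.NTAccount]).Value }
        catch { return $t }   # unresolvable SID (e.g. deleted account): keep the raw SID
    }
    return $t
}

# 1. Effective user rights on this DC, i.e. the applied GPO result.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null
$rights = @{ SeRemoteInteractiveLogonRight = @(); SeDenyRemoteInteractiveLogonRight = @() }
foreach ($line in Get-Content $inf) {
    if ($line -match '^(SeRemoteInteractiveLogonRight|SeDenyRemoteInteractiveLogonRight)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { Resolve-Principal $_.Trim() })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
"Allow log on through Remote Desktop Services: $($rights.SeRemoteInteractiveLogonRight -join ', ')"
"Deny log on through Remote Desktop Services:  $($rights.SeDenyRemoteInteractiveLogonRight -join ', ')"

# 2. Membership drift: the built-in group should hold only the approved group.
$members = Get-ADGroupMember -Identity 'Remote Desktop Users'
$drift = @($members | Where-Object { $_.objectClass -ne 'group' -or $_.SamAccountName -ne $ApprovedGroup })
foreach ($m in $drift) {
    "Unexpected member of Remote Desktop Users: $($m.SamAccountName) ($($m.objectClass))"
    if ($Enforce) {
        # Mirrors what a Restricted Groups "Members of this group" policy enforces at refresh.
        Remove-ADGroupMember -Identity 'Remote Desktop Users' -Members $m -Confirm:$false
    }
}
if ($drift.Count -eq 0) { "Remote Desktop Users contains only $ApprovedGroup" }
```

Run it without `-Enforce` first to see the drift report; with a working Restricted Groups policy the drift list should be empty after the next Group Policy refresh.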