Users can login to RDS despite 'deny this user permissions to log on to remote desktop session host server' checked in their account

Robert Gijsen 161 Reputation points
2021-01-14T08:52:59.95+00:00

After spending 15 minutes finding the windows-remote-desktop-services tag in this turd of a Technet forums replacement, here I finally am.

We are running several Server 2019 machines with the RDS role, all domain-joined, in an RDS deployment. We've been using this for years (despite OS updates). Our AD runs on two dedicated domain controllers, both also running Server 2019, and the domain functional level is 2016.

In the past we've used the 'Deny this user permissions to log on to Remote Desktop Session Host server' setting on AD accounts to successfully prevent them from logging in to any RDS server. However, yesterday it came to my attention that that's not working anymore. Regardless of whether that setting is checked or not, users can log in to RDS, be it on 2019, 2016 or 2008 R2 (I've got one isolated for one specific application).

Now obviously, because of how an RDS deployment works, a user is actually in the 'Remote Desktop Users' group on a given RDS host (through a group he's a member of). But still, if 'Deny this user permissions to log on to Remote Desktop Session Host server' was checked, in the past that still prevented a user from logging in to RDS.

How do I troubleshoot this, and how is this setting actually supposed to work? As far as I know it just sets a property on the user account and does not actually change anything about permissions as such.


1 answer

  1. Anonymous
    2021-01-15T02:46:47.407+00:00

    Hello @Robert Gijsen

    I think we need to remove that user account from Remote Desktop Users group.
    Also check whether you added the user or group to "Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Terminal Services".

    Here's an explanation given by this doc, but it applies to Windows Server 2008:

    “However, in Windows Server 2008 this setting is checked on a machine that has Remote Desktop Services in Application Mode only. Remote Administration mode won't check this parameter. If you change the Windows Server 2008 server to Remote Desktop Services Application Mode by installing the role, this user won't be denied logon via RDP.”

    They also give a resolution using Group Policy.

    1. Start | Run | Gpedit.msc if editing the local policy, or choose the appropriate policy and edit it.
    2. Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.
    3. Find and double-click "Deny logon through Remote Desktop Services".
    4. Add the user and / or the group that you would like to deny access.
    5. Select ok.
    6. Either run gpupdate /force /target:computer or wait for the next policy refresh for this setting to take effect.

    Reference article:
    Deny log on through Remote Desktop Services

    Best Regards
    Karlie

    ----------

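The following PowerShell script is an added troubleshooting example for the thread above; it is not code from the original poster, the answer, or Microsoft. It checks, on one RD Session Host, the three things the answer talks about: the per-account checkbox (stored in the account's userParameters blob and exposed by the IADsTSUserEx ADSI extension as the AllowLogon property, which needs the RDS/RSAT ADSI extension on the machine you run it from), membership of the local Remote Desktop Users group, and the effective "Deny log on through Remote Desktop Services" user right (SeDenyRemoteInteractiveLogonRight) as exported by secedit. With -Apply it adds the account to that deny right in the local security policy, which is only meaningful if no domain GPO defines the setting (a GPO-defined value overwrites it at the next refresh). The account name and domain DN are placeholders; run it elevated on the RDSH.

```powershell
# Added example, not from the thread. Run elevated on the RD Session Host.
param(
    [string]$SamAccountName = 'jdoe',                      # assumed test account
    [string]$DomainDn       = 'DC=corp,DC=example,DC=com', # assumed domain
    [switch]$Apply                                         # add a local deny right
)

# 1. The ADUC checkbox: IADsTSUserEx.AllowLogon (1 = may log on, 0 = checkbox set).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$DomainDn"
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "Account $SamAccountName not found under $DomainDn" }
$user = $hit.GetDirectoryEntry()
$allowLogon = $user.psbase.InvokeGet('AllowLogon')
$userSid = (New-Object System.Security.Principal.SecurityIdentifier($user.objectSid.Value, 0)).Value
"AD AllowLogon for $SamAccountName = $allowLogon (0 means the deny checkbox is set); SID $userSid"

# 2. Who is in the host's Remote Desktop Users group (well-known SID S-1-5-32-555).
#    Domain groups are listed as Group entries; nested membership is not expanded here.
"Remote Desktop Users on $env:COMPUTERNAME :"
Get-LocalGroupMember -SID 'S-1-5-32-555' | ForEach-Object { "  $($_.ObjectClass) $($_.Name)" }

# 3. Effective logon rights. secedit exports [Privilege Rights] lines such as
#    SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-...
$cfg = Join-Path $env:TEMP 'rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @(($Matches[2] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

function Resolve-Principal([string]$Sid) {
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # unresolvable SIDs (deleted accounts) are printed raw
}
foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $members = @($rights[$right]) | ForEach-Object { Resolve-Principal $_ }
    "$right = $($members -join ', ')"
}

$deny = @($rights['SeDenyRemoteInteractiveLogonRight'])
if ($deny -contains $userSid) {
    "$SamAccountName is explicitly denied RDP logon on this host by user-rights policy."
    return
}
"$SamAccountName is NOT in SeDenyRemoteInteractiveLogonRight; the AD checkbox alone is what is being relied on."

# 4. Optional: enforce the deny in the local security policy via a secedit template.
#    In a domain, prefer the GPO steps from the answer; a GPO-defined value wins on refresh.
if ($Apply) {
    $newDeny = ($deny + $userSid | Select-Object -Unique | ForEach-Object { "*$_" }) -join ','
    $inf = Join-Path $env:TEMP 'deny-rdp.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyRemoteInteractiveLogonRight = $newDeny
"@ | Set-Content -Path $inf -Encoding Unicode
    & secedit.exe /configure /db (Join-Path $env:TEMP 'deny-rdp.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf -ErrorAction SilentlyContinue
    "Added $SamAccountName to SeDenyRemoteInteractiveLogonRight in the local policy; re-run without -Apply to verify."
}
```

Run it first without -Apply to see the three facts side by side: the AD flag value, whether the account reaches Remote Desktop Users through a group, and whether any deny right is actually assigned on the host. If the AllowLogon flag reads 0 yet the logon still succeeds, the user-rights assignment is the control that is actually enforced, which is why the answer's GPO steps fix it regardless of the checkbox.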

