LeChau-1065 asked FanFan-MSFT commented

Deny Interactive Logon GPO NOT-LINKED to the Domain Controllers Container yet being applied!

I have a GPO to deny interactive logon linked to the Servers OU. In the policy, I'm denying interactive logon to an AD group called "Deny interactive logon" (I know, creative).

This policy IS NOT linked to the Domain Controllers OU.

Yet when I put a domain admin in this group, the policy applies and the domain admin CANNOT RDP to the DC.

Troubleshooting steps:
Looked at all GPOs linked to the Domain Controllers container; none has the Deny Interactive Logon setting.
Ran a GPO modeling with the DA account and the DC, exported the report HTML and searched for anything "DENY"; nothing exists in the report with that word.

I'm at a loss here why this is being applied to domain controllers when the GPO is NOT linked to the Domain Controllers container.

Help please!

windows-group-policy

FanFan-MSFT answered

Hi,

When "the domain admin CANNOT RDP to the DC", what's the error message?
Was the domain admin a member of the Administrators group?

Run cmd on the DC as administrator and enter the command: gpresult /h c:\report.html
If possible, please share a screenshot here!

Then check the Default Domain Controllers Policy, under Allow log on through Remote Desktop Services, to see whether the domain admin was added.
By default, only administrators can RDP to the DCs.

Best Regards,

LeChau-1065 answered FanFan-MSFT commented

Here is the error message... a typical deny interactive logon message.

Yes, the Default Domain Controllers Policy has Allow log on through Remote Desktop Services with BUILTIN\Administrators. But for some reason the GPO from the Servers OU (a different OU, not the DC OU) is being applied to the DCs.

I can't run gpresult /h because I can't log in! haha



If I take myself out of the group that the policy is being applied to, then I can log in with no issues.

I'm completely stumped! I checked all the GPOs that trickle down to the Domain Controllers OU to see if there is ANYTHING remotely related to denying RDP... nada!

The only deny RDP is in a GPO linked to the Servers OU. Crazy.


Hi,

"I put a domain admin in this group": what's the account you used? Was it the built-in administrator account or a user you created? Is it in the built-in Administrators group?
Can you check the settings from the local group policy?

If possible, you can share a screenshot here!
Best Regards,


I'm very sorry for the late response.

Turns out that when we go on the DC itself and run GPEDIT.MSC, we found the group was MANUALLY configured there to deny interactive logon... and that's why it was failing even though there was NO GPO being applied.... someone ran some hardening script when the DC was built. Ughhh, thanks so much everyone!


Glad to hear you found the cause!
You can accept your answer as the answer to help more people.
Best Regards,

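The root cause above (a deny-logon right set directly in the DC's local security policy, which neither the GPO links nor a GP modeling report will show) can be checked without waiting for an RDP session to succeed. The PowerShell below is an added example, not code from this thread or from Microsoft; run it elevated on the DC (for instance via a console session or PowerShell remoting) and it exports the effective local user rights with secedit and resolves the principals in each deny-logon right. The temp file path is an assumption.

```powershell
# Added example: list who holds the local "Deny log on ..." user rights on this host.
# secedit exports the effective local security database, so it also shows entries
# set manually via gpedit.msc or a hardening script that no GPO link, gpresult
# report or GP modeling run will ever mention.

$cfg = Join-Path $env:TEMP 'secpol-userrights.inf'   # assumed scratch path
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Rights behind "Deny log on locally", "Deny log on through Remote Desktop Services"
# and "Deny access to this computer from the network".
$denyRights = @(
    'SeDenyInteractiveLogonRight',
    'SeDenyRemoteInteractiveLogonRight',
    'SeDenyNetworkLogonRight'
)

# Exported lines look like: SeDenyInteractiveLogonRight = *S-1-5-21-...-1105,*S-1-5-32-546
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = ($Matches[2] -split ',' |
            Where-Object { $_ } |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }
}

foreach ($right in $denyRights) {
    $names = foreach ($sid in $rights[$right]) {
        try {
            # Resolve the SID to DOMAIN\Name so a "Deny interactive logon" group is obvious.
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $sid   # orphaned or unresolvable SID: keep the raw value for follow-up
        }
    }
    [pscustomobject]@{
        Right      = $right
        Principals = if ($names) { $names -join ', ' } else { '(none)' }
    }
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

If a group appears under SeDenyInteractiveLogonRight or SeDenyRemoteInteractiveLogonRight while no linked GPO defines it, the setting lives in the local policy, exactly the situation resolved in this thread.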