Users are allowed to RDP to a Virtual Machine

Question

I inherited a 2019 server where users are allowed to RDP to a Virtual Machine on the DC host that allows users to remote to the VM.
I cannot see how because the users are a member of the RDS Accounting team but this team does not have Log on Locally rights to the VM.
Remote Desktop Users group does but has no members.

It appears that the last admin attempted to setup RDS but it is not configured.

Is there a registry edit or some other method that would allow this?

Thanks in advance.

Answer 1

To remote into a machine Remote Access has to be turned on. The user must either be in the Administrators group on the local machine or part of the Remote Desktop Users group. My gut instinct is that the user is in a group that is ultimately in the Administrators group on the machine. You can use the Users and Groups UI to find the user and determine what group(s) they are a member of. Alternatively I tend to use a command line tool to dump the group memberships for a user on a particular machine.

Answer 2

Hello @susanb

Are these users who have RDP rights domain users ?

Is the VM on Hyper-V ?

Is there any GPO configured ?
This policy might related:
Computer Configuration -> Windows settings -> Security Settings -> Local policies -> User Rights Assignment Edit "Allow log on through terminal services"

Best Regards
Karlie

----------

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 3

It turns out that Users were allowed log on locally to the VM.
I changed it to Remote Desktop Users.
I hope to change this with installation of RDS.