Remoter Desktop Services

Question

I am a little bit confused about RDS Remote Desktop features in Windows Server 2019.
I installed RDS on a server member of an AD domain.
I configured my server as an RD session host and created a collection to publish some applications.
If a domain user, let's say, user1@domainname.local attempts to access the server via web connecting to http://servername.domainname.local/rdweb he opens a page with the published applications.
Consider that user1@domainname.local is member of "domain users" and domain users is member of the "remote desktop users" local group of the RDP server.
If the same user attempts to connect via "Remote Desktop" to the RDP server he can logon, start the desktop and run applications.
How can this be possible?
Have I made any mistake?
If this is the standard behavior, what is the reason to public only specific applications?
Regards

Answer 1

Hi @Marius - Roma

Yes if a user is in the Remote Desktop Users group then he can log on, start the desktop and run applications.

By default, members of the Administrators group have this right on domain controllers, workstations, and servers. The Remote Desktops Users group also has this right on workstations and servers.
To control who can open a Remote Desktop Services connection and log on to the device, add users to or remove users from the Remote Desktop Users group.

You can adjust this by using this policy.
Allow log on through Remote Desktop Services
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services

Hope this resolves your Query!!

--------------

--If the reply is helpful, please Upvote and Accept it as an answer--