Domain User can RDP into Domain Controller?

windows-server-2008 security active-directory remote-desktop group-policy
12,229

Solution 1

There is a built-in group called Remote Desktop Users that can RDP into domain controllers. Check to see which accounts are in that group.

Solution 2

I would run rsop.msc on the domain controller - that will give you a listing of all the settings that are applied via gpo. Check and see if there is a setting defined somewhere that applies. If there is i would move to Group Policy Management Console and run a modeling wizard run. That will tell you what policies are applied where.

Solution 3

Well first off, the ability to remote in is obviously enabled because you normally remote in as a domain admin. The fact that the "Allow log on through Terminal Services" setting is not defined simply means that the setting is not being managed by policy. If you look at the Remote tab of the system properties you'll find that the "Enable Remote Desktop on this computer" setting is checked.

Take a look at the permissions tab of the RDP Protocol in TS Configuration and you'll see the RDP permissions for the RDP protocol on the server. I'm betting you'll find the domain\Remote Desktop Users group in the permissions list with User and Guest access, so check the members of this group and adjust accordingly.

You might find that there's another group with User and Guest access. you'll want to adjust these permissions accordingly.

Share:
12,229
Matt Rogish
Author by

Matt Rogish

I like: Ruby on Rails, Mobile Apps, IT/Strategy, Travel, etc. etc.

Updated on September 17, 2022

Comments

  • Matt Rogish
    Matt Rogish over 1 year

    Vanilla Windows Server 2008 x64 Standard DC (AD, DNS). I was remoting into my DC to do a bit of work and, thru force of habit, logged into the server using a regular domain account, not a domain admin. I was shocked to see that I was able to RDP into this box! Why would that be? I'm looking thru the policy and for Domain Controllers "Allow log on through Terminal Services" is "Not Defined". The user account I was using is not a member of the Domain Admins group. Is there any other policy modeling I can use to figure out why this user account was able to log into a domain controller?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to Apply Computer Configuration Group Policy to a Remote Desk server based on user security group
Installing Terminal Server (Remote Desktop Services) on a Domain Controller (Active Directory)
Users on windows 2008 R2 server cannot change own password
IIS7 give ApplicationPoolIdentity access to a network location
Can't edit Local Security Policy
Remove delete permission for active directory group in Microsoft 2008 Server R2
Default Domain Policy Overriding Custom GPO even though Custom GPO is Enforced
Limit folder size on Windows Server 2008
Group Policy Objects stopped applying to most security groups
connecting ipads to a windows domain