cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to enable Remote Desktop on to Domain Controllers for non admins

HungryMoo
Copper Contributor

‎Aug 14 2023 07:57 AM

‎Aug 14 2023 07:57 AM

How to enable Remote Desktop on to Domain Controllers for non admins

Hello,

 Our cyber team needs remote desktop access to our domain controllers for read purposes. They're part of the built-in "remote desktop users" group, but that doesn't give them RDP access. I thought this group was designed specifically for RDP access to DCs as it's not available for selection within group policy preferences. When I try to login as a member of the remote desktop services group I get an error on the DCs:

"To sign in remotely, you need the rights to sign in through Remote Desktop Services. By default, members of the Administrators group have this"

 

It seems that the built-in "remote desktop users" does nothing by default (?)

 

I'm planning on adding the remote desktop users group to a domain controller GPO with the setting "Allow log on through Remote Desktop Services". Is this the best way to provide RDP access to the cyber security team?

 

Also, will using this GPO impact any other settings such as "Allow logon locally"?

 

Thanks

 

 

 

5,081 Views
0 Likes
2 Replies
Reply
2 Replies
MathieuVandenHautte

‎Aug 14 2023 09:52 PM - edited ‎Aug 14 2023 09:59 PM

‎Aug 14 2023 09:52 PM - edited ‎Aug 14 2023 09:59 PM

Re: How to enable Remote Desktop on to Domain Controllers for non admins

Hi HungryMoo,

I advice:
- only allowing domain administrators logging in to domain controllers
- prevent using Remote Desktop to interactively manage domain controllers
- never using the Remote Desktop Users group (in general: never use built-in groups)

- implementing a secure administrative "jump server" architecture

0 Likes
Reply
HungryMoo

‎Aug 15 2023 03:02 AM

‎Aug 15 2023 03:02 AM

Re: How to enable Remote Desktop on to Domain Controllers for non admins

Thanks Mathieu,
"never using the Remote Desktop Users group (in general: never use built-in groups)" - the group is empty by default. The obvious question being, if they're never intended for use, why have them in the first place?
0 Likes
Reply