Aug 14 2023 07:57 AM
Hello,
Our cyber team needs remote desktop access to our domain controllers for read purposes. They're part of the built-in "remote desktop users" group, but that doesn't give them RDP access. I thought this group was designed specifically for RDP access to DCs, as it's not available for selection within group policy preferences. When I try to log in as a member of the remote desktop services group I get an error on the DCs:
"To sign in remotely, you need the rights to sign in through Remote Desktop Services. By default, members of the Administrators group have this"
It seems that the built-in "remote desktop users" does nothing by default (?)
I'm planning on adding the remote desktop users group to a domain controller GPO with the setting "Allow log on through Remote Desktop Services". Is this the best way to provide RDP access to the cyber security team?
Also, will using this GPO impact any other settings such as "Allow logon locally"?
Thanks
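Before changing the GPO it helps to see which principals currently hold the RDP-related user rights on a DC, and to confirm that "Allow log on through Remote Desktop Services" and "Allow log on locally" are separate rights. The following PowerShell audit script is an added example, not code from the thread; it assumes it is run elevated on the DC and that `secedit.exe` (shipped with Windows) is available.

```powershell
# Added example (not from the thread): list who holds the logon rights that
# govern RDP and local logon on this machine. Run in an elevated session on the DC.
$cfg = Join-Path $env:TEMP 'logon-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The three user rights relevant to the question. The RDP right and the
# local-logon right are distinct entries, so editing one does not alter the other.
$rights = @{
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
    'SeInteractiveLogonRight'           = 'Allow log on locally'
}

function Resolve-Principal {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; plain account names are written as-is.
    if ($Entry -like '*S-1-*') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Entry   # unresolvable SID (e.g. deleted account): show it raw
        }
    }
    return $Entry
}

foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+LogonRight)\s*=\s*(.*)$' -and $rights.ContainsKey($matches[1])) {
        $name   = $matches[1]
        $values = $matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        "{0} ({1}):" -f $rights[$name], $name
        if (-not $values) { "    <no principals assigned>" }
        foreach ($v in $values) { "    " + (Resolve-Principal $v) }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

A right that is absent from the export has no principals assigned on this machine; compare the output against the Default Domain Controllers Policy before and after editing it.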
Aug 14 2023 09:52 PM - edited Aug 14 2023 09:59 PM
Hi HungryMoo,
I advise:
- only allowing domain administrators to log in to domain controllers
- preventing the use of Remote Desktop to interactively manage domain controllers
- never using the Remote Desktop Users group (in general: never use built-in groups)
- implementing a secure administrative "jump server" architecture
Aug 15 2023 03:02 AM