restricted groups issue

    Question

  • hello!

    I've come across a problem that I cannot explain.

    Here is the scenario:

    The goal is to enforce a policy that controls the local Administrators group on a Windows 2008 R2 SP1 server by GPO. Only one group will be assigned administrator rights, and no other administrator can modify the local Administrators group directly on a server.

    Steps to accomplish that:

    1) created AD group called domain\groupA and added various members to it.

    2) created GPO with below setting:

    Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups -> Group: Builtin\Administrators , Members : domain\groupA

    3) Applied GPO to new Organizational Unit

    4) moved desired computer accounts into newly created OU

    5) ran gpupdate /force on the Windows server whose computer account was moved into the new OU

    6) confirmed that local administrators group indeed had all individual users removed and that only domain\groupA group was present in administrators list.

    Now... I asked users that are members of domain\groupA to log in to a server and to my surprise they received the message below:

    "Connection is denied because the user account is not authorized for remote login".

    In the security log I was able to see Event ID 4825 with the following message:

    A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.

    What am I missing here? I've confirmed that computer accounts have the "read members" right on domain\groupA and that domain\groupA was added by GPO to the local Administrators group.

    Would appreciate your input!

    Monday, October 19, 2015 12:55 PM

All replies

  • Hello,

    Thank you for your post.

    This is a quick note to let you know that we are performing research on this issue.


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, October 21, 2015 5:28 AM
    Moderator
  • Hi,
     
    Have you ever configured the "Allow logon through Remote Desktop Services" group policy?
     
    If yes, please try to add domain\groupA into this group policy list, then try again.
     
    Refer to these articles for more information about this setting:
     
    https://technet.microsoft.com/en-us/library/dn221985.aspx
     
    http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
     

    Regards,

    Ethan Hua


    Wednesday, October 21, 2015 7:25 AM
    Moderator
  • hello,

    thanks for the advice.

    I've confirmed that allow log on through remote desktop services includes administrators group, which domain\groupA is part of.

    Would you know how exactly computer account pulls information from AD around group members?

    Thursday, October 22, 2015 2:01 PM
  • Would you know how exactly computer account pulls information from AD around group members?

    When you join your computer to the domain, the computer gets a computer account in AD and it can use this account to authenticate with other objects like groups in Active Directory. If you want to go deep, you might need to look into the AD authentication process.

    For the RDS connection issue, try adding the group to the “Remote Desktop Users” group instead, then check the result.

    Monday, October 26, 2015 10:24 AM
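The thread checks three separate things by hand: who is in the local Administrators group after the Restricted Groups policy applies, who holds the "Allow log on through Remote Desktop Services" right (SeRemoteInteractiveLogonRight), and whether the group is in Remote Desktop Users or explicitly denied. The script below is an added example, not code from any of the posters; it gathers all three on the affected server in one pass and assumes the group name domain\groupA from the thread (it is run elevated and uses the ADSI WinNT provider and secedit, both available on 2008 R2).

```powershell
# Added diagnostic example (not from the thread). Run elevated on the affected
# server. Group name domain\groupA is the one from the thread; change as needed.
param([string]$DomainGroup = 'domain\groupA')

# 1) Local group members via the ADSI WinNT provider (works on 2008 R2, which
#    lacks Get-LocalGroupMember).
function Get-LocalGroupMembers([string]$GroupName) {
    $group = [ADSI]"WinNT://./$GroupName,group"
    $group.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath looks like WinNT://DOMAIN/groupA ; normalise to DOMAIN\groupA
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# 2) User rights as actually applied on this machine, via a secedit export.
function Get-UserRight([string]$Privilege) {
    $inf = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like "$Privilege = *" }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Values are SIDs prefixed with '*' or plain names; resolve SIDs to names.
    ($line -split '=')[1].Trim() -split ',' | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) {
            try { (New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $v }   # unresolvable SID (e.g. orphaned account): keep raw
        } else { $v }
    }
}

$admins    = Get-LocalGroupMembers 'Administrators'
$rdpUsers  = Get-LocalGroupMembers 'Remote Desktop Users'
$rdpRight  = Get-UserRight 'SeRemoteInteractiveLogonRight'
$denyRight = Get-UserRight 'SeDenyRemoteInteractiveLogonRight'

"Administrators:                    $($admins -join ', ')"
"Remote Desktop Users:              $($rdpUsers -join ', ')"
"SeRemoteInteractiveLogonRight:     $($rdpRight -join ', ')"
"SeDenyRemoteInteractiveLogonRight: $($denyRight -join ', ')"

# Sanity checks matching the thread: the group is in Administrators, Administrators
# still hold the RDP logon right, and the group is not explicitly denied RDP logon.
if ($admins -notcontains $DomainGroup) { Write-Warning "$DomainGroup is not in local Administrators" }
if ($rdpRight -notcontains 'BUILTIN\Administrators') { Write-Warning 'Administrators lack SeRemoteInteractiveLogonRight' }
if ($denyRight -contains $DomainGroup) { Write-Warning "$DomainGroup is explicitly denied RDP logon" }
```

If a domain group shows up in the Administrators list as a raw SID rather than a name, the server cannot resolve it against AD, which is worth checking before anything else in the thread.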