none
Remote Desktop Users

    Question

  • We have a VM of our Server 2012 DataCenter - We have some remote users who we add to the local "Remote Desktop Users" on the PC - but they disappear after Group Policy is refreshed. How do I track down which group policy is doing this? I've looked at the few we have and there is nothing indicated that would delete the users from the remote desktop group.

    I can supply my group policies as well if you need to see them.

    Wednesday, January 18, 2017 3:30 PM

Answers

  • Hi,

    If you do not change settings in local group policy, it a normal behavior.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by ejc67 Sunday, January 29, 2017 9:50 PM
    Wednesday, January 25, 2017 1:44 AM
    Moderator
  • Thank you for your response Mark - but there is no need to use capital letters to stress your point.  As an FYI - I have resolved the issue before your comment. 
    • Marked as answer by ejc67 Sunday, January 29, 2017 9:50 PM
    Sunday, January 29, 2017 9:49 PM

All replies

  • Am 18.01.2017 um 16:30 schrieb ejc67:
    > How do I track down which group policy is doing this?
     
    create a local gpresult and take a look at security\restricted groups
    and Preferences\local users and groups
     
    ... or someone scripted it.
     
    Tschö
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Wednesday, January 18, 2017 9:37 PM
  • You can use rsop.msc to list the applied GPOs/Settings. You mainly need to look in Restricted Groups GPOs or GPOs with a startup script that might be forcing specific local groups membership.

    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK

    My Website Link

    My Linkedin Profile

    My MVP Profile

    Wednesday, January 18, 2017 11:24 PM
  • Hi,

    I have tested for the case.

    If you configure Restricted group for the computer with remote desktop user group(as mentioned above), it will caused the problem. I suggest you try to run gpresult /h gpreport.html with administrator to check if there is restricted group setting has been applied.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, January 19, 2017 10:58 AM
    Moderator
  • Hi,

    Are there any updates?

    If the replies have resolved your problem, please mark it as answer as it would be helpful to anyone who encounters the similar issue.

    Thank you.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 23, 2017 6:04 AM
    Moderator
  • Hi Jay and everyone else -

    Looks like the Local Group Policy is being denied because it is empty. 

    Tuesday, January 24, 2017 7:50 PM
  • Hi,

    If you do not change settings in local group policy, it a normal behavior.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by ejc67 Sunday, January 29, 2017 9:50 PM
    Wednesday, January 25, 2017 1:44 AM
    Moderator
  • Hi Jay,

    OK - I need to give two employees access to RDP into their PC's from the VPN - we usually go in and add them to the local group "Remote Desktop Users" - that usually does the trick.  But now if we add them - when that GPO refreshes - they are removed from that role. 

    I've even gone in and added them to the domain remote desktop users but that is not working either.  Any thoughts?

    Ed

    Friday, January 27, 2017 9:01 PM
  • Hi,
     
    Am 27.01.2017 um 22:01 schrieb ejc67:
    > [...] But now if we add them - when that GPO refreshes - they are
    > removed from that role. [...] Any thoughts?
     
    Yes, get someone else to solve your problem, you are not able to.
     
    Mr.X, Jay Gu and myself told you what you should be aware and where to
    look for and you do something totally different!?
     
    You have a GROUP POLICY issue. The GP rules the group. So, placing a
    member in the local group or domain group of Remote Desktop Users is
    completly nonsense. Why? Because GROUP POLICY rules members in the Local
    group in your case, which you can proove by gpupdate, what you already
    did on your first post.
     
    That means, "somewhere" inside your ALL OF YOUR Group Policy Objects
    there will be a configuration inside the Restricted Groups or the GPP
    Local Users and Groups, that defines the group.
     
    We can not help you to look inside your GPOs, you need to READ yourself.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Saturday, January 28, 2017 7:42 AM
  • Thank you for your response Mark - but there is no need to use capital letters to stress your point.  As an FYI - I have resolved the issue before your comment. 
    • Marked as answer by ejc67 Sunday, January 29, 2017 9:50 PM
    Sunday, January 29, 2017 9:49 PM
  • Am 29.01.2017 um 22:49 schrieb ejc67:
    > [...] but there is no need to use capital letters to stress your
    > point.
     
    there was ... at least for my personal behalf.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Monday, January 30, 2017 1:42 PM