Windows 7 remote desktop rights

0

This follows from a previous question. I am trying to create a group that will confer (amongst others) the right to connect and log in using the Windows remote desktop. Summarising my results so far:

I create a group and, using gpedit, assign it the right to log on through remote desktop services. Log in fails without creating a remote desktop. The reason given is "insufficient access privileges".

I place the user in the "Remote Desktop Users" group. The user can now log in with a remote desktop.

I remove the "log on through remote desktop services" right from the "Remote Desktop Users" group. A group member can still log in to a remote desktop.

I add the "Deny logon through remote desktop services" attribute to the "Remote Desktop Users" group. A group member can still log on.

I remove the "log on through remote desktop services" from the "Administrators" group. The user "Administrator" can create a remote desktop but not log in. The reason given is "you must be granted the log on through terminal services right".

I assign the right to log on through remote desktop to a specific user that is not a member of the remote desktop users group. That user cannot establish a remote desktop session.

My tentative conclusions:

The "Remote Desktop Users" group is assumed to have all rights needed to connect and log in to a remote desktop. That it actually has these rights is never verified.

Two distinct rights are needed in order to log in with a remote desktop, the right to create a remote desktop session and the right to use it to log in to Windows.

The Administrators group is not assumed to have the log in through remote desktop services right. That right must be explicitly granted. However, it does have the right to establish a remote desktop session.

My question is how can I grant a group, or even a user, the right to establish a remote desktop connection, as distinct from using that connection to log in to Windows?

Chris Barry

Posted 2019-10-03T14:26:35.910

Reputation: 99
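An added example (not part of the question or of any answer on this page): a PowerShell script that reports the actual state behind the symptoms described above on a standalone Windows 7 machine, so each step of the experiment can be checked against what the local security policy really contains. It exports the local policy with `secedit`, lists which principals hold the "Allow log on through Remote Desktop Services" and "Deny log on through Remote Desktop Services" rights, and lists the members of the local Remote Desktop Users group. It assumes an elevated PowerShell prompt; the temporary file path and the two helper function names are my own choices.

```powershell
# Added example, not from the original question or any answer on this page.
# Audit the local Remote Desktop logon rights and Remote Desktop Users
# membership on a standalone Windows 7 machine. Run from an elevated prompt.
# Temp file path and function names are assumptions of this example.

$cfg = Join-Path $env:TEMP 'secpol-export.inf'

# secedit exports the effective local security policy as an INI-style file;
# the [Privilege Rights] section lists each user right and the SIDs holding it.
secedit /export /cfg $cfg /quiet | Out-Null

function Get-PrivilegeHolders {
    param([string]$Path, [string]$Privilege)
    $line = Get-Content $Path | Where-Object { $_ -match "^$Privilege\s*=" }
    if (-not $line) { return @() }                      # right assigned to nobody
    $value = ($line -split '=', 2)[1].Trim()
    if ($value -eq '') { return @() }
    $value -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries look like *S-1-5-32-555; translate the SID to an account name
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }                          # keep the raw SID if translation fails
        } else { $entry }
    }
}

function Get-LocalGroupMembers {
    param([string]$Group)
    # 'net localgroup' works on Windows 7, which lacks Get-LocalGroupMember.
    $out = net localgroup $Group 2>&1
    $members = @(); $inList = $false
    foreach ($l in $out) {
        if ($l -match '^-{5,}') { $inList = $true; continue }   # dashed line precedes the list
        if ($l -match 'completed successfully') { break }
        if ($inList -and $l.Trim() -ne '') { $members += $l.Trim() }
    }
    return $members
}

$allow = @(Get-PrivilegeHolders $cfg 'SeRemoteInteractiveLogonRight')
$deny  = @(Get-PrivilegeHolders $cfg 'SeDenyRemoteInteractiveLogonRight')
$rdu   = @(Get-LocalGroupMembers 'Remote Desktop Users')

"Allow log on through Remote Desktop Services: " + ($allow -join ', ')
"Deny  log on through Remote Desktop Services: " + ($deny  -join ', ')
"Members of Remote Desktop Users:              " + ($rdu   -join ', ')

# Windows applies Deny rights ahead of Allow rights, so a principal listed
# under both is worth flagging when comparing policy with observed behaviour.
foreach ($d in $deny) {
    if ($allow -contains $d) { "NOTE: $d holds both the Allow and the Deny right." }
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

The exported policy is what the machine is actually enforcing after gpedit changes have been applied, so running this after each step of the experiment above shows whether a change was in effect at the time the logon was attempted, rather than only what the console displayed.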

Is this computer a member of a domain? – I say Reinstate Monica – 2019-10-03T14:46:18.467

From a security perspective, if you want a normal user to have remote desktop access rights, they should be a member of the Remote Desktop User usergroup and a member of the User usergroup. If you want an Administrator to have access, then they need to be a member of that group, a member of the Administrator group, and a member of the User user group. Being a member of multiple roles, adding additional permissions, is not unheard of. If you were to have an Audit group, you would add the additional role to the user, by adding them to that group. – Ramhound – 2019-10-03T16:24:14.730

"My question is how can I grant a group, or even a user, the right to establish a remote desktop connection, as distinct from using that connection to log in to Windows?" - Why are you opposed to granting them this permission by adding them to the Remote Desktop User usergroup? – Ramhound – 2019-10-03T16:27:28.490

@Twisty Impersonator No, this is plain Windows 7, SP1 but I think I had a similar situation recently with a Server 2008r2 domain controller. I didn't have time to investigate and simply put each user into the remote desktop group. – Chris Barry – 2019-10-03T21:58:21.460

@Ramhound Essentially aesthetic reasons. A Group should correspond to a role. There should never be a Remote Desktop group as this is not a role, merely an access method. Adding a user to a group should automatically confer all rights required by that role. It is conceivable that a user may have two roles, each of which requires RDP. If that user loses one of these roles how would you know whether or not to remove RDP? I would also like to get a better understanding of how Remote Desktop is implemented. – Chris Barry – 2019-10-03T22:20:04.713

@ChrisBarry - You can be granted the ability to remotely access your desktop without being an Administrator. In fact, that is the entire point of the Remote Desktop User group. Are we talking about a local non-network installation or an installation connected to an Active Directory domain? – Ramhound – 2019-10-03T22:47:54.477

After I did a considerable amount of research on this subject, I am shocked that your Administrators do not already have the permissions required, which indicates one of the required permissions was previously removed. – Ramhound – 2019-10-03T22:47:56.570

No answers