I've set up this GPO:

[Image: capture of the "Group Policy Results" on a given machine from "Group Policy Management" tool]

But the local group stays empty after rebooting / starting a session / calling gpupdate:

[Image: capture of "Local Users And Groups" tool on the same machine]

And so the list of users allowed to use RDP stays empty (until I edit it locally):

[Image: capture of RDP user list]

I don't understand what I'm doing wrong.

  • there is no conflicting GPO
  • there is no filtering of the GPO, it applies to all authenticated users
  • the "Allow Log On Through Remote Services" policy is left untouched, so it defaults to "Administrators + Remote Desktop Users Group"

Additional information

  • The GPO is set up as follows:

[Image: capture of the GPO "Setup Remote Desktop Users Group" settings]

  • Content of GptTmpl.inf matching the current policy (edited the domain name, even though it doesn't really matter...)
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
***\Domain Users__Memberof = *S-1-5-32-555
***\Domain Users__Members =
Additional information (gpsvc.log)

From gpsvc.log, the policy seems to be processed. The log is quite long, I may have missed some information...

GPSVC(174c.3720) 14:37:48:868 ProcessGPO(Machine):
GPSVC(174c.3720) 14:37:48:868 ProcessGPO(Machine):  ==============================
GPSVC(174c.3720) 14:37:48:868 ProcessGPO(Machine):  Searching <cn={33591F18-FA1D-4E9F-807F-2B9EAF614135},cn=policies,cn=system,DC=ad,DC=***,DC=tv>
GPSVC(174c.3720) 14:37:48:869 ProcessGPO(Machine):  Machine has access to this GPO.
GPSVC(174c.3720) 14:37:48:869 ProcessGPO(Machine):  Found common name of:  <{33591F18-FA1D-4E9F-807F-2B9EAF614135}>
GPSVC(174c.3720) 14:37:48:870 ProcessGPO(Machine):  GPO passes the filter check.
GPSVC(174c.3720) 14:37:48:870 ProcessGPO(Machine):  Found functionality version of:  2
GPSVC(174c.3720) 14:37:48:870 ProcessGPO(Machine):  Found file system path of:  <\\ad.***.tv\SysVol\ad.***.tv\Policies\{33591F18-FA1D-4E9F-807F-2B9EAF614135}>
GPSVC(174c.3720) 14:37:48:877 ProcessGPO(Machine):  Found display name of:  <Setup Remote Desktop>
GPSVC(174c.3720) 14:37:48:877 ProcessGPO(Machine):  Found machine version of:  GPC is 52, GPT is 52
GPSVC(174c.3720) 14:37:48:878 ProcessGPO(Machine):  Found flags of:  0
GPSVC(174c.3720) 14:37:48:878 ProcessGPO(Machine):  Found extensions:  [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
GPSVC(174c.3720) 14:37:48:879 ProcessGPO(Machine):  ==============================

Thanks for your help,

Paul Jacamon

  • You need to provide the policy details. Where is it linked?
    – Greg Askew
    Commented Jun 13 at 9:36
  • The policy is inside a "Setup Remote Desktop Group" GPO, linked to the root of the "forest" (We don't have a huge domain, so we actually don't need a lot of specific Organisational Units). Does it answer the question?
    – Paul
    Commented Jun 13 at 10:06
  • Furthermore, the 1st capture is from the "results", so only applied policies are shown
    – Paul
    Commented Jun 13 at 10:10
  • Open the policy in GPMC, take screenshots of the settings and group memberships that you have configured. Also find the policy folder in SYSVOL by the guid, and get the text inf ini file that contains the group memberships.
    – Greg Askew
    Commented Jun 13 at 11:03
  • The GPO setup you have is wrong. The policy needs to be for the Remote Desktop Users group, not Domain Users.
    – Greg Askew
    Commented Jun 13 at 17:10

1 Answer

As Greg Askew said in a comment, your policy is wrong.

You should configure the policy to act on the "Remote Desktop Users" group and add "DOMAINNAME\Domain Users" to it as a member, while instead you are trying to do the exact opposite.

  • This is true and please don’t link the GPO to the root of the forest/domain. Configuring Restricted Groups incorrectly can create significant security concerns. You might consider creating a new security group, adding only the users who need to log in using RDP, and adding the group to Remote Desktop Users. Service accounts and other non-authorized accounts should not be allowed to log in using RDP so you do not want to use Domain Users as the group to add to “Remote Desktop Users”.
    Commented Jun 26 at 22:44
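
An added example (not from the thread and not Microsoft tooling): a small audit of a GptTmpl.inf `[Group Membership]` section that lists every principal the template places into Remote Desktop Users and flags broad ones such as Domain Users, the concern raised in the last comment. The domain name `EXAMPLE`, the group `RDP-Allowed` and the list of "broad" principals are assumptions made for the illustration.

```python
import re

RDP_USERS_SID = "S-1-5-32-555"            # BUILTIN\Remote Desktop Users
BROAD_SIDS = {"S-1-1-0", "S-1-5-11"}      # Everyone, Authenticated Users
BROAD_NAMES = {"domain users", "authenticated users", "everyone"}  # assumed list
ENTRY = re.compile(r"^(.+?)__(Memberof|Members)\s*=\s*(.*)$", re.I)

def parse_group_membership(inf_text):
    """Map each principal in [Group Membership] to its Memberof/Members lists."""
    groups, in_section = {}, False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = ENTRY.match(line) if in_section else None
        if m:
            principal, kind, values = m.groups()
            entry = groups.setdefault(principal.lstrip("*"), {"memberof": [], "members": []})
            entry[kind.lower()] = [v.strip().lstrip("*") for v in values.split(",") if v.strip()]
    return groups

def is_rdp_group(p):
    return p.upper() == RDP_USERS_SID or p.lower().split("\\")[-1] == "remote desktop users"

def is_broad(p):
    # Domain Users is S-1-5-21-<domain>-513; names are matched without the domain prefix.
    return (p.upper() in BROAD_SIDS or re.fullmatch(r"S-1-5-21-[\d-]+-513", p, re.I) is not None
            or p.lower().split("\\")[-1] in BROAD_NAMES)

def audit(inf_text):
    """Return (principal, via, is_broad) for every grant into Remote Desktop Users."""
    findings = []
    for principal, entry in parse_group_membership(inf_text).items():
        if any(is_rdp_group(g) for g in entry["memberof"]):
            findings.append((principal, "Memberof", is_broad(principal)))
        if is_rdp_group(principal):
            findings += [(m, "Members", is_broad(m)) for m in entry["members"]]
    return findings

# Constructed samples: EXAMPLE and RDP-Allowed are placeholder names.
AS_POSTED = r"""[Unicode]
Unicode=yes
[Group Membership]
EXAMPLE\Domain Users__Memberof = *S-1-5-32-555
EXAMPLE\Domain Users__Members =
"""
DEDICATED_GROUP = r"""[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = EXAMPLE\RDP-Allowed
"""

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("dedicated group", DEDICATED_GROUP)):
        print(name, audit(text))
```

Run against copies of the templates under SYSVOL, any finding whose last field is `True` is a template that would open RDP logon to a broad population on every machine the GPO applies to.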
