Vanilla Windows Server 2008 x64 Standard DC (AD, DNS). I was remoting into my DC to do a bit of work and, thru force of habit, logged into the server using a regular domain account, not a domain admin. I was shocked to see that I was able to RDP into this box! Why would that be? I'm looking thru the policy and for Domain Controllers "Allow log on through Terminal Services" is "Not Defined". The user account I was using is not a member of the Domain Admins group. Is there any other policy modeling I can use to figure out why this user account was able to log into a domain controller?
There is a built-in group called Remote Desktop Users that can RDP into domain controllers. Check to see which accounts are in that group.
I would run rsop.msc on the domain controller - that will give you a listing of all the settings that are applied via gpo. Check and see if there is a setting defined somewhere that applies. If there is i would move to Group Policy Management Console and run a modeling wizard run. That will tell you what policies are applied where.
Well first off, the ability to remote in is obviously enabled because you normally remote in as a domain admin. The fact that the "Allow log on through Terminal Services" setting is not defined simply means that the setting is not being managed by policy. If you look at the Remote tab of the system properties you'll find that the "Enable Remote Desktop on this computer" setting is checked.
Take a look at the permissions tab of the RDP Protocol in TS Configuration and you'll see the RDP permissions for the RDP protocol on the server. I'm betting you'll find the domain\Remote Desktop Users group in the permissions list with User and Guest access, so check the members of this group and adjust accordingly.
You might find that there's another group with User and Guest access. you'll want to adjust these permissions accordingly.