My RDS 2008 Terminal Server (domain-joined) allows anyone to log in remotely. I am trying to restrict that down to one Security Group: DOMAIN\TerminalServerUsers.
I've been testing with a new user who is only a member of Domain Users.
The Remote tab under Terminal Server shows Domain\Domain Admins and DOMAIN\TerminalServerUsers.
Local Security Policy Allow Logon Through RDS shows Domain\Domain Admins and DOMAIN\TerminalServerUsers.
Local Security Policy Allow Local Login shows Domain\Domain Admins and DOMAIN\TerminalServerUsers.
Local Security Policy Deny Logon Through RDS is blank.
Group Policies do not show alterations to policies relating to RDS.
Where else might I restrict Terminal Server users down to a group?
Have you considered using the Remote Desktop Users local group on the server? You can modify it with a group policy.
One way to add users/groups to Remote Desktop Users manually is (explained in detail here):
Test if it works, and then you may set it with a group policy with SOM only the servers you need to restrict access to. A pretty neat guide is available here.
I figured out the problem. Of course, this is a server I inherited with little information as to how it got into this configuration.
Under the Local Security Policy, "Administrators" was inside Allow Logon Through Remote Desktop Services. The Administrators group on the Terminal Server had Domain Users inside of it. I removed that and scoped it down to Domain Admins and the Terminal Server group I created.
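
The cause found above was a nested membership: a local group holding the logon right contained a much broader domain group. The following is an added example, not part of the original posts, that lists every principal granted "Allow log on through Remote Desktop Services" and expands local groups one level so that kind of nesting is visible. It assumes an elevated PowerShell prompt on the terminal server; the function name `Get-RdpLogonPrincipal` and the temporary file name are hypothetical.

```powershell
# Added example: show who effectively holds "Allow log on through Remote Desktop
# Services" (SeRemoteInteractiveLogonRight), expanding local groups one level.
# Run from an elevated PowerShell prompt on the terminal server.
function Get-RdpLogonPrincipal {
    $cfg = Join-Path $env:TEMP 'user_rights.inf'   # temporary export file (arbitrary name)
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    # Exported line looks like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
    Remove-Item $cfg
    if (-not $line) { return }   # the right is not granted to anyone

    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $name = $entry.Trim()
        if ($name.StartsWith('*')) {
            # Entries prefixed with * are SIDs; resolve them to DOMAIN\name where possible
            $sid = New-Object System.Security.Principal.SecurityIdentifier($name.TrimStart('*'))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid.Value }
        }
        $parts   = $name.Split('\')
        $members = @('(not a local group)')
        # Local groups (BUILTIN\... or <server>\...) are where nested domain groups hide
        if ($parts.Count -eq 2 -and ($parts[0] -eq 'BUILTIN' -or $parts[0] -eq $env:COMPUTERNAME)) {
            try {
                $group   = [ADSI]"WinNT://$env:COMPUTERNAME/$($parts[1]),group"
                $members = @($group.psbase.Invoke('Members') | ForEach-Object {
                    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
                })
                if ($members.Count -eq 0) { $members = @('(empty group)') }
            } catch { $members = @('(not a group or not enumerable)') }
        }
        foreach ($m in $members) {
            New-Object PSObject -Property @{ GrantedTo = $name; Member = $m }
        }
    }
}

Get-RdpLogonPrincipal | Sort-Object GrantedTo, Member | Format-Table GrantedTo, Member -AutoSize
```

In the output, a row such as `BUILTIN\Administrators` with a member path ending in `Domain Users` is the condition described in the answer above. Domain groups are not expanded further, so their membership still has to be reviewed in Active Directory.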