Windows Server 2016 Remote Desktop Services installation with 3 session host servers, one DC. Clean install from scratch.
Created a single RDS policy which has both user and computer settings; it is being applied to the RDS users group, and also to the session host servers.
My understanding is that the computer policy part of that GP would apply to the session host servers, and the user policies would apply to the users the GP is configured for, i.e. the RDS user group.
However:
If I log onto one of the session host servers with a domain admin account (which is NOT in the RDS user group), I still get all of the RDS user group policy settings applied.
How do I solve that? Do I need to create two policies, one with only computer settings, one with only user settings?
Update:
Link location for the RDS user group policy is the entire domain.
Security filtering:
To make it more clear, objects included in the security filtering are the 3 computer objects for the 3 RDS session hosts, and the RDS user group. Definitely, this security filter does NOT include "Authenticated Users".
UPDATE 2
Running the GP results wizard for one of the affected servers (their names XXSERVER22 ... 24, the domain is called "external") and an administrative user who is definitely not in the user group.
As shown here, two GPOs are applied - the default domain policy which is almost empty (installation default) and the "RDS User Policy".
Security filter shows that the GPO is applied to the 3 servers and the user group.
In the RDS user policy, I have a number of USER settings, for example: User Configuration > Administrative Templates > System > Prevent access to the command prompt
The result of that policy is that when opening a command prompt, the user gets the message "The command prompt has been disabled by your administrator."
The admin user for whom I ran the GP result below, and who is NOT part of the "RDS User Group 1", also gets that "disabled" message when he tries to open a command prompt. When logged on as local admin, this message does not appear. And so it is with all user policies of that GPO.
Applied GPOs
    Default Domain Policy [{31B2F340-016D-11D2-945F-00C04FB984F9}]
    ...
    RDS User Policy [{5E9FA90A-7A2E-4B8D-968A-0C5684020FC6}]
        Link Location
            external.mydomain.com
        Extensions Configured
            802.3 Group Policy
            {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
            Registry
        Enforced
            No
        Disabled
            None
        Security Filters
            EXTERNAL\XSVR24$
            EXTERNAL\XSVR22$
            EXTERNAL\XSVR23$
            EXTERNAL\RDS User Group 1
        Revision
            AD (28), SYSVOL (28)
        WMI Filter