1

Recently, 3 of my Active Directory admins have been unable to log in to the AD server through RDP.

After we cross-checked everything, we found that these 3 users had been added to a security group called "Deny RDP access". After I removed the users from this group, they are able to log in now.

  1. I just want to check: are there any logs that can give me information about who added these 3 users to this "Deny RDP access" group?

  2. Is this security group (Deny RDP Access) a default one or a created one?

  3. If it's a created one, how do I check who created it?

Thanks, Ram

Akhil RAM

1 Answer

0

This doesn't seem to be a built-in group, so it was likely created by somebody and associated with the group policy setting that denies users access via RDP.

The only way you can find out who created that group is:

  • If you are auditing group changes
  • If the event log still has the event and hasn't been overwritten

You also didn't mention whether it's a domain or a local group. If it's a domain group, then the event you are looking for is here:

https://system32.eventsentry.com/security/event/4727

That page also shows you what auditing needs to be enabled in order to get this event in the first place.

Lucky Luke
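The lookup described in the answer can be scripted. This is an added example, not part of the original answer: it goes beyond the linked event 4727 (global group created) to also cover the local and universal group creation events and the matching "member added" events, which addresses the first question as well. The function name `Get-GroupChangeAudit` is hypothetical, the group name is taken from the question, and it assumes the "Audit Security Group Management" subcategory was enabled when the changes happened and that the events have not yet been overwritten.

```powershell
# Added example: search the Security log for the creation of, and member
# additions to, a named security group. Run elevated. For a domain group, the
# event is recorded on the domain controller that processed the change, so
# repeat the query against each DC.
function Get-GroupChangeAudit {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Security-enabled group events: group created / member added
    $eventMeaning = @{
        4727 = 'Global group created'
        4728 = 'Member added to global group'
        4731 = 'Local group created'
        4732 = 'Member added to local group'
        4754 = 'Universal group created'
        4756 = 'Member added to universal group'
    }

    $filter = @{ LogName = 'Security'; Id = [int[]]@($eventMeaning.Keys) }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
        ForEach-Object {
            # Flatten the named <Data> fields of the event into a lookup table
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }

            # TargetUserName holds the group name in these events
            if ($data['TargetUserName'] -eq $GroupName) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    EventId     = $_.Id
                    Action      = $eventMeaning[$_.Id]
                    Group       = $data['TargetUserName']
                    Member      = $data['MemberName']   # empty for "created" events
                    ChangedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    LoggedOn    = $_.MachineName
                }
            }
        }
}

Get-GroupChangeAudit -GroupName 'Deny RDP access' |
    Sort-Object TimeCreated | Format-Table -AutoSize
```

`ChangedBy` is the account recorded as the subject of the event, which is the account that created the group or added the member. If the query returns nothing, either auditing was not enabled at the time or the log has already rolled over.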