I have 100+ servers, I have added a Universal AD group to the local servers' Administrators group based on the server's name. Within this AD group I have nested various AD groups as is appropriate for that server's usage. However I am discovering on a small subset of servers (of which I can NOT discern any connection either by Server OS, app, etc.) I have issues with users assigned to the nested AD groups not being able to remote in. They can log in via the console, but RDP fails. Now if they are explicitly added to the local server's Administrators group, they can RDP in. The issue is random in that it affects different users on different servers. I have discovered no discernible pattern. Example: User A and B are in the same AD group, User A can RDP to Server 1/2/3 with no issues. But he has issues with Server 4. User B can RDP in to 2/3/4, but has issues with 1. There are no implicit denies in play, the servers are the same OS (2016). If I add their individual accounts to the appropriate server's Administrators group they can RDP right in.
- If they log on at the console, does `whoami /groups` show the universal access group? – Greg Askew Oct 07 '20 at 15:35
- Yes, it does. I am starting to wonder if it may be token bloat; that may explain its randomness. – Stephen Oct 07 '20 at 16:40
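An added example (not from the question or the comments) that turns the `whoami /groups` check from the thread into a small script: it parses the CSV form of that output, reports whether the expected server-admin group and BUILTIN\Administrators are present in the logon token, and counts group SIDs as a rough token-bloat signal. The group names, SIDs and sample rows are constructed placeholders, and the 120-group warning threshold is an assumption to tune locally.

```powershell
# Added example: check a logon token (output of `whoami /groups /fo csv`) for
# the server-specific universal group and for BUILTIN\Administrators, and
# count group SIDs as a coarse token-bloat indicator.
function Test-AdminTokenGroups {
    param(
        [Parameter(Mandatory)] [string[]] $WhoamiCsv,     # lines from: whoami /groups /fo csv
        [Parameter(Mandatory)] [string]   $ExpectedGroup, # e.g. 'CONTOSO\SRV-FILE01-Admins' (placeholder)
        [int] $WarnAtGroups = 120                         # assumed threshold, tune locally
    )
    $groups = @($WhoamiCsv | ConvertFrom-Csv)

    # Name match for the universal group; SID match for the local Administrators alias
    $hasExpected  = [bool]($groups | Where-Object { $_.'Group Name' -eq $ExpectedGroup })
    $hasLocalAdmin = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })

    [pscustomobject]@{
        ExpectedGroupInToken  = $hasExpected
        AdministratorsInToken = $hasLocalAdmin
        GroupCount            = $groups.Count
        PossibleTokenBloat    = ($groups.Count -ge $WarnAtGroups)
    }
}

# Constructed sample in the `whoami /groups /fo csv` layout (not real output)
$sample = @'
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"CONTOSO\SRV-FILE01-Admins","Group","S-1-5-21-1111111111-2222222222-3333333333-1105","Mandatory group, Enabled by default, Enabled group"
"CONTOSO\FileServer-Operators","Group","S-1-5-21-1111111111-2222222222-3333333333-1201","Mandatory group, Enabled by default, Enabled group"
'@ -split "`r?`n"

# Sample run: expected group present, Administrators present, 4 groups, no bloat flag
Test-AdminTokenGroups -WhoamiCsv $sample -ExpectedGroup 'CONTOSO\SRV-FILE01-Admins'

# On a live server, run once in a console session and once in an RDP session and compare:
# Test-AdminTokenGroups -WhoamiCsv (whoami /groups /fo csv) -ExpectedGroup 'CONTOSO\SRV-FILE01-Admins'
```

Comparing the console and RDP results for the same user shows whether the universal group is missing from one token or whether the group count differs between the two sessions.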