
Windows Server 2016 Remote Desktop Services installation with 3 session host servers, one DC. Clean install from scratch.

Created a single RDS policy which has both user and computer settings, is applied to the RDS users group, and also to the session host servers.

My understanding is that the computer policy part of that GP would apply to the session host servers, and the user policies would apply to the users the GP is configured for, i.e. the RDS user group.

However:

If I log onto one of the session host servers with a domain admin account (which is NOT in the RDS user group), I still get all of the RDS user group policy settings applied.

How do I solve that? Do I need to create two policies, one with only computer settings, one with only user settings?

Update:

Link location for the RDS user group policy is the entire domain.

Security filtering:

To make it more clear, objects included in the security filtering are the 3 computer objects for the 3 RDS session hosts, and the RDS user group. Definitely, this security filter does NOT include "Authenticated Users".

UPDATE 2

I ran the GP results wizard for one of the affected servers (their names are XXSERVER22 ... 24, the domain is called "external") and for an administrative user who is definitely not in the user group.

As shown here, two GPOs are applied: the default domain policy, which is almost empty (installation default), and the "RDS User Policy".

Security filter shows that the GPO is applied to the 3 servers and the user group.

In the RDS user policy, I have a number of USER settings, for example: User Configuration > Administrative Templates > System > Prevent access to the command prompt

The result of that policy is that when opening a command prompt, the user gets the message "The command prompt has been disabled by your administrator."

The admin user for whom I ran the GP result below, and who is NOT part of the "RDS User Group 1", also gets that "disabled" message when he tries to open a command prompt. When logged on as local admin, this message does not appear. And so it is with all user policies of that GPO.


Applied GPOs  
Default Domain Policy [{31B2F340-016D-11D2-945F-00C04FB984F9}]
...

RDS User Policy [{5E9FA90A-7A2E-4B8D-968A-0C5684020FC6}]
Link Location   external.mydomain.com 
Extensions Configured  802.3 Group Policy {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}, Registry
Enforced     No
Disabled     None
Security Filters 
  EXTERNAL\XSVR24$
  EXTERNAL\XSVR22$
  EXTERNAL\XSVR23$
  EXTERNAL\RDS User Group 1 
Revision AD (28), SYSVOL (28) 
WMI Filter   

  • You'll need to show us the Security Filtering for the GPO and show us where you have it linked. – joeqwerty May 15 '18 at 11:19
  • Did you enable Loopback policy processing at all? That would cause the user part of the policy to apply to all users logging on to a computer that is in scope of the security filtering/link. As joeqwerty says, knowing the link location(s) in terms of whether the OUs contain the target computers or users or both would be useful. – Mintra May 15 '18 at 11:51
  • Updated the question with that data. – nepdev May 15 '18 at 13:06
  • How about the Loopback setting, did you check that - if set and this policy is linked whole-domain it will certainly give the behaviour you describe. Note that Loopback only has to be set once in *any* policy that applies to the computer and it will knock onto other policies like this one - you can use the Group Policy Results modeller to track it down if you have a lot of GPOs. – Mintra May 15 '18 at 13:14
  • And you're sure that the settings under User Configuration in the GPO are being applied to a user who is not a member of this security group? And you're sure that this user is not a member of this security group? And you're sure that the Security Filtering for the GPO does not include Authenticated Users to APPLY the GPO? How about running the GP Results wizard in the GPMC for one of these servers and this user and posting the results to your question? We need to see which GPOs are being applied and denied to the computer and the user. – joeqwerty May 15 '18 at 20:01
  • Additionally, could you show us the settings in the GPO and under which node they're configured (Computer Configuration or User Configuration)? – joeqwerty May 15 '18 at 21:25
  • See update 2 on my original post. Definitely, "authenticated users" is not included in security filter, the user is not member of the RDS user group. GP result wizard text shown above in update 2. I also included a sample policy and show that it is configured under User Policy, not computer policy. – nepdev May 21 '18 at 17:01
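
The thread above leaves three things unverified: whether any GPO in the session hosts' scope turns on loopback processing (Mintra's suggestion), which trustees actually hold "Apply Group Policy" on the RDS GPO, and whether the admin account is an effective member of the RDS group through a nested group. The following PowerShell script is an added diagnostic for those three points; it is not code from the original post. The domain, GPO, group and host names are taken from the question text, and `$AdminUser` is a placeholder for the admin account in question. It needs the RSAT GroupPolicy and ActiveDirectory modules, read access to every GPO, and WinRM to the session hosts.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
<#
  Added diagnostic for the question above; not from the original post.
  Assumptions taken from the question: domain external.mydomain.com,
  GPO "RDS User Policy", group "RDS User Group 1", hosts XSVR22..XSVR24.
  $AdminUser is a placeholder; replace it with the real sAMAccountName.
#>
param(
    [string]   $Domain     = 'external.mydomain.com',
    [string]   $RdsGpoName = 'RDS User Policy',
    [string]   $RdsGroup   = 'RDS User Group 1',
    [string[]] $Hosts      = @('XSVR22', 'XSVR23', 'XSVR24'),
    [string]   $AdminUser  = 'someadmin'   # placeholder account name
)

Import-Module GroupPolicy, ActiveDirectory

# 1. Loopback processing is a Computer Configuration setting. Inside a GPO it is
#    stored as this registry value (1 = Merge, 2 = Replace). If any GPO in the
#    computer's scope sets it, the User Configuration of the GPOs in that scope
#    is processed for users who log on to the host, not only for users whose own
#    OU location links the GPO.
$loopbackKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'
$loopbackName = 'UserPolicyMode'
$modeNames    = @{ 1 = 'Merge'; 2 = 'Replace' }

Write-Host "== GPOs in $Domain that configure loopback processing =="
foreach ($gpo in Get-GPO -All -Domain $Domain) {
    try {
        $v = Get-GPRegistryValue -Guid $gpo.Id -Domain $Domain -Key $loopbackKey `
                                 -ValueName $loopbackName -ErrorAction Stop
        $mode = $modeNames[[int]$v.Value]
        if (-not $mode) { $mode = "raw value $($v.Value)" }
        Write-Host ("  {0} [{1}] -> {2}" -f $gpo.DisplayName, $gpo.Id, $mode)
    } catch {
        # Get-GPRegistryValue errors when the value is not configured in that
        # GPO; for most GPOs that is the expected outcome, so it is ignored.
    }
}

# 2. Independently of the GPO definitions, read the value each host ended up with
#    after its last policy refresh.
Write-Host "== Loopback mode as applied on the session hosts =="
foreach ($h in $Hosts) {
    $applied = Invoke-Command -ComputerName $h -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                          -Name 'UserPolicyMode' -ErrorAction SilentlyContinue).UserPolicyMode
    }
    if ($null -eq $applied)               { $mode = 'not set' }
    elseif ($modeNames[[int]$applied])    { $mode = $modeNames[[int]$applied] }
    else                                  { $mode = "raw value $applied" }
    Write-Host ("  {0}: {1}" -f $h, $mode)
}

# 3. Security filtering of the RDS GPO: every trustee holding "Apply Group Policy",
#    including any Deny ACEs, which the GPMC summary does not always make obvious.
$rds = Get-GPO -Name $RdsGpoName -Domain $Domain
Write-Host "== Apply Group Policy ACEs on '$RdsGpoName' =="
Get-GPPermission -Guid $rds.Id -All -Domain $Domain |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { Write-Host ("  {0}  denied={1}" -f $_.Trustee.Name, $_.Denied) }

# 4. Effective membership: -Recursive expands groups nested inside the RDS group,
#    so an admin who is a member only through a nested group is found here even
#    though the group's direct member list does not show the account.
$nested = Get-ADGroupMember -Identity $RdsGroup -Recursive |
          Where-Object { $_.SamAccountName -eq $AdminUser }
if ($nested) { Write-Host "  $AdminUser IS an effective (possibly nested) member of '$RdsGroup'" }
else         { Write-Host "  $AdminUser is not a member of '$RdsGroup', directly or nested" }
```

Step 1 searches the GPO definitions, step 2 reads what the hosts actually applied; if they disagree, a host has not refreshed policy since the setting changed. Step 3 lists the trustees by name only, which is why step 4 exists: the security filter names a group, and a user reaches the policy through any group nested in it. If loopback turns up and is not wanted on the session hosts, clear the setting in the GPO that carries it; if it is wanted, the split the poster proposes (computer settings in one GPO linked to the hosts, user settings in a second GPO filtered to the RDS group) keeps the user half scoped to that group.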
