Domain Users cannot access machines through RDP, even though GPO exists

Hi All.
I simply cannot figure out what I am getting wrong here, hope some of you can assist.
I am trying to allow users to remote into their computers using RDP.

GROUPS :
Remote Desktop Users - A built-in group that should do exactly this; according to Microsoft documentation, members of this group should have access to RDP by default even without creating a GPO:

pz-msrdp - A second group I have created for troubleshooting, since the Remote Desktop Group is not getting populated to the win clients:

In this example I will be using user flinden.
In UCS, flinden is a member of Remote Desktop Users and a member of pz-msrdp.

Querying windows shows not all groups are being populated on the domain joined machines:

So the Remote Desktop Group is not pushed to the windows client, however pz-winrdp is:
Editing the GPO to allow pz-winrdp does not allow the user to log in through RDP (they can log in on the physical machine).
The GPO (AllowRDP) is enabled and on the correct OUs; on the screenshot above you can see the GPO was indeed applied. Screenshot of the GPO below:

I am at a loss. I'm sure it's me missing something, but what, I cannot figure out.

All the best

Ras

You have to add the “Remote Desktop User” Domain Group to the local Remote Desktop Users Group:

If you need to specify the users (or groups) that can REMOTE DESKTOP (RDP) to a PC and you want to do this with Group Policy, you are in the right place:

    1. In Group Policy Management Console (GPMC.MSC) select Computer Configuration\Windows Settings\Security Settings\Restricted Groups\
    2. Right-click Restricted Groups and then click Add Group.
    3. Click the Browse button, type Remote and click Check Names; you should see REMOTE DESKTOP USERS come up.
    4. Click OK in the Add Groups dialog.
    5. Click Add beside the MEMBERS OF THIS GROUP box, then click Browse.
    6. Type the name of the domain group, then click the Check Names button, then click OK to close this box.
    7. Click OK to close this box, which will complete the addition of the domain group to the Remote Desktop Users group.
    8. Go to your PC and in an elevated command prompt type GPUPDATE /FORCE to refresh Group Policy on your PC.
    9. Verify that the group has been added under the SELECT USERS button on the REMOTE tab of the PC's SYSTEM PROPERTIES.

rg
Christian


Christian you are a star.
Pointing me to checking the Remote Desktop allowed users showed the GPO was not being applied to the computer.
I had completely missed that when computers join the domain in UCS they do not go into the correct OU.
I will be updating my computer template to fix this.
After moving the computer to the OU where the GPOs are linked, I could see the group getting pushed correctly to the machine, and appearing under allowed users as you suggested.

Once again thanks for your help
All the best from me.
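The checks Christian lists in his steps 8 and 9, plus the OU placement that turned out to be the actual cause, can be verified in one pass from the client. This is an added diagnostic script, not code from the thread or from UCS; the domain name, group name and OU path are placeholders you need to adjust.

```powershell
# Test-RdpPolicy.ps1 (hypothetical name). Run in an elevated PowerShell on the
# domain-joined client. Domain, group and OU below are placeholders.
param(
    [string]$DomainGroup = 'EXAMPLE\Remote Desktop Users',
    [string]$ExpectedOU  = 'OU=Workstations,DC=example,DC=local'
)

# 1. Where does AD think this computer lives? A computer that joined into the
#    default Computers container never receives a GPO linked to the workstation OU.
$searcher = [ADSISearcher]"(&(objectCategory=computer)(cn=$env:COMPUTERNAME))"
$result = $searcher.FindOne()
if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found in AD" }
$dn = $result.Properties['distinguishedname'][0]
"Computer DN    : $dn"
"In expected OU : $($dn -like "*,$ExpectedOU")"

# 2. Did Restricted Groups actually put the domain group into the local group?
#    Note: the 'Members of this group' setting enforces exact membership, so any
#    local member not listed in the GPO is removed at the next refresh.
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' |
           Select-Object -ExpandProperty Name
"Local RDP members    : $($members -join ', ')"
"Domain group present : $($members -contains $DomainGroup)"

# 3. Does effective policy grant 'Allow log on through Remote Desktop Services'
#    (SeRemoteInteractiveLogonRight) to the group's SID? Membership in the local
#    group is not enough if a policy has overwritten this user right.
$account = New-Object System.Security.Principal.NTAccount($DomainGroup)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight' |
        ForEach-Object Line
Remove-Item $cfg -ErrorAction SilentlyContinue
"Logon right granted  : $($line -match [regex]::Escape("*$sid"))"

# 4. Which GPOs were applied to the computer? If AllowRDP is missing here, fix
#    the OU link or the computer's OU, then run gpupdate /force and re-check.
gpresult /scope computer /r |
    Select-String -Pattern 'Applied Group Policy Objects' -Context 0,10
```

If step 1 reports the computer outside the expected OU, the remaining checks will usually fail as well, which is the symptom described in this thread.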
