0 Votes
susanb asked

Users are allowed to RDP to a Virtual Machine

I inherited a 2019 server where users are allowed to RDP to a Virtual Machine on the DC host that allows users to remote to the VM.
I cannot see how because the users are members of the RDS Accounting team but this team does not have Log on Locally rights to the VM.
The Remote Desktop Users group does but has no members.

It appears that the last admin attempted to set up RDS but it is not configured.

Is there a registry edit or some other method that would allow this?

Thanks in advance.

remote-desktop-services
0 Votes
cooldadtx answered

To remote into a machine Remote Access has to be turned on. The user must either be in the Administrators group on the local machine or part of the Remote Desktop Users group. My gut instinct is that the user is in a group that is ultimately in the Administrators group on the machine. You can use the Users and Groups UI to find the user and determine what group(s) they are a member of. Alternatively I tend to use a command line tool to dump the group memberships for a user on a particular machine.

0 Votes
susanb answered

It turns out that Users were allowed to log on locally to the VM.
I changed it to Remote Desktop Users.
I hope to change this with installation of RDS.

0 Votes
KarlieWeng-MSFT answered

Hello @susanb

Are these users who have RDP rights domain users?

Is the VM on Hyper-V?

Is there any GPO configured?
This policy might be related:
Computer Configuration -> Windows settings -> Security Settings -> Local policies -> User Rights Assignment Edit "Allow log on through terminal services"


Best Regards
Karlie


If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
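
The checks suggested in the answers above (local group membership and the User Rights Assignment policy) can be run together on the VM. This is an added example, not code from any poster in the thread; it assumes an elevated PowerShell session on the VM, and the scratch file path and the `Resolve-Trustee` helper name are illustrative choices.

```powershell
# Added example. Run in an elevated PowerShell session on the VM being audited.
# $cfg is an assumed scratch path for the exported policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Privilege constants behind the policies discussed in the thread:
#   SeInteractiveLogonRight           "Allow log on locally"
#   SeRemoteInteractiveLogonRight     "Allow log on through Remote Desktop Services"
#   SeDenyRemoteInteractiveLogonRight "Deny log on through Remote Desktop Services"
$rights = 'SeInteractiveLogonRight',
          'SeRemoteInteractiveLogonRight',
          'SeDenyRemoteInteractiveLogonRight'

function Resolve-Trustee {
    param([string]$Entry)
    # secedit writes most trustees as "*S-1-5-..."; anything else is already a name.
    if (-not $Entry.StartsWith('*S-')) { return $Entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # deleted account or unreachable domain
}

$assignments = foreach ($line in Get-Content $cfg) {
    if ($line -match '^(\w+)\s*=\s*(.*)$' -and $rights -contains $Matches[1]) {
        $right = $Matches[1]
        foreach ($entry in $Matches[2].Split(',')) {
            [pscustomobject]@{ Right = $right; Trustee = Resolve-Trustee $entry.Trim() }
        }
    }
}
Remove-Item $cfg
$assignments | Sort-Object Right, Trustee | Format-Table -AutoSize

# Direct members of the two local groups that hold the RDP right by default.
# A domain group listed here brings its nested members along with it.
$members = foreach ($group in 'Administrators', 'Remote Desktop Users') {
    Get-LocalGroupMember -Group $group |
        Select-Object @{ n = 'LocalGroup'; e = { $group } }, Name, ObjectClass, PrincipalSource
}
$members | Format-Table -AutoSize
```

To see which of these trustees a particular user reaches through nested groups, run `whoami /groups` in that user's own session and compare the output against the two tables.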
