Question asked by YannickGeerlings-6291

Remote desktop gateway Pre-Windows 2000 Compatible Access group

We try to empty the Pre-Windows 2000 Compatible Access group.
When we do that, the users aren't allowed through the Remote Desktop Gateway anymore.

We have set up a special group that users must be a member of to be allowed through the gateway.
If the Pre-Windows 2000 Compatible Access group is empty, we get the following error:

The user "xxx\xxxxx", on client computer "x.x.x.x", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".

I'm unable to find a solution that lets us keep this group empty.
I would appreciate any help.


Comment from ElevenYu-MSFT:

Hi,

Have you checked if the answer helps? Do you have any further question?

If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.


1 Answer

Answered by ElevenYu-MSFT

Hi,

The issue seems to be more related to Active Directory permissions. I am not a specialist in the AD aspect.

But I did some research and found some articles that describe the Pre-Windows 2000 Compatible Access group.

As per this article, the group Pre-Windows 2000 Compatible Access is assigned Read permissions on the domain root and on user, computer, and group objects.

I am not sure if the problem occurred because the users have no read permission in Active Directory, so that they could not authenticate themselves after the Pre-Windows 2000 Compatible Access group was emptied.

Also, the Pre-Windows 2000 Compatible Access group contains additional identifiers beyond the default ones. This grants its members access to some RPC calls. It exists for backward compatibility with systems prior to Windows 2000 (Windows NT 4.0). This group must only include Authenticated Users (S-1-5-11).
I am not sure if the problem is related to an RPC issue.

Based on my research, it is not clear what the side effects of emptying the Pre-Windows 2000 Compatible Access group will be.

Appreciate your understanding.


For more details:
https://glanden.dev/ad-assessment/
https://hitechglitz.com/removing-users-from-the-pre-windows-2000-legacy-group-can-prevent-the-exploitation-of-domain-controllers/

Thanks,


If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.
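As an added example (not part of the original question or answer), the following PowerShell, run on a domain-joined host with the RSAT ActiveDirectory module, lists the current members of the Pre-Windows 2000 Compatible Access group by its well-known SID S-1-5-32-554, checks whether Authenticated Users (S-1-5-11) is still among them, dumps the ACEs the group holds on the domain root, and, when run on the RD Gateway itself, pulls recent gateway events that carry error 23003. The SIDs, the ForeignSecurityPrincipals container and the gateway log name are standard Windows values; filtering on "23003" in the message text is this example's own choice, not an official event filter.

```powershell
# Added example, not from the original Q&A thread.
# Assumes: domain-joined host, RSAT ActiveDirectory module, rights to read AD;
# step 4 only does something when run on an RD Gateway server.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# 1. Resolve the builtin group by its well-known SID (S-1-5-32-554), not by display name,
#    and read the raw 'member' attribute so foreign security principals are visible too.
$pre2k = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member

"Members of '$($pre2k.Name)' ($($pre2k.SID)):"
if (-not $pre2k.member) {
    "  <empty>"
}
foreach ($dn in $pre2k.member) {
    "  $dn"
}

# 2. Authenticated Users (S-1-5-11) is stored as a foreign security principal whose DN is
#    predictable; this is the one membership the answer's guidance says to keep.
$authUsersDn = "CN=S-1-5-11,CN=ForeignSecurityPrincipals,$domainDn"
if ($pre2k.member -contains $authUsersDn) {
    "Authenticated Users (S-1-5-11) is a member."
} else {
    "WARNING: Authenticated Users (S-1-5-11) is NOT a member; the read access this group " +
    "grants on the domain root and on user/computer/group objects no longer applies to ordinary users."
}

# 3. Show what the group is actually granted on the domain root (the ACEs the answer refers to).
#    The AD: drive is provided by the ActiveDirectory module.
$acl = Get-Acl -Path "AD:\$domainDn"
$acl.Access |
    Where-Object { $_.IdentityReference -like '*Pre-Windows 2000 Compatible Access' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  InheritanceType, InheritedObjectType |
    Format-Table -AutoSize

# 4. On the RD Gateway server: recent CAP failures whose message carries error "23003",
#    i.e. the event quoted in the question. The 'User' column is parsed from the message text.
$gwLog = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
if (Get-WinEvent -ListLog $gwLog -ErrorAction SilentlyContinue) {
    Get-WinEvent -LogName $gwLog -MaxEvents 500 |
        Where-Object { $_.Message -match '"23003"' } |
        Select-Object TimeCreated, Id, @{ n = 'User'; e = { ($_.Message -split '"')[1] } } |
        Format-Table -AutoSize
}
```

Run steps 1 to 3 before and after changing the group so the membership and the domain-root ACEs can be compared; step 4 shows whether the 23003 failures stop once the membership is restored.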
