NISPOM Tool reports groups "Guests" and "Remote Desktop Users" have excessive privileges - remediation?

Greetings,
I'm running a security tool DISA provides, and it's reporting the following on my XP box:
"This group has privileges associated with it that may allow anonymous access to the system."
The group is:
"Guests"
I've already disabled the Guest account, however the account isn't the same thing as the group, so how does one go about limiting anonymous privileges associated with the group?

Remove the Guest account from any groups it is a member of.
You can also use a Restricted Groups policy to remove group membership on multiple computers at once.
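
To see what the scanner is likely flagging, the following added example (not part of the original thread or the DISA tool) lists the user rights assigned to the built-in Guests and Remote Desktop Users groups, assuming the finding refers to user rights assignments. The function name and the sample export are constructed for illustration; on a real host, feed it the output of `secedit /export /cfg rights.inf /areas USER_RIGHTS`.

```powershell
# Well-known SIDs of the two built-in groups named in the report.
$WatchedGroups = @{
    'S-1-5-32-546' = 'Guests'
    'S-1-5-32-555' = 'Remote Desktop Users'
}

function Get-GroupUserRight {
    # Reads the [Privilege Rights] section of a secedit export and emits one
    # object per user right held by a watched group (hypothetical helper).
    param(
        [string[]]$Lines,
        [hashtable]$Groups = $WatchedGroups
    )
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        if ($text -match '^(\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            # Holders are comma-separated; SIDs carry a leading '*', names do not.
            foreach ($holder in $Matches[2].Split(',')) {
                $id = $holder.Trim().TrimStart('*')
                foreach ($sid in $Groups.Keys) {
                    if ($id -eq $sid -or $id -eq $Groups[$sid]) {
                        New-Object PSObject -Property @{
                            Group       = $Groups[$sid]
                            Right       = $right
                            IsDenyRight = ($right -like 'SeDeny*')
                        }
                    }
                }
            }
        }
    }
}

# Constructed sample export; on a real host use: Get-Content rights.inf
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-546
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-546
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight = Guest
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

# Allow-type rights are the ones to review; deny rights restrict the group.
# The 'Guest' account entry is not reported: it is not the Guests group.
Get-GroupUserRight -Lines $sample |
    Where-Object { -not $_.IsDenyRight } |
    Sort-Object Group, Right |
    Format-Table Group, Right -AutoSize
```

Each right listed for Guests can then be removed under User Rights Assignment in local or domain policy, alongside the group-membership cleanup described above.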

Similar Messages

  • Group Policy for Remote Desktop Users

    Hi,
    Currently my users use desktops and have user and computer GPOs applied (typical things like logon scripts etc.) at the OU level where they reside e.g. Finance Users, Sales Users etc.
    I am planning a Remote Desktop 2012 environment.
    I have read the following:
    TechNet cc779327
    So, my understanding is that I create a new OU for my Remote Desktop Server only (not users), and create a new security Group for my RD Users and a security group for my RD server.
    Remote Desktop Servers OU
               * RD User GPO (filter on RD User security Group and RD Computer Security Group)
               * RD Computer GPO (filter on RD User security Group and RD Computer Security Group)
    I then apply all computer settings to the RD Computer GPO (loopback processing, Windows installer, hide shortcuts etc.).
    I then apply all user settings to the RD User GPO (app specific, templates etc.)
    Why not consolidate the two GPOs into one?
    If I set computer settings in the computer GPO, and apply it as above to filter to the RD Server group and RD Users Group will this apply to only users in the RD User Group...or ALL users since I added the server to the filter?
    If a user currently gets a setting in their normal OU e.g. Finance logon script, will they still get it on the Remote Desktop? Or do I need to copy that GPO setting to my new RD User GPO also?
    Am I right to add both RD Server and RD User groups to the filter on both RD User and RD Computer GPOs?
    Loopback processing - merge or replace typically for Remote Desktop?

    Hi,
    Thank you for posting in Windows Server Forum.
    Create OU for RDS Server in Active Directory. Create security group for users who will use Remote Desktop Host (i.e. RDS Users). Create GPO (i.e. RDS Server Lock Down). In Security Filtering delete Authenticated Users, add RDS Server Account, and the security group created in previous step.
    Please check the articles below, which might be useful for better understanding.
    Lock Down Remote Desktop Services Server 2012
    How to secure your remote desktop server with GPO
    Hope it helps!
    Thanks,
    Dharmesh

  • Reporting SPLA usage of Remote Desktop user CALs

    For our SPLA, we need to report how many unique users were logged in during the month via RDP. (I also need to report how many opened Office, and Office Pro Plus, but not sure that's for this forum). Not sure how I can report on this? I asked in the scripting forum, and was told there might be some perfmon counters, but I can't find them. Figured I would ask this forum, as I can't be the only one looking for this. I found the RDP reports, that show me which CALs will expire when, but it doesn't even tell me when they were issued (yes, I can put in Spreadsheet and calculate). It does not tell me anything about users logged in, unique or otherwise.
    How can I track the CAL usage?
    mpleaf

    That's interesting TP...not the way our SPLA partner explained it to us. However, that being said...we have our policy set to expire RDP licenses every 60 days, and then we obviously issue new as needed. So, it sounds like, all I need to do then, is say that as of October 32st (for example), is look at the number of licenses issued for the prior 60 days, and report that number for my monthly report. Does that sound right? Basically, we may have 3000 licenses "available" to be issued, but they are not issued unless requested by one of the 500 users created in our domain, and only those that are issued a license during the past 60 days, are those who are authorized to login. To me, if the license was not issued in the past 60 days, it can't be used.
    mpleaf

    No. You need to report the number of users that were authorized to access the system, regardless of whether or not they actually accessed it. For example, say you configure your permissions so that the ONLY group that can access your RDS deployment is a domain group named "RDS Users". Over the course of the month (say, daily) you could export the user accounts that are members of the group. On the first of the following month you could de-dupe the list of all the daily exports and come up with a total number of unique users that had access. This assumes that each user account maps to a unique human, which is not always the case.
    The above is a very basic example. In reality you want to have much more than that to be prepared to answer the auditor's questions. You want each fact that you provide to be backed up by policies and procedures, documentation, etc.
    The CAL Usage report can be one element of your system, but it only gives an idea of usage--not of how many users were authorized, which is what is stipulated under SPLA. You might want to use the CAL Usage as one of your cross-check methods.
    For example, if you had 450 users that were authorized during the month, but the CAL Usage shows 500 users, you need to be able to explain (and document) the reason for the difference.
    -TP
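
    The daily-export and de-dupe procedure described in the reply above, as an added example that is not part of the original thread. The function names, the export folder and the demo data are constructed for illustration; `Export-GroupSnapshot` assumes the ActiveDirectory module is installed.

```powershell
# Daily job: snapshot who is authorized today (needs the ActiveDirectory module).
function Export-GroupSnapshot {
    param(
        [string]$Group  = 'RDS Users',      # group name used in the reply above
        [string]$Folder = 'C:\SplaAudit'    # hypothetical export folder
    )
    $file = Join-Path $Folder ('{0:yyyy-MM-dd}.csv' -f (Get-Date))
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object SamAccountName, @{ n = 'SID'; e = { $_.SID.Value } } |
        Export-Csv -Path $file -NoTypeInformation
}

# First of the following month: de-dupe all daily exports for one month.
function Get-MonthlyAuthorizedUser {
    param([string]$Folder, [int]$Year, [int]$Month)
    $filter = '{0:D4}-{1:D2}-*.csv' -f $Year, $Month
    $rows = foreach ($f in Get-ChildItem -Path $Folder -Filter $filter) {
        Import-Csv -Path $f.FullName |
            Select-Object SamAccountName, SID, @{ n = 'Day'; e = { $f.BaseName } }
    }
    # Key on SID so that a renamed account is not counted twice.
    $rows | Group-Object SID | ForEach-Object {
        $days = @($_.Group | Sort-Object Day)
        New-Object PSObject -Property @{
            SID            = $_.Name
            SamAccountName = $days[-1].SamAccountName
            FirstSeen      = $days[0].Day
            LastSeen       = $days[-1].Day
            DaysAuthorized = $days.Count
        }
    }
}

# Constructed demo data: bob is removed and carol is added on the second day.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'spla-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
"SamAccountName","SID"
"alice","S-1-5-21-1-2-3-1101"
"bob","S-1-5-21-1-2-3-1102"
'@ | Set-Content (Join-Path $demo '2014-10-01.csv')
@'
"SamAccountName","SID"
"alice","S-1-5-21-1-2-3-1101"
"carol","S-1-5-21-1-2-3-1103"
'@ | Set-Content (Join-Path $demo '2014-10-02.csv')

# Three unique accounts were authorized at some point during the month.
Get-MonthlyAuthorizedUser -Folder $demo -Year 2014 -Month 10 |
    Sort-Object SamAccountName |
    Format-Table SamAccountName, FirstSeen, LastSeen, DaysAuthorized -AutoSize
```

    Keeping the raw daily files alongside the de-duplicated total gives dated evidence for each account when the total has to be reconciled against the CAL Usage report.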

  • Hp laserjet pro m1217nfw and remote desktop printing

    HP LaserJet Pro M1217nfw and remote desktop printing: are there any issues with said function?

    What's the problem you are having?

  • Remote control and remote desktop client in sccm 2012 ?

    What is the difference between remote control and remote desktop client in sccm 2012 ?

    Remote Control is a built-in feature for SCCM 2012 and uses the RPC protocol. When you use this, the user can still be logged on while helping.
    Remote Desktop is a built-in feature for Windows and uses the RDP protocol. When you use it, the user will be logged off.
    Why you would use one over the other depends on your requirements.
    Blog: www.danielclasson.com/blog | LinkedIn: Daniel Classon | Twitter: @danielclasson

  • SG 300 and remote Desktop

    Greetings; I am new to the community and would appreciate some help.
    I have recently upgraded to the SG 300 managed switches and after doing so my internal remote desktop connections have stopped working - I get a dialog that says the computer can't connect to the remote computer.  I have an RVS4000 router with (2) SG-300 series switch installed on ports 1 and 2 and (2) WAP4410N access points on ports 3 and 4.  There are no problems pinging the remote machines. The only thing that has changed is the switch upgrade.
    Any insight is welcome. Thanks!

    Parker,
    Have you double-checked that there are no ACLs denying the RDP protocol port 3389 through your network? Also, is RDP still enabled on the PC?
    Just putting the switch in the mix, unless it has some type of ACLs, shouldn't be blocking the ports.
    Can you get the RDP to work locally to the PC?

  • Can't change search options in Outlook 2007 on Windows Server 2008R2 Remote Desktop Users

    One of my users is trying to change search options in Outlook 2007.
    But he can't change the search options.
    He is working with Outlook 2007 on Remote Desktop Services 2008 r2.
    We don't use cache mode on terminal server.
    Any suggestion how we can enable search options for remote desktop users?

    Hi Roel,
    Thank you for posting in Windows Server Forum.
    To customize Instant Search options by using Group Policy 
    - In Group Policy, load the Office Outlook 2007 template (Outlk12.adm).
    - To customize how results are displayed, under
    User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options\Preferences\Search Options, double-click the setting that you want to set. For example, double-click Turn off wordwheel.
    - Click Enabled. For hit highlighting color, choose a color from the Background Color drop-down list.
    - Click OK.
    More information.
    Configure Instant Search options in Outlook 2007
    http://technet.microsoft.com/en-in/library/cc178983(v=office.12).aspx
    In addition, perform below steps to edit the registry key and check.
    Step 1: Open the Registry Editor application.
    Step 2: In the Registry Editor, click the Edit menu and select Find. Type PreventIndexingOutlook in the search field and click Find Next.
    Step 3: Right click PreventIndexingOutlook and select Modify. Change its Value data to 0 and click OK.
    Step 4: Search again by clicking the Edit menu and select Find. Type SetupCompletedSuccessfully in the search field and click Find Next. Locate this key.
    Step 5: Right click the SetupCompletedSuccessfully key and select Modify. Change its Value Data to 0 and click OK.
    Step 6: Restart your computer and you will now be able to perform advanced searches in Microsoft Outlook.
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Remote Desktop Service Manager - configure permissions for Remote Desktop Users to Send Message, Disconnect, Logoff

    Hello, dear colleagues.
    We are using Windows Server 2012 R2 as Remote Desktop Server. Also use Windows Server 2008 R2 with Remote Desktop Service Manager to control RDS user sessions (Send Message, Disconnect, Logoff, Query Info). 
    Send Message, Disconnect, Logoff options work only for users in Administrators group.
    I can't configure permissions for Remote Desktop Users, specific user or AD group.
    To set permissions I'm running RDS Host Configuration on Windows Server 2008 R2 and connect to Windows Server 2012 R2. Then double-click RDP-Tcp, Security tab, add specific user account, AD group or configure advanced permissions for Remote Desktop Users.
    But, as I said above, these options work only for users in Administrators group. How to make it work for Remote Desktop Users or specific user, AD group?
    Thanks.
    P.S. If I move a specific user from Remote Desktop Users group to Administrators group on Windows Server 2012 R2 - it works.

    Hi,
    You can prevent administrators from changing the permissions for a connection by applying the "Do not allow local administrators to customize permissions" Group Policy setting.
    This Group Policy setting is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
    Apart from that, there is one command with which you can set the permission; for that, check the related article. Additionally, check this thread for more detail.
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Windows 2008 R2 Standard Remote Desktop Users cannot Connect

    I have a Windows 2008 R2 Standard Terminal Server and some users aren't able to connect even though they are in groups that are in Remote Desktop Users on the local computer. I checked the local security policy setting "Allow log on through Remote Desktop Services" and I see that Remote Desktop Users is a member of this group. Inside of Remote Desktop Users we have DOMAIN\Domain Users and DOMAIN\Terminal Users. Most of our users are in both groups, but there are still some people that aren't able to connect via Remote Desktop to this computer. There are no users in "Deny logon through Terminal Services."
    Thanks!

    Hi,
    Thank you for posting in Windows Server Forum.
    Does it happen to all users or to a particular group of users?
    Please check by creating a new user, adding them to the “Remote Desktop Users” group, and then seeing whether that test user can remote desktop to the server.
    It might also be that you are limited in the number of users, or there is some connection issue or a firewall setting issue. Please go through the article below for information.
    Remote Desktop disconnected or can’t connect to remote computer or to Remote Desktop server (Terminal Server) that is running Windows Server 2008 R2
    http://support.microsoft.com/kb/2477176
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Remote desktop users lost overnight on windows server 2008 R2

    We set up a group in active directory to allow certain users access to this Virtual Machine.
    I am able to go into the remote Users of the VM and add this group from active directory.
    Every morning I have to re-add this group as it has gone at some point. There is nothing I can see that would cause this.
    Would anyone have any suggestions?
    Thank you,

    Hi,
    According to your description, it seems that the domain Users added in the remote desktop users group disappeared after the reboot, right? What are the operating systems of the clients and server?
    In addition, you can try to add domain users to the Remote Desktop Users Group via Group Policy to see if the issue persists. For more detailed information, please refer to the link below:
    How to add "Domain Users/Group" to Remote Desktop Users group on Servers using Group Policy ?
    Best regards,
    Susie

  • My remote Desktop Users service is disabled

    Dear all,
    I need your help. I have a Windows Server 2008, and when I restart, my "allow users remote desktop" setting is disabled. When I change it and then restart, it is disabled again. I suspected there is a GPO doing that, but when I ran gpresult I did not get any GPO changing the local group policy. Then I suspected that there is a startup script making changes to the registry, but still nothing.
    I really want to know what's making this policy disabled.
    Thank you

    Hi,
    Please try to use rsop.msc to see the following policy setting configured correctly:
    For details:
    Allow users to connect remotely using remote desktop Services
    ===========================================
    1.  Computer Configuration ->Policies ->Administrative Templates ->Windows Components ->remote desktop Services ->remote desktop Session Host ->Connections ->Allow users to connect remotely using Remote Desktop Services
    Restrict Group
    ==========
    1. Computer Configuration -> Policies -> Windows Settings -> Security Settings
    2. Right-click Restricted Groups, and then click Add Group.
    3. Click Browse, add Remote Desktop Users, click Ok.
    4. Add the members  what you want.
    Allow log on through Terminal Services(RDS on DC)
    ==========================
    Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on through Terminal Services
    Hope this helps!
    Best Regards
    Elytis Cheng
    Please remember to click “Mark as Answer” on the post that
    Elytis Cheng
    TechNet Community Support

  • How to programmatically manage Remote Desktop Users?

    Hi,
    I want to know if there exists a method to programmatically set/get the Remote Desktop Users list, such as add/remove a user and so on.
    Thank you all in advance
    Best Regards
    Antonino

    Hi,
    first of all, I want to thank you for reply. But, what I'm looking for is to programmatically view the list of the users for the Remote Desktop Control. With Remote Desktop Control I mean the way I let some other users over the network to operate with my own desktop in Windows XP (that is what you find in system->properties->remote desktop->advanced...and so on).
    Antonino

  • Popularity Trends Report - Zero Hits and Zero Unique Users

    Popularity Trends Report - Zero Hits and Zero Unique Users. Search Service is working and returning results for generic look-ups. I have read numerous postings on this subject, but none that define a step-by-step troubleshooting method such as what services/checks should be identified as running and so on. Any help would be appreciated. Would like to see what people are actually viewing on my site. Thanks in advance.

    Hi,
    According to your post, my understanding is that the Popularity Trends Report returns zero Hits and zero Unique Users.
    I recommend running some PowerShell scripts that add receivers to get data showing again.
    For more information, you can refer to:
    PowerShell Script to Workaround No Data in SharePoint 2013 Usage Reports
    Here are some similar threads for your reference:
    http://social.technet.microsoft.com/Forums/en-US/51c96873-de7e-4f38-ab2a-9f5a5efc8dd8/popularity-trends-report-always-zero?forum=sharepointadmin
    http://social.technet.microsoft.com/Forums/en-US/b94d2114-48a2-4ac8-aa10-b32762275611/popularity-trends-report-is-empty?forum=sharepointsearch
    Best Regards,
    Linda Li
    TechNet Community Support

  • Remote Desktop user configuration

    My client is having users login to a terminal server to access SBO.  I was able to setup the users with login access, but upon logging into SBO as manager on the terminal server they can't see any of the company databases.  how do i fix this?  And will it be the same solution once I create a user for them in SBO.  I obviously can't have them logging in as manager.

    Dear Robert,
    Could you please check if the Windows username for the affected users contain any special characters (such as apostrophe, accentuation or other ASCII characters) as described in Notes [1158771|https://websmp130.sap-ag.de/sap(bD1odSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1158771], [1128109|https://websmp130.sap-ag.de/sap(bD1odSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1128109]?
    Could you please also verify if roaming profiles are in use for the affected users?
    Please also verify the security settings on the folder
    C:\Documents and Settings\<userid>\Local Settings\Application Data\SAP\SAP Business One
    and let the user have unrestricted access to it.                                                  
    Please refer to note [1153036|https://websmp130.sap-ag.de/sap(bD1odSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1153036] for your reference.  
    hope it helps,
    Regards,
    Ladislav
    SAP Business One Forum Team

  • How to report on sessions from Remote Desktop Services

    I want to run a historical report for (in)active / total sessions from a group of 2008 R2 servers. I found that I had to import the RDS MP just to even get the terminal server\(in)active sessions counters visible in the performance view, and the metrics are being collected but I cannot figure out what object/class/counter combination to use in order to run a report from the SCOM 2012 Reporting console. The TS 2003/2008 report templates do not work at all which were perfect from my TS 2003 farms, but now I can't get a bird's eye view of a 2008 R2 RDS farm of 100 'terminal servers'. What gives?
    B. Wright

    Unfortunately, I've been there and done that. However none of the 2008R2 servers that are running "Remote Desktop Services" are available when I try to search for a group/objects in the chart/series. If I point it to a group that contains the computers in question, and use any of the "terminal services 200x" counters/performance collection rules no data shows up in the report. It's like they aren't available as Windows Computers/Servers anymore because SCOM/MS considers them as a "Remote Desktop Services Host", and the only way I can see (in)active session information is in the performance view of that management pack's folder in the monitoring pane.
    Seems to me that there is a major flaw in the RDS management pack for SCOM 2012.
    B. Wright
