Please clarify RDP

Hi there, could someone please clarify this point of RDP, i have seen conflicting information from transcender/MSPress and Sybex.

On member servers, adding to the remote desktop group also adds the right to logon terminal servers.
But on Domain Controllers, the right to logon terminal servers must added manually to the remote desktop group.

is this right? if not, could one of you enlightened people please shed some light on this?

cheers one and all

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Everlife

Hi Jon,

Here's how I understand it:

Member Servers: Once RD is enabled, by default, the Administrators group and Remote Desktop Users group have the right to logon through terminal services. When you add a user to the Remote Desktop Users group, he/she is inheriting the right.

Domain Controllers: Once RD is enabled, by default, only members of the Administrators group have the right to logon through terminal services. Remember, there isn't a local security database for a domain controller so no local Remote Desktop Users group exists for the DC. You would have to manually create the group in Active Directory then grant that group the right to logon through terminal services in the Default Domain Controllers Policy which you would edit through Active Directory.

If you checked your User Rights section of the policies you would see the following:

Member Server - Allow Logon Through Terminal Services: Administrators, Remote Desktop Users
Domain Controllers - Allow Logon Through Terminal Services: Administrators

I hope that clears that up. If I'm mistaken on anything, I'm sure one of the real experts will catch it, but I'm pretty sure I'm right about it.