Azure AD Users logging into Remote Desktop Server

azureazure-active-directoryremote-desktop-services

I have a Windows Server 2016 VM running on Azure. It is joined to an Azure Active Directory. Remote Desktop Services are installed and seem to be working properly.

I am trying to allow users from Azure AD to log into the server. The problem is that only users that are in the 'AAD DC Administrators' group can log in. All other users get this error message 'The requested session access is denied'

I've made sure that the AAD users are in the 'Remote Desktop Users' local group. I've also added those users to the Session Collection properties user groups in Remote Desktop Services.

I'm not really sure what other permissions user need to be able to log into the server. I obviously can't keep all of the users in the AAS DC Admins group.

Best Answer

Not sure if its documentation somewhere or supported (NOT TO BE DONE ON PRODUCTION) but i have been able to create my own group to manage RDP on Azure AD Domain service.

Steps

Created group in Azure AD and added members (MyRDPGroup), waited about 15 - 20 mins for replication.

On a already Azure AD Domain Service Joined VM using Group Policy management added the newly created group (MyRDPGroup) to the GPO policy that adds accounts to the Local Administrator group.

When added the GPO looked like below.

Waited about 15 - 20 mins for replication. Did a 'gpupdate /force' on member VM and reboot.

I was then able to login to any Azure AD Domain Service joined VM with credential for member of group (MyRDPGroup).

Just test right now and it still work. Hope this helps.

Related Solutions

Security – Remote Desktop Connection Denied because the user account is not authorized for remote login

Create a group policy that uses the restricted groups feature to place "Domain Users" in the "Remote Desktop Users" group. Apply that policy to your server, overriding the local policy. Log in as domain admin and make sure the policy refreshes. When you examine the remote desktop users group, verify that "domain users" has been placed in this group. Now, log off and test as one of your domain users.

Denying\Allowing Remote Desktop Users in Windows 2008 Server r2

Why if i deny Users group to remote desktop connection Administrators can't log in also?

This is the normal ACL behavior on Windows. DENY takes precedence over allows. If you deny all users, then all users will be denied. If you don't want some users to have access to something you need to remove the ACE that permits that group of users access.

As for maintenance i need for some hours to deny access to all users in the Remote Desktop Users and Allow Administrators only.

Instead of messing around with permissions, why not disable new connections by putting the terminal server into drain mode?

Adjust the drain-mode registry value with one of these options. Administrators will still be able to connect when using the /admin switch.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\TSServerDrainMode
0 = Allow all connections
1 = Allow reconnections, but prevent new logon until reboot
2 = Allow reconnections, but prevent new logon

You can also enable drain-mode through the GUI.

rdp drain mode

Best Answer

Related Solutions

Security – Remote Desktop Connection Denied because the user account is not authorized for remote login

Denying\Allowing Remote Desktop Users in Windows 2008 Server r2

Related Topic