I followed this little guide to get RDP working on my servers:
http://www.dannyeckes.com/server-2012-enable-remote-desktop-rdp-group-policy-gpo/
I'm wondering what exactly the A. and B. steps are doing.
Let's compare it to how I would manually enable Remote Desktop on a Windows machine:
Start -> Control Panel -> System -> Remote Settings -> Remote -> Allow connections -> Select Users
So here I would add a security group I have created, for example: mydomain\RDP.Users
Now, let's look at steps A. and B.
A. Group Policy -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on through Remote Desktop Services
This part makes sense. It seems like I am doing the same thing as above, simply adding "mydomain\RDP.Users" to the Allowed Users list. One strange, unexpected behavior, though: I had to specifically allow the "Administrators" group as well. I thought they were always allowed by default to connect to an RDP-enabled host?
B. Group Policy -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups
This part I don't understand at all. Why am I editing "Restricted" groups? Secondly, I add the "Remote Desktop Users" group here. Technically this shows up in the GPO summary as "BUILTIN\Remote Desktop Users".
Then I have to add "mydomain\RDP.Users" (and "Administrators") to the "BUILTIN\Remote Desktop Users" group? Why do I have to authorize these groups to connect, again? In two separate places? Why do I have to add them to this BUILTIN group?
Is this BUILTIN to the domain, or BUILTIN to the local host? Is "Remote Desktop Users" a local group that is built into every Windows machine that I have to populate with this AD group?
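Added example, not part of the question or of the linked guide: a PowerShell check to run on a target host that reads the two gates the question describes, the `SeRemoteInteractiveLogonRight` user right (step A, "Allow log on through Remote Desktop Services") and direct membership of the local `Remote Desktop Users` group (step B, the group that Restricted Groups populates; it is a built-in local group on every Windows host, well-known SID `S-1-5-32-555`), and reports whether a given principal passes. The default assignment of that right on a host is `Administrators` (`S-1-5-32-544`) and `Remote Desktop Users`, and a GPO User Rights Assignment replaces that list instead of appending to it, so a list containing only `mydomain\RDP.Users` drops the administrators; the `AdministratorsHaveRight` field surfaces that. The group name `mydomain\RDP.Users` is the one from the question; all function names are my own. Run it in an elevated session, because `secedit /export` requires it.

```powershell
# Added example (not from the question or the linked guide): evaluate both RDP
# authorization gates on the local host and report why a principal is or is not
# allowed to connect. Requires an elevated PowerShell session (secedit needs it).
# Uses ADSI rather than Get-LocalGroupMember so it also works on Server 2012,
# which lacks the LocalAccounts module.

$RemoteDesktopUsersSid = 'S-1-5-32-555'   # well-known SID of BUILTIN\Remote Desktop Users
$AdministratorsSid     = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-RemoteInteractiveLogonRightHolders {
    # Exports the effective local security policy and returns the SIDs (or names)
    # holding SeRemoteInteractiveLogonRight = "Allow log on through Remote Desktop Services".
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    if (Test-Path $cfg) { Remove-Item $cfg }
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # the right is assigned to nobody on this host
    # Entries look like "*S-1-5-32-544,*S-1-5-32-555"; the leading '*' marks a SID.
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { ConvertTo-Sid ($_.Trim().TrimStart('*')) }
}

function ConvertTo-Sid {
    param([string]$Account)
    # Accepts 'S-1-...' or 'DOMAIN\Name' and returns the SID string.
    if ($Account -match '^S-1-') { return $Account }
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function ConvertTo-AccountName {
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # orphaned SID (e.g. a deleted group) is reported as the raw SID
}

function Get-LocalGroupMemberSids {
    param([string]$GroupName)
    # Direct members of a local group only; nested domain-group membership is not expanded.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

function Test-RdpAuthorization {
    param([Parameter(Mandatory)][string]$Principal)   # e.g. 'mydomain\RDP.Users'
    $sid        = ConvertTo-Sid $Principal
    $holders    = @(Get-RemoteInteractiveLogonRightHolders)
    $rduMembers = @(Get-LocalGroupMemberSids 'Remote Desktop Users')

    # Gate A satisfied directly: the principal itself holds the user right.
    $direct = $holders -contains $sid
    # Gate A satisfied through gate B: the principal is in Remote Desktop Users,
    # and that group holds the right (the out-of-the-box configuration).
    $viaGroup = ($holders -contains $RemoteDesktopUsersSid) -and ($rduMembers -contains $sid)

    [PSCustomObject]@{
        Principal                  = $Principal
        RightHolders               = ($holders | ForEach-Object { ConvertTo-AccountName $_ }) -join ', '
        HasRightDirectly           = $direct
        InRemoteDesktopUsers       = $rduMembers -contains $sid
        RemoteDesktopUsersHasRight = $holders -contains $RemoteDesktopUsersSid
        AdministratorsHaveRight    = $holders -contains $AdministratorsSid   # false after a GPO that lists only RDP.Users
        CanConnect                 = $direct -or $viaGroup
    }
}

# Usage (group name taken from the question; adjust to your domain):
Test-RdpAuthorization -Principal 'mydomain\RDP.Users' | Format-List
```

Two caveats a practitioner would want: the group walk is direct membership only, so a user who reaches `Remote Desktop Users` through a nested domain group will not show as a member here, and the matching deny right (`SeDenyRemoteInteractiveLogonRight`, "Deny log on through Remote Desktop Services") overrides any allow and is not evaluated by this check.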