A common use-case for remote / WFH users is using RDP over VPN.

But RDP in a domain generally requires Domain Admin rights, opening up your critical servers to potential hazards. (Yes, I’m looking at you, Dan from Accounting.)

An article from Windows OS Hub, though, spells out the atomic Windows permissions that are actually required:

  • Membership of the Remote Desktop Users group;
  • AND! the SeRemoteInteractiveLogonRight user right.

There’s an entire gpedit.msc setup for this to be done correctly; and of course, maintaining clean OUs is not easy, especially with a backup Domain Controller that may not sync right. Not to mention the limit of 2 RDP sessions for non-RDS servers.
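To check whether a given account actually satisfies both requirements on a server before opening a ticket, here is an audit script. It is an added example, not code from the original post or from the Windows OS Hub article. It assumes Windows Server 2016 / Windows 10 or later (for Get-LocalGroupMember), an elevated PowerShell session on the target server, and a placeholder account name (CONTOSO\dan.accounting) that you replace with the real one. It reads the effective user rights with secedit, which is the same policy gpedit.msc edits, and also reports the "Deny log on through Remote Desktop Services" right (SeDenyRemoteInteractiveLogonRight), because a deny always overrides the allow.

```powershell
# Added example (not from the original post or the Windows OS Hub article).
# Audits whether an account meets both RDP logon requirements on THIS server:
#   1. membership of the local "Remote Desktop Users" group, and
#   2. the SeRemoteInteractiveLogonRight user right
#      (gpedit: "Allow log on through Remote Desktop Services").
# It also flags SeDenyRemoteInteractiveLogonRight, which wins over the allow.
# Run from an elevated PowerShell prompt on the target server.
param(
    [string]$Account = 'CONTOSO\dan.accounting'   # placeholder account, replace it
)

# --- Requirement 1: direct membership of Remote Desktop Users -------------
# Note: nested domain groups are not expanded here; a user who reaches the
# group only through another group is reported as "not a member".
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction Stop
$inGroup = [bool]($members | Where-Object { $_.Name -ieq $Account })

# --- Requirement 2: effective user rights from the local security policy ---
# secedit exports the resolved policy (local settings plus applied GPOs)
# as an INF file; the USER_RIGHTS area holds lines such as
#   SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
$inf = Join-Path $env:TEMP 'rdp-rights-audit.inf'   # constructed temp path
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $inf
Remove-Item -Path $inf -ErrorAction SilentlyContinue

function Get-RightSids {
    # Returns the SIDs granted a given user right, without the '*' prefix.
    param([string]$Right)
    $line = $policy | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    $value = ($line -split '=', 2)[1].Trim()
    if (-not $value) { return @() }
    return @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
}

$allowSids = Get-RightSids 'SeRemoteInteractiveLogonRight'
$denySids  = Get-RightSids 'SeDenyRemoteInteractiveLogonRight'

# The right may be granted to the user directly or via Remote Desktop Users,
# whose well-known SID is S-1-5-32-555. Resolve the account to its SID.
try {
    $acctSid = (New-Object System.Security.Principal.NTAccount($Account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    throw "Cannot resolve account '$Account' to a SID: $($_.Exception.Message)"
}
$candidateSids = @($acctSid)
if ($inGroup) { $candidateSids += 'S-1-5-32-555' }

$hasAllow = [bool]($allowSids | Where-Object { $candidateSids -contains $_ })
$hasDeny  = [bool]($denySids  | Where-Object { $candidateSids -contains $_ })

# Both conditions from the post must hold, and no deny may apply.
[PSCustomObject]@{
    Account                      = $Account
    InRemoteDesktopUsers         = $inGroup
    HasRemoteInteractiveLogon    = $hasAllow
    DeniedRemoteInteractiveLogon = $hasDeny
    CanLogOnViaRDP               = ($inGroup -and $hasAllow -and -not $hasDeny)
}
```

If the user is in the group but HasRemoteInteractiveLogon comes back false, a GPO has overwritten the default right on that server (the default grants it to Administrators and Remote Desktop Users), which is the usual symptom of the OU and replication problems mentioned above. To fix it, add the group back under Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment, "Allow log on through Remote Desktop Services"; adding the user to the group (Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $Account) covers the first requirement only.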

If you’re having any of these issues, just drop me a line and we’ll get you sorted!