Thursday, September 26, 2013

FIX - RDP Session Disconnecting Randomly

We had an issue where domain users would lose their RDP connections randomly.

In our SOE, Remote Desktop is disabled by default, and by design we only want to enable it for machines that are joined to the domain and receiving our Computer policies. Those policies also define specific Domain Security Groups that are members of the "BUILTIN\Remote Desktop Users" group, allowing only specific users to use Remote Desktop Connections.

We asked some of the affected users to take note of the time when the issue occurred.
Looking at the event log at the given times, no errors or warnings were found, but we did notice that a large number of SceCli informational events were taking place. As per this MS Knowledge Article, the processing of the Security Setting Extension is how the Security policies are implemented on the machine.

This drove us to think that this issue was caused by the GPO refresh cycles.
When the refresh takes place, the security policies registry key gets deleted and then rewritten, which leaves the machines, for a brief moment, without policy settings, which in turn causes the users to lose their remote desktop connections. This can actually be seen in the GPSVC.log.



Since the registry value that controls the Remote Desktop feature is written to a different location when applied by the Policies than when applied by the Operating System, the refresh mechanism would cause the O.S. setting to be the only one present and enforced at the time when the users were getting disconnected.

Here are both locations for the fDenyTSConnections value:

O.S. value location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections


Group Policies value location: 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections

After manually setting the O.S. registry value to 0, the problem disappeared.
To automate this fix permanently across the whole platform, we added this registry entry to our policies.

As a result, when the policy refresh occurs, RDC rights are no longer lost, and our restricted group policy setting still ensures that only users of the "BUILTIN\Remote Desktop Users" group are authorized to use RDC.
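To check a machine for the state described above, the following added example (not part of the original post) reads fDenyTSConnections at both locations, flags the mismatch, and lists who can connect once the O.S. value is 0. It assumes Windows PowerShell 5.1 run elevated and that the SceCli events are in the Application log; Get-DenyTsValue is a hypothetical helper name.

```powershell
# Added example: compare fDenyTSConnections at the two locations named in the post.
$locations = [ordered]@{
    OS     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
}

function Get-DenyTsValue {
    param([string]$Path)
    # Returns $null when the key or value is absent (for example mid policy refresh).
    $item = Get-ItemProperty -Path $Path -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.fDenyTSConnections
}

$os     = Get-DenyTsValue $locations['OS']
$policy = Get-DenyTsValue $locations['Policy']

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    OSValue     = $os
    PolicyValue = if ($null -eq $policy) { '<absent>' } else { $policy }
    # The state the post describes: policy allows RDP (0) while the O.S. value
    # still denies it, so any moment without the policy value drops sessions.
    AtRisk      = ($policy -eq 0 -and $os -ne 0)
}

# With the O.S. value at 0, group membership is the control that limits access,
# so review it: only the intended domain security groups should appear here.
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object Name, ObjectClass, PrincipalSource

# Recent SceCli events, to correlate with the disconnect times users reported.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SceCli' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

On a non-English Windows installation the "Remote Desktop Users" group name is localized, so the group lookup needs the local name.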
