Look for point in the right direction

[bbbngowc]

Hi,

On our Windows 2003 Domain there seems to be a group policy or something that is disabling remote desktop connections to the servers. The option is disabled in the "Remote" tab of Computer Properties and so I have to go to the registry, manually changed the deny setting and then users can connect. But once the server updates it's locked out again.

I went through all of the GPs on the Domain and I can't find anything related to Remote Desktop or Terminal Services.

How can I find what is causing this to happen?

[cluberti]

Log into a server where the setting is disabled, and run rsop.msc to see what policies are being applied, and from where. If it's not a group policy, you'll probably have to use process monitor with a filter to watch that specific reg key to see who or what is overwriting it with the "bad" value (you can set it read only and remove everyone but your account's permission to the key holding the value as well, so that procmon catches an access denied rather than an overwrite - you catch the culprit, and the value doesn't get overwritten.

[PC_LOAD_LETTER]

I set the following in a GPo so youll wanna check these in rsop.msc

Computer Configuration->Windows Settings->Security Settings->System Services

Terminal Services (Startup Mode: Automatic)

Computer Configuration->Windows Settings->Security Settings->Restricted Groups

Group = USER/GROUP_YOU_WANT_TO_GRANT_ACCESS_REMOTELY

Member of=BUILTIN\Remote Desktop Users

Computer Configuration->Administrative Templates->Windows Components/Terminal Services

Allow users to connect remotely using Terminal Services->Enabled

[bbbngowc]

The problem is the "Local Group Policy" keeps setting the option to disabled. I went to gpedit.msc and changed the option back to "Not Configured" or "Enabled" however, in a matter of hours, this option is set to disabled again.

How can I find the Local Group Policy that's causing this?

[cluberti]

The problem is the "Local Group Policy" keeps setting the option to disabled. I went to gpedit.msc and changed the option back to "Not Configured" or "Enabled" however, in a matter of hours, this option is set to disabled again.

How can I find the Local Group Policy that's causing this?

Assuming after the setting is reset, your local group policy is still set to 'Enabled', run rsop.msc to see what policy is setting it. If the local policy isn't (or wasn't the only policy setting it), you should be able to use rsop.msc (as I mentioned previously) to find it. Otherwise, you can try to run gpresult /z to try and find the culprit once the setting is disabled again.