I have a Windows Server 2012 R2 domain controller on the LAN, with a mix of OS versions from Windows 2000 through Windows 10, plus IOS and Linux.
I am trying to sort this out, and part of it is creating an AD policy that enables RDP on systems that already have RDP installed. But it does not always work.
Something always seems to be off, and I get the usual RDP "blank error" message: Remote desktop can't connect to the remote computer for one of these reasons... Even on machines where it was working fine, it stops working for no obvious reason, for example after reinstalling drivers following a reboot. The machine can be pinged, but the RDP service does not respond.
So my question is: what is the best practice for enabling RDP using policy?
Below is the "Save Report..." output for that policy, cleaned up for public viewing. What else can I add so that RDP does what it needs to do to keep working?
Note: this is a computer-object-based policy. There are currently three test machines in the security filtering group, and as mentioned above, RDP reliability is intermittent.
Enable RDP Policy
Data collected on: 4/12/2019 2:33:22 PM

General
  Details
    Domain               WidgetsInc.local
    Owner                WidgetsInc\Domain Admins
    Created              4/11/2019 3:59:38 PM
    Modified             4/12/2019 2:33:16 PM
    User Revisions       0 (AD), 0 (SYSVOL)
    Computer Revisions   24 (AD), 24 (SYSVOL)
    Unique ID            {12345678-1234-1234-1234-123456789012}
    GPO Status           Enabled
  Links
    Location     Enforced   Link Status   Path
    WidgetsInc   No         Enabled       WidgetsInc.local
  Security Filtering
    Name
    WidgetsInc\Enable RDP Group
    NT AUTHORITY\Authenticated Users
  Delegation
    Name                                          Allowed Permissions                       Inherited
    WidgetsInc\Domain Admins                      Edit settings, delete, modify security    No
    WidgetsInc\Enable RDP Group                   Read (from Security Filtering)            No
    WidgetsInc\Enterprise Admins                  Edit settings, delete, modify security    No
    NT AUTHORITY\Authenticated Users              Read (from Security Filtering)            No
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS    Read                                      No
    NT AUTHORITY\SYSTEM                           Edit settings, delete, modify security    No

Computer Configuration (Enabled)
  Policies
    Windows Settings
      Security Settings
        Windows Firewall with Advanced Security
          Global Settings
            Policy                    Setting
            Policy version            2.22
            Disable stateful FTP      Not Configured
            Disable stateful PPTP     Not Configured
            IPsec exempt              Not Configured
            IPsec through NAT         Not Configured
            Preshared key encoding    Not Configured
            SA idle time              Not Configured
            Strong CRL check          Not Configured
          Inbound Rules
            Name                      Enable port 3389 for RDP
            Description
            Enabled                   True
            Program                   Any
            Action                    Allow
            Security                  Require authentication
            Authorized computers
            Authorized users
            Protocol                  6
            Local port                3389
            Remote port               Any
            ICMP settings             Any
            Local scope               Any
            Remote scope              Any
            Profile                   Domain
            Network interface type    All
            Service                   All programs and services
            Allow edge traversal      False
            Group
          Connection Security Settings
    Administrative Templates
      Policy definitions (ADMX files) retrieved from the local computer.
      Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
        Policy                                                                                        Setting   Comment
        Allow users to connect remotely by using Remote Desktop Services                              Enabled
      Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
        Policy                                                                                        Setting   Comment
        Require user authentication for remote connections by using Network Level Authentication     Enabled
  Preferences
    Control Panel Settings
      Services
        Service (Name: TermService)
          TermService (Order: 1)
            General
              Service name                          TermService
              Action                                Start service
              Startup type:                         Automatic
              Wait timeout if service is locked:    30 seconds
            Service Account
              Log on service as:                    NT AUTHORITY\Network Service
            Recovery
              First failure:                        Restart the service
              Second failure:                       No change
              Subsequent failures:                  No change
              Reset fail count after:               0 days
              Restart service after:                1 minute
            Common
              Options
                Stop processing items on this extension if an error occurs on this item    No
                Apply once and do not reapply                                              No

User Configuration (Enabled)
  No settings defined.
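As an added example (not part of the original question or the GPO report above), this PowerShell check, run elevated on one of the test machines, compares what is actually in effect against what the report says the policy should produce: the RDP allow setting, the NLA requirement, the TermService state, an enabled inbound allow rule for TCP 3389 in the active firewall store, and the network profile the NIC landed in. It assumes Windows 8.1/2012 R2 or later for the NetSecurity and NetTCPIP cmdlets, and uses standard Windows registry paths; the rule name and Domain-only profile come from the report.

```powershell
# Added example, not from the original post: verify on a client that the "Enable RDP Policy"
# GPO settings are in effect. Requires an elevated prompt on Windows 8.1 / 2012 R2 or later.

$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'   # values written by the GPO
$loc = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'           # local (non-policy) values

function Get-RegValue($path, $name) {
    (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
}

$result = [ordered]@{}

# 1. "Allow users to connect remotely" -> fDenyTSConnections = 0 (policy key takes precedence)
$deny = Get-RegValue $pol 'fDenyTSConnections'
if ($null -eq $deny) { $deny = Get-RegValue $loc 'fDenyTSConnections' }
$result['RDP enabled (fDenyTSConnections=0)'] = ($deny -eq 0)

# 2. "Require NLA" -> UserAuthentication = 1. Clients without CredSSP support
#    (e.g. Windows 2000) cannot connect to a host that requires NLA.
$nla = Get-RegValue $pol 'UserAuthentication'
if ($null -eq $nla) { $nla = Get-RegValue "$loc\WinStations\RDP-Tcp" 'UserAuthentication' }
$result['NLA required (UserAuthentication=1)'] = ($nla -eq 1)

# 3. TermService preference item: running, Automatic, logging on as Network Service
$svc = Get-CimInstance Win32_Service -Filter "Name='TermService'"
$result['TermService running']   = ($svc.State -eq 'Running')
$result['TermService automatic'] = ($svc.StartMode -eq 'Auto')
$result['TermService account']   = $svc.StartName

# 4. Enabled inbound allow rule for TCP 3389 in the ActiveStore (includes GPO-delivered rules)
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains '3389'
    }
$result['Inbound allow rule for TCP 3389'] = (@($rules).Count -gt 0)
$result['Firewall rule profiles'] = (@($rules) | ForEach-Object { $_.Profile }) -join ','

# 5. The GPO rule is scoped to the Domain profile only. If the NIC is classified Private or
#    Public (possible right after a reboot, before the DC is reachable), that rule does not apply.
$result['Network category'] = (Get-NetConnectionProfile | ForEach-Object { $_.NetworkCategory }) -join ','

# 6. Is anything actually listening on 3389?
$result['Listening on 3389'] = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

[pscustomobject]$result | Format-List
```

A machine that pings but shows "Network category: Private" or no TCP 3389 rule in the ActiveStore is blocked by the firewall rather than by RDP itself, which is worth distinguishing before changing the policy.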