(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'

I’m currently working on a hardening policy for:
(L1) Ensure “Allow log on through Remote Desktop Services” is set to “Administrators, Remote Desktop Users”.
Reference:

The recommended state for this setting is:
Administrators, Remote Desktop Users
I already have a GPO in place that enforces this configuration. However, when I create a Fixlet to remediate this setting, the Fixlet still shows as applicable even on machines where the policy is already configured exactly as recommended.

My relevance to detect if the recommendation is present is this:

not exists 1 whose (exists (concatenation ", " of (it as string) of ((number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0) of concatenation ", " of (it as string) of (exist matches (regex "S-1-5-32-(544|555)") of it) of component strings of sids of it) of accounts with privilege "SeRemoteInteractiveLogonRight") whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0))

Am I interpreting this correctly, or does the NOT at the beginning of the relevance cause it to evaluate the opposite of the recommendation?
In other words, is this relevance effectively checking that Administrators and Remote Desktop Users are NOT granted the “Allow log on through Remote Desktop Services” right, rather than confirming that they are set as recommended?

Appreciate any feedback.

I'm afraid the generated relevance on the checklists can be difficult to troubleshoot and to explain.

Rather than go through all the check logic, can you run these queries in the Fixlet Debugger, using "Local Client Evaluation Mode" on one of the affected machines? That should show which accounts our client sees with that right, and then we can check whether the machine is configured some way we don't expect.

(component strings of sids of it) of accounts with privilege "SeRemoteInteractiveLogonRight"

(sids of it) of accounts with privilege "SeRemoteInteractiveLogonRight"

As for the "NOT" at the front of the relevance, yes, that can be confusing too. Remember that we want the statement to return True ("The Fixlet Is Relevant") if the system does not meet the required configuration. This check should be relevant if the list of accounts with Remote Desktop rights does not match the expected account list exactly.

Edit: fixed extra closing parentheses
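
A Python model of the check discussed in this thread, added here as an example; it was not posted by any participant and is not the checklist's own code. It assumes the relevance reads as "at least one SID holds the right and every SID matches the regex", with the leading "not exists" inverting that into Fixlet applicability. The function names and sample SID lists are constructed.

```python
import re

# Same pattern as in the relevance. "exist matches (regex ...)" is unanchored,
# so re.search (not re.fullmatch) is the closest equivalent.
ALLOWED = re.compile(r"S-1-5-32-(544|555)")
RECOMMENDED = {"S-1-5-32-544", "S-1-5-32-555"}


def is_compliant(sids):
    """Inner 'whose' clause: at least one SID, and none fails the regex."""
    flags = [bool(ALLOWED.search(sid)) for sid in sids]
    return len(flags) > 0 and flags.count(False) == 0


def fixlet_relevant(sids):
    """Leading 'not exists': True means the Fixlet applies (non-compliant)."""
    return not is_compliant(sids)


def exact_match(sids):
    """Stricter hypothetical check: holders are exactly the two groups."""
    return set(sids) == RECOMMENDED


# Constructed stand-ins for the output of
# (component strings of sids of it) of accounts with privilege "SeRemoteInteractiveLogonRight"
SAMPLES = {
    "recommended": ["S-1-5-32-544", "S-1-5-32-555"],
    "extra domain group": ["S-1-5-32-544", "S-1-5-32-555",
                           "S-1-5-21-1111111111-2222222222-3333333333-1105"],
    "administrators only": ["S-1-5-32-544"],
    "nobody": [],
    # Constructed lookalike: passes only because the regex is unanchored.
    "lookalike suffix": ["S-1-5-32-5551"],
}


def report():
    """Map each sample name to (fixlet_relevant, exact_match)."""
    return {name: (fixlet_relevant(sids), exact_match(sids))
            for name, sids in SAMPLES.items()}


if __name__ == "__main__":
    for name, (relevant, exact) in report().items():
        print(f"{name:22} fixlet relevant={relevant!s:5} exact match={exact}")
```

Under this reading, a machine where only Administrators holds the right is not flagged, so the check behaves as "no account outside the two groups" rather than as a strict two-member equality.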

Thank you for your response. I ran the query on one of the affected machines, and it worked as expected. When there are more than the 2 SIDs 544 and 555, it returns TRUE, but if only the ones that the relevance looks for are present, the relevance is FALSE.

Do you have a license for the Compliance product?

You can subscribe to the CIS Checklist that contains those checks and remediations.

Yes, but for some reason I wouldn’t understand the logic. It’s all good! Thank you all!

@caslacapo to which operating system are you trying to apply that setting?