Exam MD-100 topic 4 question 1 discussion

B is correct

I agree that the answer is D. In the link suggested by the moderator (https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services) in the Counter Measure section near the bottom it actually states "For domain controllers, assign the Allow log on through Remote Desktop Services user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group." Which is the exact explaination of the differences between B and D

B. From the local Group Policy, modify the Allow log on through Remote Desktop Services user right. Explanation: By modifying the local Group Policy on Computer1 and adding [email protected] to the "Allow log on through Remote Desktop Services" user right, you grant the user the necessary permission to connect to Computer1 using Remote Desktop. This allows the user to establish a Remote Desktop session to the computer. Option D, creating a local user account and adding it to the Remote Desktop Users group, is not the most appropriate solution in an Azure AD joined scenario. While it could potentially work, modifying the Group Policy is the recommended method to manage Remote Desktop access permissions on Windows 10 computers joined to Azure AD.

Deez nuts

B cannot be correct you can not add an AzureAD user to a policy. However you can add an AzureAD account to the Remote Desktop Groups, which should be the preffered method see https://learn.microsoft.com/en-us/windows/client-management/client-tools/connect-to-remote-aadj-pc#add-users-to-remote-desktop-users-group This should be the correct answer for D instead of creating an additional account. If I get this question on my exam against my will I'll go for D...

CHATGPT group. Explanation: By default, Azure AD users do not have the necessary permissions to log on to a Windows 10 computer using Remote Desktop. To enable remote desktop access for a user in Azure AD, you must first create a local user account on the Windows 10 computer and add that user to the Remote Desktop Users group.

I would go with D. I can't assume that the user has been added to the remote desktop group because the question does not state this. Therefore the first thing I would do is to add the user to the RD group. My next step would be to then modify the user right to allow remote desktop login through local group policy. I tried so hard to find some type of material to back this up but failed greatly. I simply can't assume the user has already been added.. can someone PLEASE give a solid answer. Article included perhaps? This is killing me.

The answer is correct. Allow log on through Remote Desktop Services user right is assigned to Administrators and Remote Desktop Users group by Default. "To use Remote Desktop Services to successfully log on to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and be granted the Allow log on through Remote Desktop Services right." (https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services). If you open gpedit.msc and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment, you can add user or group directly in that policy. In this case you would add cantoso.com/[email protected] (domain/username)

B is correct, it ok to add an Azure AD account to Allow log on through Remote Desktop Services user right from local group policy as I tested.

Added a user to "Allow log..." and in the RDP allowed users it does not show up. Added same user to RD users group and in the RDP allowed users it does show up. According to this, the answer is D.

What would be the final answer and justification?

Answer is D : User1 didn't join the computer1 to Azure AD . 'You' did it. Si User1 is not a member of admin Group (rights given if he joined the computer to Azure AD). SO you have to add his Account to Remote Desktop user manually to allow him to use RDP.

Since D is the closest to net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user", that would be my choice.

None of these answers seem right, the user needs to be a member of the RD users group and it doesnt say if they are or not, adding a local user makes no sense. Modifying the log on through Remote Desktop Services shouldnt be needed either, that could mess things up for ADmins and RD users and I see no need to modify it anyway. Anyone got any more news on how this question is answered?

It's written that "You join Computer1 to Azure AD. You enable Remote Desktop on Computer1" meaning that 1. it's not user1 who join the computer but "you" and 2. that Remote Desktop has been enabled. For it to work, the RDP user must have rights. You do that by adding him to the Remote Desktop Users group (D). You MUST NOT "modify the Allow log on through Remote Desktop Services user right" since it contains already administrators and the Remote Desktop User group. You also do not have to create a new user (typo in the answer D) because the user is already created in AzureAD (first sentence). So you only have to add it to the group. Something like : net localgroup "Remote Desktop Users" /add "AzureAD\[email protected]". It worked for me in a test lab. But I could not find any way to do the same using graphical tools like Computer Manager / groups... So the best (not the good) answer is "D" for me.

B is correct as you can simply modify the Local group policy to add the user and allow RDP on the machine for the user.

B is the answer.