Duo removes user logon locally

I’m a long-time sysadmin with RDS systems. Now decided to add Duo for clients.

The issue is that in my dev lab, my RDS server works and works well.

Dev user can log on with no issues and use applications.

I have now installed Duo and configured it. After doing this, dev users start getting this error message: (Screenshot by Lightshot)

As soon as I remove Duo, my dev users can successfully log in.

I know my GPO and security policies for “logon locally” and “allow logon through remote desktop” are properly configured.

How can I fix this and what is causing Duo to not bugger up my systems like this?

Can’t view your screenshot, but if you receive “Logon failure: the user has not been granted the requested logon type at this computer” our advice is to double-check the two logon settings in both your local policy and any domain policies. Try running gpresult /r as one of the dev users if you didn’t already. This article has lots of details.
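The check suggested in the reply above, as an added example (not part of the original thread and not Duo's own tooling): it exports the user rights assigned on the RDS host with `secedit` and lists which accounts hold the two logon rights, plus the matching deny rights, for comparison with the group list that `gpresult /r` shows for the affected user. It assumes an elevated PowerShell session on the RDS host; the temp file name is arbitrary.

```powershell
# Added example: list who holds the logon rights on this host.
# Requires an elevated session, because secedit /export needs administrator rights.

$rights = [ordered]@{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

# Export only the user rights assignment area to a temporary .inf file.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # arbitrary file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg

foreach ($name in $rights.Keys) {
    # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $line = $lines | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    $accounts = @()
    if ($line) {
        $accounts = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*S-1-')) {
                $sid = $entry.Substring(1)
                try {
                    # Resolve the SID to DOMAIN\name where possible.
                    [System.Security.Principal.SecurityIdentifier]::new($sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch {
                    $sid   # unresolvable SID (deleted or unreachable account): show it raw
                }
            } else {
                $entry     # already written as an account name
            }
        }
    }
    # A right missing from the export is assigned to nobody.
    # A deny right that matches the user or one of their groups overrides the allow right.
    [pscustomobject]@{
        Right    = $name
        Policy   = $rights[$name]
        Accounts = if ($accounts) { $accounts -join '; ' } else { '(not assigned)' }
    }
}
```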

Hi and thanks for replying.

The user is in the correct group.

As soon as I remove Duo, the user can log on via RDP.

Well, clearly something is going on with that delegated permission (if that is in fact the error you get, unconfirmed as of yet in this thread because of the unviewable screenshot).

I invite you to open a case with Duo Support and the support engineer can review all your group policies and the delegated rights to the group(s) with you.