Add Domain Users to local Remote Desktop Users group using Group Policy
Many times I have had to configure a few users or admins to be able to use Remote Desktop on a bunch of machines, but I didn’t want to do this manually, so I turned to Group Policy. All I had to do was create, configure and assign a Group Policy Object (GPO), and all those settings replicate to the workstations affected by that GPO. Many admins believe that by adding those users to the Remote Desktop Users group in Active Directory Users and Computers their job is done, but when they try to connect it does not work.
I’m going to show you how to do this the right way, so let’s start. For this lab I already created five domain users and added them to a Security Group in Active Directory called Remote Users. Now open Group Policy Management by going to Start > Administrative Tools > Group Policy Management. Right click your domain name (in my case it is vkernel.local) and choose Create a GPO in this domain, and link it here. Give your GPO a name and click OK. We are doing this for the whole domain, meaning all computers will be affected by this GPO.
Right click the newly created GPO and choose Edit. The GPO Editor opens.
Expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
Again, right click Restricted Groups and choose Add Group. In the Group box type Remote Desktop Users. Do not, I repeat, do not click the Browse button, because you will select the domain Remote Desktop Users group, and we need the local one, the one that resides on every Windows client (XP, Vista, 7); I know it is a bit misleading. When you are done click OK.
The Properties of the new Restricted Group opens. Now we need to make the domain Remote Users group that we created earlier a member of this group, so click the Add button in the Members of this group section.
Now you can click the Browse button and search for the Remote Users group. When you are done, click OK until all the dialogs are closed.
The result will be that the domain Remote Users group is now part of the local Remote Desktop Users group on every client. Click OK.
Now go to a client and force the new policy to apply, either by restarting the client or by issuing this command from a command prompt:
gpupdate /force
You can see the results by opening Remote Desktop Users on one of the clients. On a Windows 7 machine right click Computer > Manage, then expand System Tools > Local Users and Groups > Groups. Open the Properties of the Remote Desktop Users group and you can see that the domain group Remote Users is part of this local group.
Now, if you need to give a domain user permission to make a remote desktop connection, all you need to do is make that user part of the Remote Users group and you are good to go.
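To run the same membership check across several clients instead of opening Computer Management on each one, here is an added example (not part of the original walkthrough) that reads the local group through the WinNT ADSI provider. The NetBIOS domain name VKERNEL, the computer names and the English group name are assumptions; adjust them to your environment.

```powershell
# Added example: audit the local "Remote Desktop Users" group on several clients.
# Assumptions: NetBIOS domain name VKERNEL, constructed computer names,
# English group name, and the caller is a local administrator on each client.

$Computers = 'CLIENT01', 'CLIENT02'      # constructed sample names
$Expected  = 'VKERNEL/Remote Users'      # domain group added by the GPO
$GroupName = 'Remote Desktop Users'

function Get-LocalGroupMemberPath {
    param([string]$Computer, [string]$Group)
    # The WinNT provider also works against XP/Vista/7 and needs no PowerShell remoting.
    $adsi = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($adsi.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://VKERNEL/Remote Users; strip the scheme.
        $path -replace '^WinNT://', ''
    }
}

$report = foreach ($c in $Computers) {
    try {
        $members = @(Get-LocalGroupMemberPath -Computer $c -Group $GroupName)
        [pscustomobject]@{
            Computer   = $c
            # True when the GPO has put the domain group into the local group.
            PolicyOK   = $members -contains $Expected
            # "Members of this group" in Restricted Groups replaces the local
            # membership, so any other entry means the policy has not applied
            # yet or the group was changed by hand since the last refresh.
            Unexpected = ($members | Where-Object { $_ -ne $Expected }) -join '; '
            Error      = $null
        }
    } catch {
        # Unreachable host, access denied, or a localized group name.
        [pscustomobject]@{
            Computer = $c; PolicyOK = $false; Unexpected = $null
            Error    = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize
```

A row with PolicyOK set to False and an empty Error column is a client where the GPO has not applied; run gpupdate /force there and check again.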









