Many times I had to configure a couple of users or admins to be able to do remote desktop on a bunch of machines, but I didn’t want to do this manually, so I turned to Group Policy. All I had to do, is create, configure and assign a Group Policy Object or GPO, and all those setting will replicate to the workstations affected by that GPO. Many admins believe that by adding those users to the Remote Desktop Users group in Active Directory Users and Computers their job is done, but when they try to connect is not working.
I’m going to show you how to do this in the right way, so let’s start. For this lab I already created five domain users and added those users to a Security Group in Active Directory called Remote Users. Now open Group Policy Management by going to Start > Administrative Tools > Group Policy Management. Here right click your domain name (in my case is vkernel.local), and choose Create a GPO in this domain, and link it here. Give your GPO a name and click OK. We are doing this for the hall domain, meaning all computers will be affected by this GPO.
Right click the new created GPO and choose Edit. The GPO Editor opens.
Expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
Again, right click Restricted Groups and choose Add Group. In the Group box type Remote Desktop Users. Do not, I repeat do not click the Browse button because you will select the domain Remote Desktop Users, and we need the local one, the one that resides on every Windows client (XP, Vista, 7); I know is bit misleading. When you are done click OK.
The Properties of the new Restricted Group opens. Now we need to make the domain Remote Users group that we created earlier, member of this group, so click the Add button from Members of this group option.
Be careful, because using this option (Members of this group) will remove all members that might already exist in your Remote Desktop Users group (the one that resides on every workstation/server). If you just want to modify the members use the second option This group is a member of.
Now you can click the Browse button and search for the Remote Users group. When you are done click OK ’till the end.
The result will be that the domain Remote Users group is now part of the local Remote Desktop Users group on every client. Click OK.
Now go to a client and force the new policy to apply, either by restarting the client or issue the command from a command line.
You can see the results by opening Remote Desktop Users on one of the clients. On a Windows 7 machine right click Computer > Manage, expand System Tools > Local Users and Groups > Groups. Open the Properties of the Remote Desktop Users and you can see that the domain group Remote Users is part of this local group.
Now if you need to give a domain user permission to make a remote desktop connection all you need to do is make that user part of the Remote Users group and you are good to go.
Want content like this delivered right to your