Dec 17 2011

Add Domain Users to local Remote Desktop Users group using Group Policy

Many times I have had to configure a couple of users or admins to be able to use Remote Desktop on a bunch of machines, but I didn’t want to do this manually, so I turned to Group Policy. All I had to do was create, configure and assign a Group Policy Object (GPO), and all those settings replicate to the workstations affected by that GPO. Many admins believe that by adding those users to the Remote Desktop Users group in Active Directory Users and Computers their job is done, but when the users try to connect, it does not work.

I’m going to show you how to do this the right way, so let’s start. For this lab I already created five domain users and added those users to a security group in Active Directory called Remote Users. Now open Group Policy Management by going to Start > Administrative Tools > Group Policy Management. Here, right click your domain name (in my case vkernel.local) and choose Create a GPO in this domain, and Link it here. Give your GPO a name and click OK. We are doing this for the whole domain, meaning all computers will be affected by this GPO.

Right click the newly created GPO and choose Edit. The GPO Editor opens.

Expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.

Again, right click Restricted Groups and choose Add Group. In the Group box type Remote Desktop Users. Do not, I repeat, do not click the Browse button, because you will select the domain Remote Desktop Users group, and we need the local one, the one that resides on every Windows client (XP, Vista, 7); I know it is a bit misleading. When you are done click OK.

The Properties of the new Restricted Group open. Now we need to make the domain Remote Users group that we created earlier a member of this group, so click the Add button in the Members of this group section.

Be careful, because using this option (Members of this group) will remove all members that might already exist in your Remote Desktop Users group (the one that resides on every workstation/server). If you just want to modify the members, use the second option, This group is a member of.

Now you can click the Browse button and search for the Remote Users group. When you are done, click OK until all the dialogs are closed.

The result will be that the domain Remote Users group is now part of the local Remote Desktop Users group on every client. Click OK.

Now go to a client and force the new policy to apply, either by restarting the client or by issuing the command from a command line.


You can see the results by opening Remote Desktop Users on one of the clients. On a Windows 7 machine right click Computer > Manage, then expand System Tools > Local Users and Groups > Groups. Open the Properties of the Remote Desktop Users group and you can see that the domain group Remote Users is part of this local group.

Now if you need to give a domain user permission to make a remote desktop connection all you need to do is make that user part of the Remote Users group and you are good to go.
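
To confirm the result from a shell instead of the Computer Management console, the following added example (not part of the original article) refreshes computer policy on a client and compares the local Remote Desktop Users membership with what the GPO should enforce. It assumes an elevated Windows PowerShell prompt and that the domain's NetBIOS name is VKERNEL; the article only gives the DNS name vkernel.local.

```powershell
# Added example: check the local Remote Desktop Users group on a client
# after the Restricted Groups GPO has been applied.
# Assumption: NetBIOS domain name VKERNEL (the article only shows vkernel.local).
$ExpectedMembers = @('VKERNEL\Remote Users')
$LocalGroup      = 'Remote Desktop Users'

# Reprocess computer policy now instead of waiting for the background refresh.
gpupdate /target:computer /force | Out-Null

# Enumerate the local group through the WinNT ADSI provider.
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/$LocalGroup,group"
$actual = @($group.psbase.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    # Domain principals: WinNT://DOMAIN/Name
    # Local principals:  WinNT://DOMAIN/COMPUTER/Name
    # Orphaned SIDs:     WinNT://S-1-5-21-...
    $parts = @($path.Substring(8) -split '/')
    if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] } else { $parts[0] }
})

# "Members of this group" replaces the membership, so anything outside the
# expected list means the policy has not applied or the group was changed.
$missing    = @($ExpectedMembers | Where-Object { $actual -notcontains $_ })
$unexpected = @($actual | Where-Object { $ExpectedMembers -notcontains $_ })

New-Object PSObject -Property @{
    Computer   = $env:COMPUTERNAME
    Members    = $actual -join '; '
    Missing    = $missing -join '; '
    Unexpected = $unexpected -join '; '
    Compliant  = ($missing.Count -eq 0) -and ($unexpected.Count -eq 0)
} | Select-Object Computer, Compliant, Members, Missing, Unexpected
```

A non-empty Unexpected column on a client where the GPO applies is worth investigating, since every entry there is an account or group that can log on over Remote Desktop without being in the Remote Users group.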


  1. Kathy

    Awesome, thanks so much! Saved me a lot of time =)

    1. Adrian Costea

      I’m glad it helped 🙂

  2. Marco

    It worked.


    1. Adrian Costea

      You’re welcome.

  3. Frank Man

    Thank you so much, this is really helpful.

  4. Sandy

    Awesome… Thank you, it worked

    1. Adrian Costea

      You’re welcome 🙂

  5. Alireza

    Thanks for this helpful tutorial.
    It solved my problem.

  6. Andrew

    Hi Adrian,

    I have a couple things to comment on this.

    Firstly, the “Restricted Groups” GP method does not work in Server 2012.

    Secondly, when using the “Add button from Members of this group option” you are modifying the local security group on all clients, meaning any previous membership you have added manually to clients will be stripped out and replaced with whatever you use above.

    A better way to achieve what you want to do is either to use Group Policy Preferences, which do not strip away existing group membership, or, if you must use “Restricted Groups”, to use the Add button from the This group is a member of option, so that you end up with your custom group a member of the “Remote Desktop Users” group.

    I hope this helps.

    1. Adrian Costea

      Hi Andrew,
      To answer your questions:

      Firstly, the “Restricted Groups” GP method does not work in Server 2012.
      It is not just working, it is working flawlessly. If it is not working for you, it is because you did something wrong.

      …when using the “Add button from Members of this group option” you are modifying the local security group on all clients…
      Yes, you are right, but this is how Microsoft made it work. Plus, you have to test this in a lab and see how it goes for you, not put it in production from the start.

      A better way to achieve what you want to do, is either use group policy preferences…
      You are right here too. But what if you have older clients, like XP or 2000? GPO Preferences are not working on XP unless you install the Client Side Extension package, and that’s another step for admins to do. I’m working on an article that describes this process.

      Let me know if you have any other questions. Cheers…

      1. Emil

        Hi Adrian, thanks for this post. Very helpful. I want to say something. I did it 3 times but it did not work for me because I linked the GPO to my OU where no computers reside. On the 3rd time I got it, and linked it to the domain. I think Andrew maybe did it how I did, by linking it to an OU.
        Thanks again for your work.

        1. Adrian Costea

          Well yeah… you need to have some computers in the OU for it to work. Glad you figured it out.

  7. Antonio

    Hi! It works…

    Thank you guy. I solved my problem

    1. Adrian Costea

      You’re welcome…

  8. Oli

    Hi, in the 2nd paragraph you say you added the 5 users to the group Remote Users, but the screenshot shows the built-in group Remote Desktop Users. Is it the built-in group you add the users to, or do you make a new group simply called Remote Users?

    1. Adrian Costea


      Yes, I created a group named Remote Users because I did not want to add those five users directly to the Remote Desktop Users group; it is just not my way of working. When I have more than two users I always create a group, and add those users to the group.

  9. Nick

    I have been searching the web for a very long time looking for the correct way to do this. I have made a ton of GPO changes and nothing worked. I gave your method a try and BINGO!! I am in business. Thank you.

    1. Adrian Costea

      I’m glad it worked out.

  10. Thibault

    I checked several articles and a lot were imprecise / not relevant…
    Here is the good solution! Thank you guy, I solved my problem thanks to your article.

    1. Adrian Costea

      I’m glad it helped.
