Add Domain Users to local Remote Desktop Users group using Group Policy

Many times I have had to configure a couple of users or admins to be able to do remote desktop on a bunch of machines, and I didn’t want to do this manually, so I turned to Group Policy. All I had to do was create, configure and assign a Group Policy Object (GPO), and all those settings are applied to the workstations affected by that GPO. Many admins believe that by adding those users to the Remote Desktop Users group in Active Directory Users and Computers their job is done, but when the users try to connect, it does not work.

I’m going to show you how to do this the right way, so let’s start. For this lab I already created five domain users and added those users to a Security Group in Active Directory called Remote Users. Now open Group Policy Management by going to Start > Administrative Tools > Group Policy Management. Here, right click your domain name (in my case it is vkernel.local) and choose Create a GPO in this domain, and link it here. Give your GPO a name and click OK. We are doing this for the whole domain, meaning all computers will be affected by this GPO.

Right click the newly created GPO and choose Edit. The GPO Editor opens.

Expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.

Again, right click Restricted Groups and choose Add Group. In the Group box type Remote Desktop Users. Do not, I repeat, do not click the Browse button, because you will select the domain Remote Desktop Users group, and we need the local one, the one that resides on every Windows client (XP, Vista, 7); I know it is a bit misleading. When you are done click OK.

The Properties of the new Restricted Group opens. Now we need to make the domain Remote Users group that we created earlier a member of this group, so click the Add button in the Members of this group section.

Be careful, because using this option (Members of this group) will remove all members that might already exist in your Remote Desktop Users group (the one that resides on every workstation/server). If you just want to modify the members, use the second option, This group is a member of.

Now you can click the Browse button and search for the Remote Users group. When you are done click OK ’till the end.

The result will be that the domain Remote Users group is now part of the local Remote Desktop Users group on every client. Click OK.

Now go to a client and force the new policy to apply, either by restarting the client or by issuing this command from a command line:

gpupdate /force


You can see the results by opening Remote Desktop Users on one of the clients. On a Windows 7 machine right click Computer > Manage, expand System Tools > Local Users and Groups > Groups. Open the Properties of the Remote Desktop Users and you can see that the domain group Remote Users is part of this local group.
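To run the same check from an admin workstation instead of opening Computer Management on each client, here is an added example (not part of the original post) that compares the local Remote Desktop Users group on several clients with the membership the GPO should enforce. The NetBIOS domain name VKERNEL, the computer names, and PowerShell remoting being enabled on the clients are assumptions.

```powershell
# Added example: audit local "Remote Desktop Users" membership against the GPO's intent.
# Assumptions: NetBIOS domain name VKERNEL (the post only gives vkernel.local),
# WinRM/PowerShell remoting enabled, Windows PowerShell 5.1 on the clients.
$Expected  = @('VKERNEL\Remote Users')   # what "Members of this group" should leave in place
$Computers = @('PC-01', 'PC-02')         # constructed sample computer names

function Compare-RdpMembership {
    param(
        [string[]]$Actual,    # member names found in the local group
        [string[]]$Expected   # member names the Restricted Groups policy enforces
    )
    # -notcontains is case-insensitive, which matches how account names behave
    $missing    = @($Expected | Where-Object { $Actual -notcontains $_ })
    $unexpected = @($Actual   | Where-Object { $Expected -notcontains $_ })
    [pscustomobject]@{
        Missing    = $missing
        Unexpected = $unexpected
        Compliant  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

foreach ($computer in $Computers) {
    try {
        # @(...) keeps an empty group as an empty array instead of $null
        $actual = @(Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            # S-1-5-32-555 is the well-known SID of the local Remote Desktop Users group,
            # so the lookup also works on clients with a localized group name
            Get-LocalGroupMember -SID 'S-1-5-32-555' | Select-Object -ExpandProperty Name
        })
        $result = Compare-RdpMembership -Actual $actual -Expected $Expected
        [pscustomobject]@{
            Computer   = $computer
            Compliant  = $result.Compliant
            Missing    = $result.Missing -join ', '      # GPO not applied yet
            Unexpected = $result.Unexpected -join ', '   # someone else can log on over RDP
        }
    }
    catch {
        # Unreachable client or failed query: report it rather than assume compliance
        [pscustomobject]@{
            Computer = $computer; Compliant = $null; Missing = ''
            Unexpected = "query failed: $($_.Exception.Message)"
        }
    }
}
```

An entry under Unexpected after a policy refresh means the client is not receiving the GPO, or the membership was changed since the last refresh.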

Now if you need to give a domain user permission to make a remote desktop connection all you need to do is make that user part of the Remote Users group and you are good to go.


30 thoughts on “Add Domain Users to local Remote Desktop Users group using Group Policy”

  • 17/03/2019 at 23:10


    A few years later, your solution is still up and running! Thank you!
    I am asking myself if you now have another solution to this topic?

    Thanks again!

    • 22/03/2019 at 09:22

      Not right now, but I will write as they come along and hope I will have the time :). Let me know if you need anything specific and I will try to make it happen.

      Thanks for reading.

  • 25/10/2017 at 05:35

    Thanks a lot, it helped me solve my problem.

  • 01/06/2017 at 17:12

    I added some users manually to the Remote Desktop group and the GPO removed them. Is there a way to maintain the current configuration and just add the new ones?

    • 06/06/2017 at 06:44

      Yes, it removes all the users from the local groups. If you still need those users or groups you will have to add them in the GPO.

  • 10/03/2017 at 11:42

    Hi Adrian,
    thanks to your HowTo I managed it 😉
    But can you explain why it must have a GPO and, in addition to this, why the membership is inherited from Restricted Groups? Do you have a link to some useful docs from MS?
    Thanks! Alex

