Dec 17 2011

Add Domain Users to local Remote Desktop Users group using Group Policy

Many times I had to configure a couple of users or admins to be able to do remote desktop on a bunch of machines, but I didn’t want to do this manually, so I turned to Group Policy. All I had to do, is create, configure and assign a Group Policy Object or GPO, and all those setting will replicate to the workstations affected by that GPO. Many admins believe that by adding those users to the Remote Desktop Users group in Active Directory Users and Computers their job is done, but when they try to connect is not working.

I’m going to show you how to do this in the right way, so let’s start. For this lab I already created five domain users and added those users to a Security Group in Active Directory called Remote Users. Now open Group Policy Management by going to Start > Administrative Tools > Group Policy Management. Here right click your domain name (in my case is vkernel.local), and choose Create a GPO in this domain, and link it here. Give your GPO a name and click OK. We are doing this for the hall domain, meaning all computers will be affected by this GPO.

Right click the new created GPO and choose Edit. The GPO Editor opens.

Expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.

Again, right click Restricted Groups and choose Add Group. In the Group box type Remote Desktop Users. Do not, I repeat do not click the Browse button because you will select the domain Remote Desktop Users, and we need the local one, the one that resides on every Windows client (XP, Vista, 7); I know is bit misleading. When you are done click OK.

The Properties of the new Restricted Group opens. Now we need to make the domain Remote Users group that we created earlier, member of this group, so click the Add button from Members of this group option.

Be careful, because using this option (Members of this group) will remove all members that might already exist in your Remote Desktop Users group (the one that resides on every workstation/server). If you just want to modify the members use the second option This group is a member of.

Now you can click the Browse button and search for the Remote Users group. When you are done click OK ’till the end.

The result will be that the domain Remote Users group is now part of the local Remote Desktop Users group on every client. Click OK.

Now go to a client and force the new policy to apply, either by restarting the client or issue the command from a command line.


You can see the results by opening Remote Desktop Users on one of the clients. On a Windows 7 machine right click Computer > Manage, expand System Tools > Local Users and Groups > Groups. Open the Properties of the Remote Desktop Users and you can see that the domain group Remote Users is part of this local group.

Now if you need to give a domain user permission to make a remote desktop connection all you need to do is make that user part of the Remote Users group and you are good to go.

Want content like this delivered right to your

email inbox?


Skip to comment form

  1. Mihai


    Few years later, your solution is still up and running! Thank You!
    I am asking myself, if you have now other solution to this topic?

    Thanks again!

    1. Adrian Costea

      Not right now, but I will write as they come along and hope I will have the time :). Let me known if you need anything specific and I will try to make it happen.

      Thanks for reading.

  2. Ling Tao

    Thanks a lot, it help me solving my problem.

    1. Adrian Costea

      Yes, I did it again!
      I’m glad the article helped you man.

  3. Michael

    I added some users manually to Remote Desktop Group the GPO remove them, there are one way to maintain the current configuration just adding the new?

    1. Adrian Costea

      Yes, it removes all the users from the local groups. If you still need those users or groups you will have to add them in the GPO.

  4. Alex

    Hi Adrian,
    thanks to your HowTo it managed it 😉
    But can you explain why it must have a GPO and additionally to this the membership is inherited from Restricted Groups? Do you have a link to some useful docs from MS?
    Thanks! Alex

    1. Adrian Costea

      Hi Alex,
      This is just the way it goes.

Leave a Reply to Oli Cancel reply

Your email address will not be published. Required fields are marked *