Print Friendly
Show Extras

Since my ESX lab is all virtual I don’t have any monitors connected to my servers. The best way to manage these servers is by connecting remotely. I want to be able to remote onto all my computers but limit which users can remote onto these machines. The best way to do this is through a group policy that sets this up on all machines.

My GPO will need to do the following:

  • Enable Remote Desktop Service
  • Open the Firewall to allow Remote Desktop
  • Disallow local admins from making changes
  • Only allow certain users to logon remotely.

Create a Security Group

I want only members of a specific security group to use remote desktop. I need to create a group for these users to be a member of.

  1. Open up Active Directory Users and Computers
  2. Create an Organizational Unit (OU) called “DOMAIN – Groups”
  3. Under your Groups OU create another OU called “Security”. This is where we will hold all of our security groups.
  4. Right click Security and select New > Group.
  5. Give the group a name. I used “SG – Remote Desktop Users”.

Screen Shot 2013-10-05 at 12.26.22 PM

Create the GPO

Now that we have a security group, we need to enable RDP and allow only members of this group to connect to our systems.

  1. Log into your Domain Controller.
  2. On the Start Screen type: gpmc.msc. This will pull up the Group Policy Management Console.
  3. Right click on your domain and select “Create a GPO in this domain, and Link it here…”. I am creating this GPO at the root of my domain to allow access to all servers and computers in my domain. This might not be exactly what you want to do, if your situation is different then select the OU you want this policy to apply to instead of your domain.
  4. Name the GPO. I used “Enable RDP” to keep it simple. This will create a blank GPO and a link to it.
  5. Right click the GPO or the Link and select “Edit…”
  6. This will pull up a the Group Policy Editor.
    Screen Shot 2013-10-05 at 12.32.38 PM
  7. We are only going to be modifying Computer Settings. We need to enable RDP, open the Firewall, and allow the security group members. Set the following:
    1. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow Log on through Remote Desktop Services.
      1. Add Users or Group…
      2. Browse and search for your Security Group. In my case it was SG – Remote Desktop users
    2. Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
      1. Right Click in the blank area and select Add Group…
      2. Browse and find “Remote Desktop Users”
      3. Select OK
      4. Double Click Remote Desktop Users
      5. Select Add for “Members of this Group”
      6. Browse and find your Security group.
    3. Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Inbound Remote Desktop exceptions: Enabled
    4. Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow user to connect remotely by using Remote Desktop Services: Enabled
    5. Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Do not allow local administrators to customize permissions: Enabled
    6. Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using NLA: Disabled

Screen Shot 2013-10-05 at 1.05.52 PM

 

Screen Shot 2013-10-05 at 1.06.26 PM

 

That should be it! Just wait for or force your computers to update Group Policy. Now any users that are a member of your security group can RDP to your computers.

Series Navigation<< Powershell Bulk User Import in Server 2012Create Local Administrator Account through Group Policy (GPO) >>

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*


18 thoughts on “Server 2012 Enable Remote Desktop (RDP) through Group Policy (GPO)

  1. Reply Arun February 6, 2014 at 11:46 pm

    Worked like a Champ 😉 Thanks a lot!

  2. Reply Shako June 4, 2014 at 5:21 am

    Very helpful

    Thanks a lot

  3. Reply Ethioman September 17, 2014 at 1:29 am

    wonderful

  4. Reply stevenuwm November 13, 2014 at 10:35 am

    Why did you explicitly disable the NLA? It’s my understanding that running RDP without NLA puts your servers at greater risk of compromise. It’s OK for the lab -but not necessary.

    • Daniel Eckes
      Daniel Eckes November 23, 2014 at 11:29 am

      Because I am using a Mac and like to use 3rd party RDP clients instead of the Microsoft App. This is why.

  5. Reply Lawrence December 17, 2014 at 1:29 pm

    Thank you very much. Ive searched and searched and searched. Finally one that worked!! lol

    • Alexy January 26, 2015 at 8:35 pm

      I have configured correctly. But i can’t connect my server. Pls help me.
      ERROR:
      “To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you’re in doesn’t have this right, or -f the right has been removed from the Remote Desktop Users group, you need to be granted this right manually.”

  6. Reply phil July 7, 2015 at 10:20 am

    Thank you so much:-))!!! I am excited to solve so complicated RDP problem thanks your easy precious guide! Thanks so much Danny! A vary smart man!

  7. Reply allan August 19, 2015 at 11:20 pm

    Wow that worked perfectly! This page is going into my ‘Godly Bookmark’ folder.

  8. Reply JakubWz September 11, 2015 at 11:19 pm

    Hi there,

    It works like a charm! Thank you! Locked my self out from the server but luckily had secondary backup connection via logmein. Once the restricted group is in place, it blocks even administrators not only on the machines but also on the server, which is excellent. Thank you! Will be attempting to setup the Local Administrator next. 🙂

  9. Reply Kiril Stankov October 7, 2015 at 9:43 am

    Thanks!!!

  10. Reply sohail October 24, 2015 at 6:46 am

    One of the best tutorials. Worked without any problems. Thanks alot. Going to print it to pdf and for future references.

  11. Reply TGOD December 30, 2015 at 6:59 am

    after reading through, i know its going to work, cause all my questions are answered in it.
    thanks!

  12. Reply Tom Gordon January 29, 2016 at 9:22 am

    Great Tutorial!

    Just one query. I’ve noticed that users can only connect through RDP if they have access to ‘All computers’ checked in their 2012 user account. Ideally I would like them to just have access to their computer. Any ideas?

  13. Reply Lewis February 11, 2016 at 2:25 pm

    Just to clarify:
    – Do not allow local administrators to customize permissions
    and
    – Turn off NLA
    are optional.

  14. Reply Blaine March 3, 2016 at 3:57 pm

    Do you know if this works for windows 10?

  15. Reply Darryl March 9, 2016 at 3:37 pm

    Thanks for the guide.

    I have a question. How do you prevent a “user” from logging on to the RDP Host server while allowing them and everyone else the ability to logon to the published applications with remote desktop services?

    Thanks

  16. Reply Daren July 27, 2016 at 12:30 pm

    I love it but I expected the group I added ‘Domain Users’ to be added to the Remote Desktop Users when I click ‘Select Users’ from ‘Remote Settings’ on the System page?

Copyright © 2013 DannyEckes.com. All rights reserved. | Site design by Daniel J. Eckes | Privacy