17 Replies
· · ·
Jalapeno
OP
Jul 8, 2010 at 08:41 UTC
use Active Directory Users and computers to add your domain users to the remote desktop users....
Are you setting up a terminal server?
0
· · ·
Jalapeno
OP
Best Answer
Jul 8, 2010 at 08:47 UTC
If you need to add Domain users to the Remote Desktop Users group on an XP machine then you need to use restricted groups in GPO...
it is under Computer configuration/Windows settings/Security settings/restricted groups. Right click, add group, click browse to find domain users. Click ok and click add under This group is a member of... Type in Remote Desktop Users.
1
· · ·
Thai Pepper
OP
Jul 8, 2010 at 08:50 UTC
Have you tried the following GP [I'm currently using Group Policy Management from my Windows 7 system on a Server 2003 domain]:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Remote Desktop Services
I haven't tried this myself as we don't have a need to yet, but the description seems to be related to what you are trying to accomplish.
1
· · ·
Thai Pepper
OP
Jul 8, 2010 at 08:59 UTC
You can also use:
Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
- Within this setting, right-click in the empty white area and select "All Tasks" > "Add".
- Select "Update" in the "Action:" drop-down
- Select "Remote Desktop Users [built-in]" from the "Group name:" field
- Under the "Members:" section click the "Add..." button.
- Add Domain Users to the "Name:" field and select "Add to this group" from the "Action:" field
That should add Domain Users to the Remote Desktop Users group for any computer you apply this policy to.
2
· · ·
Habanero
OP
Jul 8, 2010 at 09:05 UTC
Well, when I researched it, RDP can't be turned on for WinXP pro desktops remotely, it requires a visit to the machine. Just add it then, as you'll have to be logged in as admin anyhoo.
I'd love to hear I was wrong.
0
· · ·
Serrano
OP
Jul 8, 2010 at 09:10 UTC
hi ,
you should look into Restricted Groups in The GPO.
This will make it possible for you to make a domain group a member of a local groups in the gpo effected computers
0
· · ·
Datil
OP
Jul 8, 2010 at 09:14 UTC
David1618 wrote:
Well, when I researched it, RDP can't be turned on for WinXP pro desktops remotely, it requires a visit to the machine. Just add it then, as you'll have to be logged in as admin anyhoo.
I'd love to hear I was wrong.
You can do this using remote registry by modifying the following key and value:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
"fDenyTSConnections"=dword:00000001 [RDP disabled]
"fDenyTSConnections"=dword:00000000 [RDP enabled]
Going on that you could also use the attached to enable across domain using a GPO by dropping it on a share and calling it from a batch script with the following command:
regedit /s \\servername\share\fDenyTSConnections.reg
0
· · ·
Datil
OP
Jul 8, 2010 at 09:23 UTC
spiceuser wrote:
David1618 wrote:
Well, when I researched it, RDP can't be turned on for WinXP pro desktops remotely, it requires a visit to the machine. Just add it then, as you'll have to be logged in as admin anyhoo.
I'd love to hear I was wrong.
You can do this using remote registry by modifying the following key and value:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
"fDenyTSConnections"=dword:00000001 [RDP disabled]
"fDenyTSConnections"=dword:00000000 [RDP enabled]
Going on that you could also use the attached to enable across domain using a GPO by dropping it on a share and calling it from a batch script with the following command:
regedit /s \\servername\share\fDenyTSConnections.reg
what about computer configuration >Administrative templates>Windows components>Terminal Services> Terminal services. Then enable terminal services. this should turn on remote desktop, i am pretty sure i have done this before.
0
· · ·
Thai Pepper
OP
Jul 8, 2010 at 09:25 UTC
Ralph, this worked.
Thank you everyone for your responses.
0
· · ·
Datil
OP
Jul 8, 2010 at 09:29 UTC
Yeah Kimbo, that works too. So 3 ways to enable/disable remotely:
- By remote registry
- By script
- By GPO
0
· · ·
Mace
OP
Jul 8, 2010 at 09:35 UTC
I'd highly suggest trying the group policy preferences, as gonefishing mentioned. I use GPP to map drives and printers, add users to groups [like my admin account to the RDP group, or my spiceworks user to local admin], and set some initial preferences. It works fantastically, and I haven't had to mess with a script in ages. Works in XP once you install the Client Side Extensions.
0
· · ·
Datil
OP
Jul 8, 2010 at 09:45 UTC
spiceuser wrote:
Yeah Kimbo, that works too. So 3 ways to enable/disable remotely:
- By remote registry
- By script
- By GPO
you forgot about
- By IT Magic!
Edit: How did you do the bullet points, appaently HTML wasn't the way :]
0
· · ·
Tabasco
OP
Jul 8, 2010 at 09:46 UTC
If the computers are on the domain, then you can use a group policy to enable Terminal Services:
Computer Configuration =? Administrative Templates => Windows Components => Terminal Services =>
Allow users to connect remotely using Terminal Services
Also, enable Restricted Groups to add the users you want to permit access to over Remote Desktop
Computer Configuration => Windows Settings => Security Settings => Restricted Groups
Right click on Restricted Groups, and click Add group
At the first prompt, type Domain users
A second dialog box will open
If you want to give your users the ability to modify the Remote Desktop Users group, add "Remote Desktop Users" to the box that says "This group is a member of" If you want to restrict access to only the Domain Users group, add "Remote Desktop Users" to "Members of this group"
Click OK
When you apply the policy, Apply it to the domain level, remove Authenticated Users from Security Filtering, and add your group of computers to the Security Filtering box. This will restrict the policy to only the computers in that group
Once the policy is applied, run a gpupdate /force on the notebooks, and you should be good to go
0
· · ·
Jalapeno
OP
Jul 8, 2010 at 09:50 UTC
Cool, BTW the first post was for Terminal Services
0
· · ·
Datil
OP
Jul 8, 2010 at 09:58 UTC
Kimberlin wrote:
Edit: How did you do the bullet points, appaently HTML wasn't the way :]
- By IT Magic! LOL ;D
0
· · ·
Ghost Chili
OP
Jul 9, 2010 at 08:29 UTC
- I have to throw my 2 cents in - this is a great post - I learned some new things from this post and I have been using TS for years! thanks guys!
0
· · ·
· · ·
Jalapeno
OP
Sep 16, 2016 at 08:30 UTC
Thank's, very helpfull
0
This topic has been locked by an administrator and is no longer open for commenting.
To continue this discussion, please ask a new question.
Add Domain Users to local Remote Desktop Users group using Group Policy
17/12/201107/11/2014 30 Comments Active Directory, Windows Domains
Many times I had to configure a couple of users or admins to be able to do remote desktop on a bunch of machines, but I didn’t want to do this manually, so I turned to Group Policy. All I had to do, is create, configure and assign a Group Policy Object or GPO, and all those setting will replicate to the workstations affected by that GPO. Many admins believe that by adding those users to theRemote Desktop Users group in Active Directory Users and Computerstheir job is done, but when they try to connect is not working.
I’m going to show you how to do this in the right way, so let’s start. For this lab I already created five domain users and added those users to a Security Group in Active Directory called Remote Users. Now open Group Policy Managementby going to Start > Administrative Tools > Group Policy Management. Here right click your domain name [in my case is vkernel.local], and choose Create a GPO in this domain, and link it here. Give your GPO a name and click OK. We are doing this for the hall domain, meaning all computers will be affected by this GPO.
Right click the new created GPO and choose Edit. The GPO Editor opens.
Expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
Again, right click Restricted Groups and choose Add Group. In the Group box type Remote Desktop Users. Do not, I repeat do not click the Browse button because you will select the domain Remote Desktop Users, and we need the local one, the one that resides on every Windows client [XP, Vista, 7]; I know is bit misleading. When you are done click OK.
The Properties of the new Restricted Group opens. Now we need to make the domain Remote Users group that we created earlier, member of this group, so click the Add button from Members of this group option.
Be careful, because using this option [Members of this group] will remove all members that might already exist in your Remote Desktop Users group [the one that resides on every workstation/server]. If you just want to modify the members use the second option This group is a member of.
Now you can click the Browse button and search for the Remote Users group. When you are done click OK ’till the end.
The result will be that the domain Remote Users group is now part of the local Remote Desktop Users group on every client. Click OK.
Now go to a client and force the new policy to apply, either by restarting the client or issue the command from a command line.
gpupdate /forceYou can see the results by opening Remote Desktop Userson one of the clients. On a Windows 7 machine right click Computer > Manage, expand System Tools > Local Users and Groups > Groups. Open the Propertiesof the Remote Desktop Users and you can see that the domain group Remote Users is part of this local group.
Now if you need to give a domain user permission to make a remote desktop connection all you need to do is make that user part of the Remote Users group and you are good to go.
Want content like this delivered right to your
email inbox?
More similar articles
- Steps to check if Domain Controller was properly promoted
- Domain Controller promotion fails with “Access is denied”
- Promoting Domain Controllers using Install From Media [IFM]
- How to Publish the CRL and AIA on a Separate Web Server
- Configure Certification Authority Distinguished Name
- Configure DC to synchronize time with external NTP server
How to add "Domain Users/Group" to Remote Desktop Users group on Servers using Group Policy ?
- Article
- History
Allow Domain Users to Use Remote Desktop
I can't get get working RDP for users in domain...
Users added to "Remote Desktop Users":
User group also added here
And i'm still getting this error:
What i'm missing?
windows-active-directoryremote-desktop-servicesimage.png [120.0 KiB]
image.png [15.5 KiB]
Comment
Comment Show 0
Comment
5 |1600 characters needed characters left characters exceeded
▼
- Visible to all users
- Visible to the original poster & Microsoft
- Viewable by moderators
- Viewable by moderators and the original poster
- Advanced visibility
Attachments: Up to 10 attachments [including images] can be used with a maximum of 3.0 MiB each and 30.0 MiB total.
DSPatrick answered • Nov 8, '21 | KatherineMMoss-0910 commented • Nov 24, '21
Read on here.
//techcommunity.microsoft.com/t5/ask-the-performance-team/8220-allow-logon-through-terminal-services-8221-group-policy-and/ba-p/374961
--please don't forget to upvote and Accept as answer if the reply is helpful--
Comment
Comment · Show 9
Comment
5 |1600 characters needed characters left characters exceeded
▼
- Visible to all users
- Visible to the original poster & Microsoft
- Viewable by moderators
- Viewable by moderators and the original poster
- Advanced visibility
Attachments: Up to 10 attachments [including images] can be used with a maximum of 3.0 MiB each and 30.0 MiB total.
DangerD-9009 · Nov 08, 2021 at 09:21 PM
Didn't helped...Permissions for the RDP-TCP listener can be set using the Tsconfig.msc - that's not available in Windows 2019
Users are in Remote Desktop Users group.
![147487-image.png][1]
Added here group also, but it still doesn't work...
What else should i do?
[1]: /answers/storage/attachments/147487-image.png
0 Votes 0 ·
image.png [52.5 KiB]
DSPatrick DangerD-9009 · Nov 08, 2021 at 10:46 PM
Also check they're not in Deny log on through Remote Desktop Services or Deny access to this computer from the network
0 Votes 0 ·
DangerD-9009 DSPatrick · Nov 08, 2021 at 11:17 PM
it's empty, it's a new windows installation
0 Votes 0 ·
Show more commentsKatherineMMoss-0910 DangerD-9009 · Nov 24, 2021 at 06:28 PM
I would recommend creating a specific group that has the user right of remote logon assigned and then adding your users to that group; it's better practice to create your own groups for AD rather than using the built in ones.
0 Votes 0 ·
DSPatrick answered • Nov 9, '21 | DangerD-9009 commented • Nov 10, '21
Maybe it's a AD dns issue, all pcs connected to one router which is using google dns 8.8.8.8
Please run;
Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log
repadmin /showrepl >C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
ipconfig /all > C:\problemworkstation.txt
then put unzipped text files up on OneDrive and share a link.
Comment
Comment · Show 1
Comment
5 |1600 characters needed characters left characters exceeded
▼
- Visible to all users
- Visible to the original poster & Microsoft
- Viewable by moderators
- Viewable by moderators and the original poster
- Advanced visibility
Attachments: Up to 10 attachments [including images] can be used with a maximum of 3.0 MiB each and 30.0 MiB total.
DangerD-9009 · Nov 10, 2021 at 11:50 AM
Done:
//1drv.ms/u/s!AlsIiKKz7uaTjXlp2IrWlI5-DVFz?e=hzWySl
1 Vote 1 ·
DSPatrick answered • Nov 10, '21 | DangerD-9009 commented • Nov 18, '21
srv3 is multi-homed, do not install the domain controller on hypervisor. Multi-homing a domain controller will always cause no end to grief for active directory DNS
There may be an IPv6 DHCP server on network. IPv6 if not configured correctly will be problematic so I'd suggest turning off the router IPv6 DHCP server
Domain controller and all members should have static ip address of DC listed for DNS and no others such as or public DNS [router?]
I did not look further because these are all show stoppers.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Comment
Comment · Show 2
Comment
5 |1600 characters needed characters left characters exceeded
▼
- Visible to all users
- Visible to the original poster & Microsoft
- Viewable by moderators
- Viewable by moderators and the original poster
- Advanced visibility
Attachments: Up to 10 attachments [including images] can be used with a maximum of 3.0 MiB each and 30.0 MiB total.
DSPatrick · Nov 15, 2021 at 01:24 PM
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
0 Votes 0 ·
DangerD-9009 · Nov 18, 2021 at 10:57 AM
I'm a bit confused i'm a bit new to windows administrating, what should i change?srv3 is multi-homed, do not install the domain controller on hypervisor.
TThere's no way to disable IPv6 DHCP on it, so i've disabled it manually on all pcs and set static ip address.here may be an IPv6 DHCP server on network.
Just realized that i have to specify domain in user while connecting from rdp... "domain\user" this way it works, is there any way to not specify domain?
0 Votes 0 ·
DSPatrick answered • Nov 18, '21 | DSPatrick commented • Nov 24, '21
Please put up a new set of files to look at.
Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log
repadmin /showrepl >C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
ipconfig /all > C:\problemworkstation.txt
then put unzipped text files up on OneDrive and share a link.
Comment
Comment · Show 4
Comment
5 |1600 characters needed characters left characters exceeded
▼
- Visible to all users
- Visible to the original poster & Microsoft
- Viewable by moderators
- Viewable by moderators and the original poster
- Advanced visibility
Attachments: Up to 10 attachments [including images] can be used with a maximum of 3.0 MiB each and 30.0 MiB total.
DSPatrick · Nov 19, 2021 at 10:07 AM
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
0 Votes 0 ·
DangerD-9009 DSPatrick · Nov 22, 2021 at 12:12 PM
I can't post link here...
//1drv.ms/u/s!AlsIiKKz7uaTjgTnbhjuFSHKDWO8?e=bYJbEj
after posting some text i'm able to add link, that's a bug...
0 Votes 0 ·
DSPatrick DangerD-9009 · Nov 22, 2021 at 02:02 PM
srv3 is multi-homed. Multi-homing a domain controller will always cause no end to grief for active directory DNS [do not install active directory domain services on hypervisor]
Domain controller and all members must use the static ip address of DC listed for DNS and no others such as router or public DNS [remove google DNS]
I did not look further since these two are show stoppers.
--please don't forget to upvote and Accept as answer if the reply is helpful--
0 Votes 0 ·
Show more commentspiaudonn answered • Nov 23, '21
Note that "Remote Desktop Users" group in the AD console [since you have the windows-active-directory tag] is only used to give RDP access to the domain controllers.
Just make sure you keep this group empty. You don't want non-admin opening interactive sessions on your domain controllers [it's a no-no-no].
To allow a user to open an RDP session on a member server the user will need the "Allow log on through Remote Desktop Services" privilege on the target system. This is given by default on member server to the users member of the local group "Remote Desktop Users" [the group on the local server, not the AD group]. Or you can specify your own through group policy. Everything is explained in the post @DSPatrick mentioned. I just tried it on my different labs, it works fine on Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019.
When Network Level Authentication is enabled [which should be the case by default, and stay that way], you will also need the privilege "Access this computer from the network" which is by default is given to the "Users" group [which by default contain the AD group "Domain Users" group, so everyone unless you played with that group in AD].
When you got the following error message, you should see on an event id 4625 on the the target server telling you why it failed [likely lack of the privileges aforementioned].
Comment
Comment Show 0
Comment
5 |1600 characters needed characters left characters exceeded
▼
- Visible to all users
- Visible to the original poster & Microsoft
- Viewable by moderators
- Viewable by moderators and the original poster
- Advanced visibility
Attachments: Up to 10 attachments [including images] can be used with a maximum of 3.0 MiB each and 30.0 MiB total.
How to Add User to Remote Desktop Group?
In this article, we will show you how to enable Remote Desktop Protocol on computers in an Active Directory domain, and add domain users to the Remote Desktop Users access group using Group Policies.
Hint. We have previously covered how to enable RDP manually, locally or remotely.
- Open the Active Directory Users and Computers console [dsa.msc], and create a new group AllowRDPAccess. You need to add users to this domain security group who need to allow RDP access to computers;
- Open the domain GPO management mmc snap-in [gpedit.msc]: Start > Control Panel > Administrative Tools > Group Policy Management;
- Right click on the Active Directory container [OU] with computers, and select “Create a GPO in this domain and link it here”;
- Specify the GPO name: AllowRDP;
- Right click on the new GPO object and select Edit;
- Allow RDP connections in the domain profile of Windows Defender Firewall with Advanced Security. Go to the following GPO section: Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall. Find and enable the option Windows Firewall: Allow Remote Desktop Exception. Here you can additionally specify from which IP subnets the RDP connection is allowed [it will increase the security of your computers]. Specify your IP addresses or subnets, for example 192.168.1.0/24;
- Enable Remote Desktop Protocol on the computers. Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Allow Users to connect remotely by using Remote Desktop Services = Enabled;
- Now you need to add the previously created domain group AllowRDPAccess to the local Remote Desktop Users group on all computers in the OU. Expand the following GPO section: Computer Configuration > Windows Settings > Security Settings > Restricted Groups. Right click and select Add Group. Specify the group name Remote Desktop Users > OK. Then in the Members of this group section add your domain security group AllowRDPAccess;
- It remains to update the Group Policy settings on computers [can be manually updated with the command gpupdate /force]. Now check that RDP is enabled in the properties of the computer and the domain group AllowRDPAccess has now been added to the Remote Desktop Users local group [Computer > Manage, expand System Tools > Local Users and Groups > Groups > Remote Desktop Users].
Now users from the specified domain group will be able to connect to any computer in your organizational unit in the Active Directory via RDP.
Cyril Kardashevsky
I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Next Fix: Connection to Microsoft Exchange is Unavailable in Outlook »
Previous « Using Tnsnames.ora File in SQL Developer
Share
Published by
Cyril Kardashevsky
Tags: Group PolicyRemote Desktop
How to Restore Domain Controller From Backup?
In the previous article, we covered how to backup an Active Directory domain controller using…
Enable External Email Forwarding in Microsoft 365 [Office 365]
By default, Microsoft 365 tenant [formerly referred to as Office 365] prevents users from configuring…
How to Sync Client Time with Domain Controller on Windows?
For properly functioning in a domain, a Windows computer’s time must be synchronized with the…
Related Post
Recent Posts
- PowerShell