Solved

Windows 7 Remote Desktop Policy

Posted on 2011-03-18
10
645 Views
Last Modified: 2012-05-11
I want to configure Group Policy so that my users are enabled to connect to their computers remotely.  I have enabled Terminal services by default via Group Policy but for some reason, every 24 hours, if I manually enter a user on his Windows 7 computer, that user is then removed the following day and only Domain Admins remains.

Anyone know the setting I need to update to allow any user that I add manually to a computer, so that it stays there?

Active Directory is Windows Server 2008
0
Comment
Question by:HemisFear
  • 4
  • 4
  • 2
10 Comments
 
LVL 1

Accepted Solution

by:
crazyn3wf earned 125 total points
ID: 35167569
This can be done in

Computer Config>Policies>Administrative Templates>Windows Config>Remote Desktop Services>Remote Desktop Session Host>Connections

With the following police

Allow users to connect remotely using Remote Desktop Services


0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 125 total points
ID: 35167819
The users should be added to the Remote Desktop Users local group of each PC. You can use group policy Restricted Groups to do that if you can accept multiple PCs having the same allowed users.
0
 

Author Comment

by:HemisFear
ID: 35181379
For some reason, after I have added a domain user to the Remote Desktop users group, within 24 hours, it gets removed automatically.  I'm not seeing anything in Group Policy that would force that to happen.  

Any assistance woudl be greatly appreciated.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 1

Expert Comment

by:crazyn3wf
ID: 35181536
Are you adding them on the local PC or the AD Remote Desktop Users group?
0
 

Author Comment

by:HemisFear
ID: 35182213
To the Local PC group.  

I don't want my users being able to remotely log into any machine on the network.  I only want them to be able to Remote Desktop into their local computers.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 35183406
You will need to manually add the domain user account to the local Remote Desktop Users account on the appropriate machine. Since it's a 1 to 1 mapping between user and PC, you can't do it via group policies unless you want to make a group policy for each user/pc pair. Might as well do it manually.
0
 
LVL 1

Expert Comment

by:crazyn3wf
ID: 35183570
I agree with kevinhsieh, but we still havent answer why they are baing removed from the group everyday.
0
 

Author Comment

by:HemisFear
ID: 35183704
I think based on your comments above I have figured out what's going on.  Give your feedback though please.

I have Group Policy currently configured for \Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Server\Connections\Allow Users to connect remotely using Terminal Services = Enabled which states the following:

"This policy setting allows you to configure remote access to computers using Terminal Services.

If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer using Terminal Services.  

If you disable this policy setting, users cannot connect remotely to the target computer using Terminal Services. The target computer will maintain any current connections, but will not accept any new incoming connections.

If you do not configure this policy setting, Terminal Services uses the Remote Desktop setting on the target computer to determine whether remote connection is allowed. This setting is found on the Remote tab in System Properties. By default, remote connection is not allowed."

I think I basically need to rest that policy to "Not Configured" and map each one of the computers on the network manually.  

Oy.....ok...let's try that!
0
 
LVL 1

Expert Comment

by:crazyn3wf
ID: 35183749
Give that a shot. I don’t think it should make a difference though if it is "Not Configured" or "Enabled" By enabling the GPO you just don’t have to configure it on a By PC Basis

I have setup a test on a few of my systems to see what happens.
0
 

Author Comment

by:HemisFear
ID: 35232540
As it turns out, I had multiple configurations on my Group Policy which was adding Domain Admins (and only that group) to the Remote Desktop users group on each machine.  Once I cleared that up and redeployed GP properly I was able to insert the appropriate users to each machine.  I will give credit to multiple people as the answers above were correct.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick guide on how to use Group Policy to create a custom power plan and set it active on Windows 7.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This Micro Tutorial will teach you the basics of configuring your computer to improve its speed. It will also teach you how to disable programs that are running in the background simultaneously. This will be demonstrated using Windows 7 operating…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question