Windows 7 Remote Desktop Policy

I want to configure Group Policy so that my users are enabled to connect to their computers remotely.  I have enabled Terminal services by default via Group Policy but for some reason, every 24 hours, if I manually enter a user on his Windows 7 computer, that user is then removed the following day and only Domain Admins remains.

Anyone know the setting I need to update to allow any user that I add manually to a computer, so that it stays there?

Active Directory is Windows Server 2008
HemisFearAsked:
Who is Participating?
 
crazyn3wfCommented:
This can be done in

Computer Config>Policies>Administrative Templates>Windows Config>Remote Desktop Services>Remote Desktop Session Host>Connections

With the following police

Allow users to connect remotely using Remote Desktop Services


0
 
kevinhsiehCommented:
The users should be added to the Remote Desktop Users local group of each PC. You can use group policy Restricted Groups to do that if you can accept multiple PCs having the same allowed users.
0
 
HemisFearAuthor Commented:
For some reason, after I have added a domain user to the Remote Desktop users group, within 24 hours, it gets removed automatically.  I'm not seeing anything in Group Policy that would force that to happen.  

Any assistance woudl be greatly appreciated.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
crazyn3wfCommented:
Are you adding them on the local PC or the AD Remote Desktop Users group?
0
 
HemisFearAuthor Commented:
To the Local PC group.  

I don't want my users being able to remotely log into any machine on the network.  I only want them to be able to Remote Desktop into their local computers.
0
 
kevinhsiehCommented:
You will need to manually add the domain user account to the local Remote Desktop Users account on the appropriate machine. Since it's a 1 to 1 mapping between user and PC, you can't do it via group policies unless you want to make a group policy for each user/pc pair. Might as well do it manually.
0
 
crazyn3wfCommented:
I agree with kevinhsieh, but we still havent answer why they are baing removed from the group everyday.
0
 
HemisFearAuthor Commented:
I think based on your comments above I have figured out what's going on.  Give your feedback though please.

I have Group Policy currently configured for \Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Server\Connections\Allow Users to connect remotely using Terminal Services = Enabled which states the following:

"This policy setting allows you to configure remote access to computers using Terminal Services.

If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer using Terminal Services.  

If you disable this policy setting, users cannot connect remotely to the target computer using Terminal Services. The target computer will maintain any current connections, but will not accept any new incoming connections.

If you do not configure this policy setting, Terminal Services uses the Remote Desktop setting on the target computer to determine whether remote connection is allowed. This setting is found on the Remote tab in System Properties. By default, remote connection is not allowed."

I think I basically need to rest that policy to "Not Configured" and map each one of the computers on the network manually.  

Oy.....ok...let's try that!
0
 
crazyn3wfCommented:
Give that a shot. I don’t think it should make a difference though if it is "Not Configured" or "Enabled" By enabling the GPO you just don’t have to configure it on a By PC Basis

I have setup a test on a few of my systems to see what happens.
0
 
HemisFearAuthor Commented:
As it turns out, I had multiple configurations on my Group Policy which was adding Domain Admins (and only that group) to the Remote Desktop users group on each machine.  Once I cleared that up and redeployed GP properly I was able to insert the appropriate users to each machine.  I will give credit to multiple people as the answers above were correct.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.