Solved

Windows 7 Remote Desktop Policy

Posted on 2011-03-18
10
646 Views
Last Modified: 2012-05-11
I want to configure Group Policy so that my users are enabled to connect to their computers remotely.  I have enabled Terminal services by default via Group Policy but for some reason, every 24 hours, if I manually enter a user on his Windows 7 computer, that user is then removed the following day and only Domain Admins remains.

Anyone know the setting I need to update to allow any user that I add manually to a computer, so that it stays there?

Active Directory is Windows Server 2008
0
Comment
Question by:HemisFear
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 2
10 Comments
 
LVL 1

Accepted Solution

by:
crazyn3wf earned 125 total points
ID: 35167569
This can be done in

Computer Config>Policies>Administrative Templates>Windows Config>Remote Desktop Services>Remote Desktop Session Host>Connections

With the following police

Allow users to connect remotely using Remote Desktop Services


0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 125 total points
ID: 35167819
The users should be added to the Remote Desktop Users local group of each PC. You can use group policy Restricted Groups to do that if you can accept multiple PCs having the same allowed users.
0
 

Author Comment

by:HemisFear
ID: 35181379
For some reason, after I have added a domain user to the Remote Desktop users group, within 24 hours, it gets removed automatically.  I'm not seeing anything in Group Policy that would force that to happen.  

Any assistance woudl be greatly appreciated.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 1

Expert Comment

by:crazyn3wf
ID: 35181536
Are you adding them on the local PC or the AD Remote Desktop Users group?
0
 

Author Comment

by:HemisFear
ID: 35182213
To the Local PC group.  

I don't want my users being able to remotely log into any machine on the network.  I only want them to be able to Remote Desktop into their local computers.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 35183406
You will need to manually add the domain user account to the local Remote Desktop Users account on the appropriate machine. Since it's a 1 to 1 mapping between user and PC, you can't do it via group policies unless you want to make a group policy for each user/pc pair. Might as well do it manually.
0
 
LVL 1

Expert Comment

by:crazyn3wf
ID: 35183570
I agree with kevinhsieh, but we still havent answer why they are baing removed from the group everyday.
0
 

Author Comment

by:HemisFear
ID: 35183704
I think based on your comments above I have figured out what's going on.  Give your feedback though please.

I have Group Policy currently configured for \Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Server\Connections\Allow Users to connect remotely using Terminal Services = Enabled which states the following:

"This policy setting allows you to configure remote access to computers using Terminal Services.

If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer using Terminal Services.  

If you disable this policy setting, users cannot connect remotely to the target computer using Terminal Services. The target computer will maintain any current connections, but will not accept any new incoming connections.

If you do not configure this policy setting, Terminal Services uses the Remote Desktop setting on the target computer to determine whether remote connection is allowed. This setting is found on the Remote tab in System Properties. By default, remote connection is not allowed."

I think I basically need to rest that policy to "Not Configured" and map each one of the computers on the network manually.  

Oy.....ok...let's try that!
0
 
LVL 1

Expert Comment

by:crazyn3wf
ID: 35183749
Give that a shot. I don’t think it should make a difference though if it is "Not Configured" or "Enabled" By enabling the GPO you just don’t have to configure it on a By PC Basis

I have setup a test on a few of my systems to see what happens.
0
 

Author Comment

by:HemisFear
ID: 35232540
As it turns out, I had multiple configurations on my Group Policy which was adding Domain Admins (and only that group) to the Remote Desktop users group on each machine.  Once I cleared that up and redeployed GP properly I was able to insert the appropriate users to each machine.  I will give credit to multiple people as the answers above were correct.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question