Solved

Windows 7 Remote Desktop Policy

Posted on 2011-03-18
10
632 Views
Last Modified: 2012-05-11
I want to configure Group Policy so that my users are enabled to connect to their computers remotely.  I have enabled Terminal services by default via Group Policy but for some reason, every 24 hours, if I manually enter a user on his Windows 7 computer, that user is then removed the following day and only Domain Admins remains.

Anyone know the setting I need to update to allow any user that I add manually to a computer, so that it stays there?

Active Directory is Windows Server 2008
0
Comment
Question by:HemisFear
  • 4
  • 4
  • 2
10 Comments
 
LVL 1

Accepted Solution

by:
crazyn3wf earned 125 total points
ID: 35167569
This can be done in

Computer Config>Policies>Administrative Templates>Windows Config>Remote Desktop Services>Remote Desktop Session Host>Connections

With the following police

Allow users to connect remotely using Remote Desktop Services


0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 125 total points
ID: 35167819
The users should be added to the Remote Desktop Users local group of each PC. You can use group policy Restricted Groups to do that if you can accept multiple PCs having the same allowed users.
0
 

Author Comment

by:HemisFear
ID: 35181379
For some reason, after I have added a domain user to the Remote Desktop users group, within 24 hours, it gets removed automatically.  I'm not seeing anything in Group Policy that would force that to happen.  

Any assistance woudl be greatly appreciated.
0
 
LVL 1

Expert Comment

by:crazyn3wf
ID: 35181536
Are you adding them on the local PC or the AD Remote Desktop Users group?
0
 

Author Comment

by:HemisFear
ID: 35182213
To the Local PC group.  

I don't want my users being able to remotely log into any machine on the network.  I only want them to be able to Remote Desktop into their local computers.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 35183406
You will need to manually add the domain user account to the local Remote Desktop Users account on the appropriate machine. Since it's a 1 to 1 mapping between user and PC, you can't do it via group policies unless you want to make a group policy for each user/pc pair. Might as well do it manually.
0
 
LVL 1

Expert Comment

by:crazyn3wf
ID: 35183570
I agree with kevinhsieh, but we still havent answer why they are baing removed from the group everyday.
0
 

Author Comment

by:HemisFear
ID: 35183704
I think based on your comments above I have figured out what's going on.  Give your feedback though please.

I have Group Policy currently configured for \Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Server\Connections\Allow Users to connect remotely using Terminal Services = Enabled which states the following:

"This policy setting allows you to configure remote access to computers using Terminal Services.

If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer using Terminal Services.  

If you disable this policy setting, users cannot connect remotely to the target computer using Terminal Services. The target computer will maintain any current connections, but will not accept any new incoming connections.

If you do not configure this policy setting, Terminal Services uses the Remote Desktop setting on the target computer to determine whether remote connection is allowed. This setting is found on the Remote tab in System Properties. By default, remote connection is not allowed."

I think I basically need to rest that policy to "Not Configured" and map each one of the computers on the network manually.  

Oy.....ok...let's try that!
0
 
LVL 1

Expert Comment

by:crazyn3wf
ID: 35183749
Give that a shot. I don’t think it should make a difference though if it is "Not Configured" or "Enabled" By enabling the GPO you just don’t have to configure it on a By PC Basis

I have setup a test on a few of my systems to see what happens.
0
 

Author Comment

by:HemisFear
ID: 35232540
As it turns out, I had multiple configurations on my Group Policy which was adding Domain Admins (and only that group) to the Remote Desktop users group on each machine.  Once I cleared that up and redeployed GP properly I was able to insert the appropriate users to each machine.  I will give credit to multiple people as the answers above were correct.
0

Join & Write a Comment

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This Micro Tutorial will go in depth within Systems and Security in Windows 7 and will go into detail regarding Action Center, Windows Firewall, System, etc. This will be demonstrated using Windows 7 operating system.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now