Solved

Windows 7 Remote Desktop Policy

Posted on 2011-03-18
10
642 Views
Last Modified: 2012-05-11
I want to configure Group Policy so that my users are enabled to connect to their computers remotely.  I have enabled Terminal services by default via Group Policy but for some reason, every 24 hours, if I manually enter a user on his Windows 7 computer, that user is then removed the following day and only Domain Admins remains.

Anyone know the setting I need to update to allow any user that I add manually to a computer, so that it stays there?

Active Directory is Windows Server 2008
0
Comment
Question by:HemisFear
  • 4
  • 4
  • 2
10 Comments
 
LVL 1

Accepted Solution

by:
crazyn3wf earned 125 total points
ID: 35167569
This can be done in

Computer Config>Policies>Administrative Templates>Windows Config>Remote Desktop Services>Remote Desktop Session Host>Connections

With the following police

Allow users to connect remotely using Remote Desktop Services


0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 125 total points
ID: 35167819
The users should be added to the Remote Desktop Users local group of each PC. You can use group policy Restricted Groups to do that if you can accept multiple PCs having the same allowed users.
0
 

Author Comment

by:HemisFear
ID: 35181379
For some reason, after I have added a domain user to the Remote Desktop users group, within 24 hours, it gets removed automatically.  I'm not seeing anything in Group Policy that would force that to happen.  

Any assistance woudl be greatly appreciated.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 1

Expert Comment

by:crazyn3wf
ID: 35181536
Are you adding them on the local PC or the AD Remote Desktop Users group?
0
 

Author Comment

by:HemisFear
ID: 35182213
To the Local PC group.  

I don't want my users being able to remotely log into any machine on the network.  I only want them to be able to Remote Desktop into their local computers.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 35183406
You will need to manually add the domain user account to the local Remote Desktop Users account on the appropriate machine. Since it's a 1 to 1 mapping between user and PC, you can't do it via group policies unless you want to make a group policy for each user/pc pair. Might as well do it manually.
0
 
LVL 1

Expert Comment

by:crazyn3wf
ID: 35183570
I agree with kevinhsieh, but we still havent answer why they are baing removed from the group everyday.
0
 

Author Comment

by:HemisFear
ID: 35183704
I think based on your comments above I have figured out what's going on.  Give your feedback though please.

I have Group Policy currently configured for \Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Server\Connections\Allow Users to connect remotely using Terminal Services = Enabled which states the following:

"This policy setting allows you to configure remote access to computers using Terminal Services.

If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer using Terminal Services.  

If you disable this policy setting, users cannot connect remotely to the target computer using Terminal Services. The target computer will maintain any current connections, but will not accept any new incoming connections.

If you do not configure this policy setting, Terminal Services uses the Remote Desktop setting on the target computer to determine whether remote connection is allowed. This setting is found on the Remote tab in System Properties. By default, remote connection is not allowed."

I think I basically need to rest that policy to "Not Configured" and map each one of the computers on the network manually.  

Oy.....ok...let's try that!
0
 
LVL 1

Expert Comment

by:crazyn3wf
ID: 35183749
Give that a shot. I don’t think it should make a difference though if it is "Not Configured" or "Enabled" By enabling the GPO you just don’t have to configure it on a By PC Basis

I have setup a test on a few of my systems to see what happens.
0
 

Author Comment

by:HemisFear
ID: 35232540
As it turns out, I had multiple configurations on my Group Policy which was adding Domain Admins (and only that group) to the Remote Desktop users group on each machine.  Once I cleared that up and redeployed GP properly I was able to insert the appropriate users to each machine.  I will give credit to multiple people as the answers above were correct.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick guide on how to use Group Policy to create a custom power plan and set it active on Windows 7.
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question