GPO to enable RDP on Windows XP and add the user to the local Remote Desktop Users Group

I know how to enable RDP on an XP PC via GPO, but my issue is that the users are all Power Users, so they do not become members of the local Remote Desktop Users group; they can launch RDP but cannot log on to their session. My question is: how can I make JUST the USER of the PC a member of the Remote Desktop Users group through GPO?
GPO being created on Windows Server 2008 R2 64b
Thanks
Bobbyjgr63Asked:

Vinchenzo-the-SecondCommented:
Restricted Groups
0

cbmmCommented:
Restricted groups is def. the way to manage adding domain user accounts to local groups.
0
Bobbyjgr63Author Commented:
Can you elaborate? I don't want just anyone to have the ability to RDP to another user's PC and log on; I just want the users to be able to RDP to their own PC.
0
Bobbyjgr63Author Commented:
With that said, can you direct me to where in GP the Restricted Groups setting is, and can it be set so just the user of his or her PC can only RDP into their own PC?
0
c0sCommented:
local security settings -> local policies -> user rights assignment.

You can find it in there. If you are looking to do it on the domain level do it in the domain security policy.
0
Vinchenzo-the-SecondCommented:
It's under computer settings, windows settings, security settings. If it's Win2k8, under policies.

You need to add in the group name, then you add the groups or users to that group.
0
Vinchenzo-the-SecondCommented:
If you're setting it from a GPO using GPMC
0
Bobbyjgr63Author Commented:
OK, I found it, but I do not want, say, JDoe to be able to RDP to JSmith's PC, only JDoe to JDoe and so on.
Therefore, who goes into the group?
0
Vinchenzo-the-SecondCommented:
Create GPOs for each machine, and only give permission in the GPO to apply to that machine.
0
Bobbyjgr63Author Commented:
Hi c0s, thanks, but our users from home log on to Citrix and have the RDP app published to them, so there is no need to set up remote web... Because we have 400 XP PCs, not all of them have Remote checked off, and they are Power Users so they cannot check it themselves. I can check allow Remote using the GPO, but users still cannot log on with RDP because they are not part of the local Remote Desktop Users group, and like I said, I don't want everyone to be able to log on to just anyone's PC, and I am not going to create 400 GPOs for each machine like Vinchenzo suggests.
0
Vinchenzo-the-SecondCommented:
No you wouldn't because I wouldn't either
0
c0sCommented:
There is a check in AD by the user that allows the user to do remote log on, did you try that? I believe you can script the change to make it for all users, but try it out see if it works in your environment. Also how do you define what users are allowed to log on where? It depends on case by case basis
0
c0sCommented:
You can assign a specific GPO to multiple machines if needed just an FYI
0
Bobbyjgr63Author Commented:
Yes, that is checked. I think it's because they are Windows XP PCs; RDP does not support Network Level Authentication like Windows 7 RDP does... Oh well, I was just trying to lock this down; like I said, I only wanted users to be able to RDP to their own PC and not anyone else's.
0
Bobbyjgr63Author Commented:
OK, so I decided I will Allow users to connect remotely using Terminal Services; that will at least enable Remote Desktop on their PC. Then, if a user needs RDP, our staff can Manage computer and add the user to the Remote Desktop group.

Thanks for your help all
0
c0sCommented:
Good luck :)
0
Bobbyjgr63Author Commented:
Good Ideas but not restrictive enough for what I wanted
0
Bobbyjgr63Author Commented:
Seeing you both responded and got me halfway there I awarded points to both
Thanks guys
0
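An added example, not part of the thread and not any participant's code, of the per-PC restriction the asker describes: one mapping of computer to assigned user, applied to each PC's local Remote Desktop Users group, with a report of anyone else already in that group. It assumes it is run from an admin workstation with PowerShell 2.0 or later by an account that is a local administrator on the target PCs; the computer names, the CONTOSO domain and the mapping are constructed.

```powershell
# Constructed mapping: each PC and the one domain user allowed to RDP to it.
$assignments = @"
Computer,User
XP-PC-001,CONTOSO\jdoe
XP-PC-002,CONTOSO\jsmith
"@ | ConvertFrom-Csv

function Get-RdpGroupMembers([string]$Computer) {
    # The WinNT ADSI provider reads a remote machine's local group.
    $group = [ADSI]"WinNT://$Computer/Remote Desktop Users,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://CONTOSO/jdoe; return it as CONTOSO\jdoe.
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-RdpGroupPlan([string]$AssignedUser, [string[]]$CurrentMembers) {
    # Pure comparison: who must be added, and who is present but not assigned.
    New-Object PSObject -Property @{
        Add        = @($AssignedUser | Where-Object { $CurrentMembers -notcontains $_ })
        Unexpected = @($CurrentMembers | Where-Object { $_ -ne $AssignedUser })
    }
}

$Apply = $false   # dry run by default; set to $true to change membership

foreach ($row in $assignments) {
    try {
        $members = @(Get-RdpGroupMembers $row.Computer)
    } catch {
        Write-Warning "$($row.Computer): cannot read group ($($_.Exception.Message))"
        continue
    }
    $plan = Get-RdpGroupPlan -AssignedUser $row.User -CurrentMembers $members
    foreach ($u in $plan.Add) {
        Write-Output "$($row.Computer): add $u"
        if ($Apply) {
            $group = [ADSI]"WinNT://$($row.Computer)/Remote Desktop Users,group"
            $group.Add("WinNT://$($u -replace '\\', '/'),user")
        }
    }
    foreach ($u in $plan.Unexpected) {
        # Anyone listed here can also log on to this PC over RDP.
        Write-Warning "$($row.Computer): $u is also in Remote Desktop Users"
    }
}
```

If a Restricted Groups policy is also applied to Remote Desktop Users on these PCs, its member list replaces the group's membership at policy refresh, so use one mechanism or the other for this group.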