Limit RDP to desktop for single user in AD

Posted on 2011-05-09
Last Modified: 2012-05-11
We are migrating from NT4 to AD. At the moment domain users are in the local administrators group. Due to the timescales for migration I have decided to use a restricted group and allow only the interactive user to be in the admin group. So when the user logs off they will not be able to have admin rights on the PC from a remote location. We have several developers that work in a test area; they will need to RDP to their own PC and check email, docs etc. How can I only allow that user to RDP to his/her own desktop using GPO? Is it possible?

Question by:Sarah_Smith

Accepted Solution

Adam Brown earned 500 total points
ID: 35721842
It's possible, but probably preferable to just set the groups manually on the computers, because you would need a different GPO for each computer. The Remote Desktop Users group that is on each local computer is used to control which users have Remote Desktop access to the computer. Adding the user to that group will give them access. Having only that user in the group will set that up.

Assisted Solution

Lee_YCP earned 500 total points
ID: 35722497
You could just set the permission on their AD account to only allow login to 'their desktop machine' and whatever one they are connecting from. Also, add them to the RD group in AD. I assume the clients and machines are in AD.

Author Comment

ID: 35726588
@acbrown2010 : Yes I will try that, for some reason I was getting confused thinking the restricted group would overwrite the members of the RDP group. However if the RDP group is not specified in the GPO then it won't touch it. :) I'll give it a whirl...
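The two approaches in the accepted and assisted answers (Adam Brown's per-machine Remote Desktop Users membership and Lee_YCP's "Log On To" workstation restriction on the AD account), as an added PowerShell example that is not part of this thread. The user, computer and domain names are placeholders; it assumes the ActiveDirectory module on the admin workstation, PowerShell remoting to the target PC, and Windows 10 / Server 2016 or later on that PC so the Microsoft.PowerShell.LocalAccounts cmdlets exist (older builds would use `net localgroup`, shown in a comment).

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. All names below are placeholders.
param(
    [string]$User   = 'jdoe',       # placeholder developer account (sAMAccountName)
    [string]$OwnPc  = 'DEV-PC01',   # placeholder: the PC the user may RDP into
    [string]$FromPc = 'TEST-PC07',  # placeholder: the test-area PC they connect from
    [string]$Domain = 'CONTOSO'     # placeholder NetBIOS domain name
)
$Member = "$Domain\$User"

# 1. Lee_YCP's suggestion: limit where the account may log on (AD "Log On To...").
#    LogonWorkstations is a comma-separated list of NetBIOS computer names and
#    covers interactive logons including RDP, so the machine the user sits at
#    must be listed as well as the desktop they RDP into.
Set-ADUser -Identity $User -LogonWorkstations "$OwnPc,$FromPc"

# 2. Adam Brown's suggestion: make this user the only member of the *local*
#    Remote Desktop Users group on their own PC. This is done per machine, not
#    by GPO, so the Restricted Groups policy that manages local Administrators
#    never touches this group (as the author's follow-up comment notes).
Invoke-Command -ComputerName $OwnPc -ArgumentList $Member -ScriptBlock {
    param($Member)
    $group   = 'Remote Desktop Users'
    $current = @(Get-LocalGroupMember -Group $group)

    # Drop anyone else who was granted RDP on this desktop.
    foreach ($m in $current) {
        if ($m.Name -ne $Member) {
            Remove-LocalGroupMember -Group $group -Member $m.Name
        }
    }
    # Add the intended user if not already present.
    if ($current.Name -notcontains $Member) {
        Add-LocalGroupMember -Group $group -Member $Member
        # Pre-Windows 10 equivalent:  net localgroup "Remote Desktop Users" $Member /add
    }
}

# 3. Verify the result on the PC and in AD: who can RDP in, and whether the
#    user still holds standing local admin rights (they should not, once the
#    Restricted Groups GPO has applied).
Invoke-Command -ComputerName $OwnPc -ScriptBlock {
    foreach ($g in 'Remote Desktop Users', 'Administrators') {
        [pscustomobject]@{
            Group   = $g
            Members = (Get-LocalGroupMember -Group $g | Select-Object -ExpandProperty Name) -join ', '
        }
    }
}
Get-ADUser -Identity $User -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

Two things worth knowing before running this against a real desktop: members of the local Administrators group can still RDP in regardless of Remote Desktop Users membership, because the "Allow log on through Remote Desktop Services" user right grants both groups by default, so step 2 only narrows non-admin access; and the LogonWorkstations list is an allow-list, so leaving out a machine the developer legitimately uses locks them out of it entirely.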
