Allow remote desktop from domain through GPO


I have a problem since machines on my network don't allow remote desktop connections. Users are connecting to their desktop PC on the network from a remote laptop and through a VPN connection. I believe the problem is within the Windows Firewall, as remote desktop is only allowed from home/work and not the domain (see my screendump). The option to allow it from the domain is greyed out, and I think it's a GPO issue, but where do I configure this on my Windows Server 2008 R2?

Thanks in advance,

ronnie13Author Commented:
This is already enabled. The thing is that when I configure remote desktop on the PC it warns me that I must activate the exception for Windows Firewall in relation to remote desktop. This points to this solution, but as you could see from my previous screendump I can't allow the connections from the network location types domain or public.
Daniel HelgenbergerCommented:
To allow users/groups to connect via RDP you need to do the following:

- Allow VPN access, verify users can connect to the required workstations
- Create an AD group for users that you want to be able to connect via RDP. In your case the VPN group can be a member of this group. I call this group RDPUsers for this example.

Now, setup a GPO that does the following stuff:
- Open RDP firewall port.
- Allow users to connect via RDP
BUT to be able to connect via RDP, the user that wants to connect has to be in the computer's local group called Remote Desktop Users (BUILTIN).

Continue in your GPO setup:
- Under Computer Config/Security, set up a new Restricted Group. Call this group Remote Desktop Users - make sure not to use "browse" for this one.
- Now, add your RDPUsers AD Group to the restricted group.

Let the GPO replicate or do a gpupdate /force on one client. Try to connect via RDP to this computer with a member of this group.
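The steps above scripted with the ActiveDirectory and GroupPolicy modules (RSAT on Windows Server 2008 R2 or later). This is an added example, not code from the thread or from Experts Exchange; the OU path, the GPO name and the VPN client range are assumptions for illustration, the group name RDPUsers is the one used in the answer. Restricted Groups has no GroupPolicy cmdlet, so that step is left for the GPMC editor.

```powershell
# Added example, not from the thread: scripts the GPO steps listed in the answer above
# with the ActiveDirectory and GroupPolicy modules (RSAT, Windows Server 2008 R2+).
# Assumed for illustration: the OU path, the GPO name and the VPN client address range.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName        # e.g. DC=example,DC=local
$targetOU  = "OU=Workstations,$domainDN"             # assumed OU holding the desktop PCs
$groupName = "RDPUsers"                              # group name used in the answer
$gpoName   = "Allow Remote Desktop from domain"      # assumed GPO name
$vpnRange  = "10.99.0.0/24"                          # assumed VPN client address pool

# 1. Group that is allowed to use RDP; the VPN users' group can be made a member of it.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -Path "CN=Users,$domainDN" `
        -Description "Members may connect to domain workstations with Remote Desktop"
}

# 2. Create the GPO and link it to the OU that contains the target computers.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
    New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null
}

# 3. "Allow users to connect remotely" (Remote Desktop Services policy):
#    fDenyTSConnections = 0 in the policy hive.
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
    -ValueName "fDenyTSConnections" -Type DWord -Value 0 | Out-Null

# 4. Domain Profile firewall exception for Remote Desktop. These are the registry values
#    behind "Windows Firewall: Allow Remote Desktop exception" in the Domain Profile folder
#    of the administrative templates. RemoteAddresses scopes the opening: keep it to the
#    local subnet plus the VPN pool rather than "*" (any address).
$fwKey = "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop"
Set-GPRegistryValue -Name $gpoName -Key $fwKey -ValueName "Enabled" -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $fwKey -ValueName "RemoteAddresses" -Type String `
    -Value "LocalSubnet,$vpnRange" | Out-Null

# 5. Restricted Groups ("Remote Desktop Users" with $groupName as a member) has no
#    GroupPolicy cmdlet. Set it in the GPMC editor under Computer Configuration >
#    Policies > Windows Settings > Security Settings > Restricted Groups.

# Show what the GPO now carries before letting it replicate.
Get-GPRegistryValue -Name $gpoName -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
Get-GPRegistryValue -Name $gpoName -Key $fwKey
```

One caveat on the Restricted Groups step: the "Members of this group" list replaces whatever is in the local Remote Desktop Users group on every refresh, so any local accounts that also need RDP have to be listed there too. If you only want to add RDPUsers without touching existing members, add RDPUsers as the restricted group instead and put Remote Desktop Users in its "This group is a member of" list.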

Is your issue resolved, or are you still facing the problem?
ronnie13Author Commented:
I haven't had a chance to look at it today. I'll get back to you Monday or Tuesday.
ronnie13Author Commented:
Hi again,

The problem is not only related to VPN users. Even if I'm in the office and trying to RDP from one PC on the domain to another, this is not possible. How can I open the RDP firewall port?
ronnie13Author Commented:
The problem is now solved by applying this policy:

Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Allow Remote Desktop Exception.

Thanks a lot for your help.
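A check to run on a domain workstation after gpupdate /force, to confirm that the Domain Profile exception from the accepted fix and the RDP settings from the earlier answer actually arrived and took effect. This is an added example, not code from the thread; it uses only what Windows 7 and Server 2008 R2 ship with (PowerShell 2.0, netsh, net) and reads the policy registry hive, the effective firewall rule, the active profile and the local group membership.

```powershell
# Added example, not from the thread: run elevated on a domain workstation after
# gpupdate /force to verify that the RDP policies discussed in this thread took effect.
# Uses only PowerShell 2.0, netsh and net so it works on Windows 7 / Server 2008 R2.
function Test-RdpPolicyApplied {
    $r = @{}

    # 1. Is RDP enabled, and does the value come from policy or the local setting?
    $polKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
    $locKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
    $pol = Get-ItemProperty -Path $polKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $loc = Get-ItemProperty -Path $locKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $deny = if ($pol) { $pol.fDenyTSConnections } else { $loc.fDenyTSConnections }
    $r.RdpEnabled     = ($deny -eq 0)
    $r.RdpSetByPolicy = [bool]$pol

    # 2. The Domain Profile "Allow Remote Desktop Exception" setting from the accepted
    #    fix, as it lands in the policy hive on the client.
    $fwKey = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop"
    $fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
    $r.FirewallExceptionByPolicy = ($fw -ne $null -and $fw.Enabled -eq 1)
    $r.FirewallExceptionScope    = if ($fw) { $fw.RemoteAddresses } else { "(none)" }

    # 3. The effective firewall rule and the profile currently in force. A PC sitting in
    #    the Private or Public profile ignores a Domain Profile exception entirely, which
    #    is worth checking before blaming the GPO.
    $rule = netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" 2>$null
    $r.RuleEnabled         = [bool]($rule | Select-String -Pattern '^Enabled:\s+Yes')
    $r.DomainProfileActive = [bool](netsh advfirewall show currentprofile |
                                    Select-String -Pattern 'Domain Profile')

    # 4. Local "Remote Desktop Users" membership, which Restricted Groups should have set.
    $lines = @(net localgroup "Remote Desktop Users" 2>$null)
    $r.RemoteDesktopUsers = @($lines | Where-Object {
        $_ -and $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command)' })

    # 5. Is the Remote Desktop service actually listening on TCP 3389?
    $r.ListeningOn3389 = [bool](netstat -ano -p tcp |
                                Select-String -Pattern ':3389\s+\S+\s+LISTENING')

    New-Object PSObject -Property $r
}

Test-RdpPolicyApplied | Format-List
```

If RdpSetByPolicy or FirewallExceptionByPolicy comes back False after a refresh, gpresult /r /scope computer shows whether the GPO was applied to the machine at all, or filtered out by link, security filtering or WMI filter. If DomainProfileActive is False the PC has not identified the domain network, and that is the thing to fix rather than the firewall exception.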