
Adding group to remote desktop group

I want to create a group in Active Directory and then give that group the ability to remote desktop into machines. What's the best and easiest way to do this? GPO?
Asked by: Thomas N

Santosh Gupta commented:
Hi,
A default group already exists in Active Directory, called "Remote Desktop Users". You can use that group.

Also, if you want to create another group, create a security group and configure the following policies.
RDP
 
0xSaPx0 commented:
GPO:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

“Allow Logon through Terminal Services”
 
Mahesh (Architect) commented:
The default Remote Desktop Users group in Active Directory is limited to domain controllers only.

You cannot use that group to log on to other machines remotely.

You must create a separate group and add it to the above-mentioned policy.
 
Thomas N (Systems Analyst - Windows System Administrator, Author) commented:
I created a security group and added it in GPO using "restricted groups". I added it to the local remote desktop group.

Does that sound right?
 
Mahesh (Architect) commented:
What you have done is also right.

But setting up the "Allow logon through Terminal Services" GPO is much simpler and more effective, as it will grant global rights to users who want to RDP to client machines.

Restricted Groups will be evaluated every time the machine is rebooted, which in my opinion is more than required.
 
Thomas N (Systems Analyst - Windows System Administrator, Author) commented:
I only want access to a certain group though. Won't this allow anyone in that OU remote desktop rights?
 
0xSaPx0 commented:
Just create a sub OU and add the group into it and assign the GP at that level.
 
Mahesh (Architect) commented:
Those users who want access only need to be added to the group, and this group only needs to be granted the logon through Terminal Services right.
Also ensure that the Administrators and Domain Admins groups are also added to the "Allow logon through Terminal Services" user right.
Otherwise your domain administrators and built-in administrators will face remote login issues on workstations.
Also, this GPO needs to be applied to the OU containing the computers.
Question has a verified solution.
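
An added audit example, not part of the original thread: after either approach discussed above (Restricted Groups or the "Allow logon through Terminal Services" user right, whose policy constant is `SeRemoteInteractiveLogonRight`), this script lists who actually ends up with RDP access on a computer. The group name `EXAMPLE\RDP-Allowed` and the `$Expected` list are placeholders to adjust.

```powershell
# Added example. Run elevated on a computer that receives the GPO.
$Expected = @('BUILTIN\Administrators', 'EXAMPLE\RDP-Allowed')  # placeholder names

function Resolve-PolicyEntry {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; account names are written as-is.
    $value = $Entry.Trim()
    if (-not $value.StartsWith('*')) { return $value }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($value.Substring(1))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # SID no longer resolves, e.g. a deleted group
}

function Get-RdpLogonRight {
    # Export only the user-rights area of the effective local security policy.
    $cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
        if (-not $line) { return @() }   # right assigned to nobody
        ($line -split '=', 2)[1] -split ',' |
            Where-Object { $_.Trim() } |
            ForEach-Object { Resolve-PolicyEntry $_ }
    }
    finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }
}

function Get-RdpUsersGroupMember {
    # S-1-5-32-555 is the well-known SID of the local Remote Desktop Users group.
    Get-LocalGroupMember -SID 'S-1-5-32-555' | Select-Object -ExpandProperty Name
}

# Combine both sources and flag every principal that is not on the expected list.
$report = @(
    Get-RdpLogonRight       | ForEach-Object { [pscustomobject]@{ Source = 'User right';  Principal = $_ } }
    Get-RdpUsersGroupMember | ForEach-Object { [pscustomobject]@{ Source = 'Local group'; Principal = $_ } }
) | Select-Object *, @{ n = 'Expected'; e = { $Expected -contains $_.Principal } }

$report | Format-Table -AutoSize
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected) { Write-Warning ("{0} unexpected RDP principal(s)" -f $unexpected.Count) }
```

Run it after `gpupdate /force` or a reboot so the exported policy reflects the GPO; any row with `Expected = False` is a principal that can reach RDP but is not on your list.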
