Solved

Adding group to remote desktop group

Posted on 2014-03-20
8
651 Views
Last Modified: 2014-03-28
I want to create a group in Active Directory and then give that group the ability to remote desktop into machines. Whats the best and easiest way to do this? GPO?
0
Comment
Question by:Thomas N
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 13

Accepted Solution

by:
Santosh Gupta earned 500 total points
ID: 39943344
Hi,
A default group is already exist in Active Directory, call "Remote desktop Users".  You can user that group.

Also if you want to create another group, create a security group and configure the following policies.
RDP
0
 
LVL 10

Expert Comment

by:0xSaPx0
ID: 39943346
GPO:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

“Allow Logon through Terminal Services”
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39943395
Default remote desktop users group in active directory will be limited to domain controllers only

You cannot use that group to logon to other machines remotely

You must create separate group and add that into above mentioned policy
0
Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

 

Author Comment

by:Thomas N
ID: 39943405
I created a security group and added it in GPO using "restricted groups". I added it to the local remote desktop group.

Does that sound right?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39943425
What you have done is also right

But setting up allow logon through terminal services GPO is much simple and more effective as it will grant global rights to users who wanted to take RDP of client machines

Restricted group will be getting evaluated every time machine get rebooted which is according to me is more than required
0
 

Author Comment

by:Thomas N
ID: 39943431
I only want access to a certain group though. Wont this allow anyone in that OU remote desktop rights?
0
 
LVL 10

Expert Comment

by:0xSaPx0
ID: 39943460
Just create a sub OU and add the group into it and assign the GP at that level.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39943464
those users who want access only need to be added to group and this group only need to grant logon through terminal services right
Also ensure that administrators and domain admins group will also be added in the allow logon through terminal services user right
Other wise your domain administrators and built-in administrators will face remote login issue on workstations
Also this GPO need to be applied to OU containing computers
0

Featured Post

[Webinar] How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question