Add users to Group with additional group

Hello there,

I am on windows 2003 and have users with remote desktop access. Sometimes I need to take away remote desktop access from them. I tried creating a group and added my users in that group but then I could not add the group to the remote desktop,so that when I remote my group from the remote desktop all my users will have no access to RDP. How can i do this. Now I have to go into the RDP group and select each users manually to remove them or to add them back. I want to know some easy way.

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

zolfAuthor Commented:
thanks for your comments. But this will also disable me as administrator. I want to disable RDP for a set of users for e.g. if i have 10 users then i want to disable 8 of them and let the other 2 work
Marwan OsmanCommented:

you have to create an AD security group and add to it the accounts of the users which you want to disable RDP for them.

and go to the group policy in AD and disable the RDP on that group:

"Windows Settings/Security Settings/Local Policies/User Rights Assignments/Deny Log on through Terminal Services." Add the groups you wish to deny
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

Marwan OsmanCommented:
once you configured the GPO, next time you want to disable RDP for a user you only have to add it to the AD group, and when you want to again enable it for him you simply remove his account from the group, and to force the change you go to the user PC and run gpupdate.exe /force from a cmd prompt as administrator
zolfAuthor Commented:
thanks for your comments. I dont have a active directory on my server. Can I still be able to get this done what you told me
Not sure why you are looking for a complicated way when a direct one exists, you want the user to no longer have access, either remove them from the Remote Desktop group,

Since you are on a single stand alone server, nesting group is completely unnecessary and complicates matters.
The group has to be a security group to work.

You can mange members of a group by looking at the group's properties member tab where you can kick users out or add users.

For your 10 user example to work, you would need two or multiple security groups and each group will have the users that you know in the future will need to be disabled at the same time.
John, Jane and Jim group1, Janet,Nancy, Amy group2 and Toby, Michael, tony group3
You now need to disabled Jane, Toby and Amy.  Instead of going through removing the three users from the Remote Desktop group membership, you now have to go to each group and removing a user at a time, or going through the properties of each user and removing the group.

You can script the addition/removal users from the Remote Desktop using vbscript.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
NVITEnd-user supportCommented:
Expanding Arnold's suggestion " can script the addition/removal..."

If you are logged on the server as admin... add a user:
net localgroup “Remote Desktop Users” domain\username /add

Open in new window remove a user:
net localgroup “Remote Desktop Users” domain\username /delete

Open in new window

To add/remove users remotely via command line, e.g. from your desk, use psexec from Microsoft... add a user:
psexec -u domain\adminname -p password net localgroup “Remote Desktop Users” domain\username /add

Open in new window remove a user:
psexec -u domain\adminname -p password net localgroup “Remote Desktop Users” domain\username /delete

Open in new window

If you don't want to pass the password, remove the -p option. Instead, you will be prompted for the adminname password.

After doing the above if affected user is logged on, either logoff then logon the user, or reboot the user's station
NVITEnd-user supportCommented:
If you make a script AdminRDC.bat:
@echo off
if [%2] equ [] (
  echo Syntax: %0 {username}  {Add^|Del}
  goto :eof
set username=%1
set option=%2
psexec \\servername -u domain\adminname net localgroup "Remote Desktop Users" %username% /%option%

Open in new window

NVITEnd-user supportCommented:
My prior post has an error:
Change all occurences of psexec -u domain\adminname to psexec \\servername -u domain\adminname
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.