Add users to Group with additional group

Hello there,

I am on Windows 2003 and have users with remote desktop access. Sometimes I need to take away remote desktop access from them. I tried creating a group and added my users to that group, but then I could not add the group to the remote desktop group, so that when I remove my group from the remote desktop group all my users will have no access to RDP. How can I do this? Now I have to go into the RDP group and select each user manually to remove them or to add them back. I want to know some easy way.

Not sure why you are looking for a complicated way when a direct one exists, you want the user to no longer have access, either remove them from the Remote Desktop group,

Since you are on a single stand alone server, nesting group is completely unnecessary and complicates matters.
The group has to be a security group to work.

You can manage members of a group by looking at the group's properties member tab where you can kick users out or add users.

For your 10 user example to work, you would need two or multiple security groups and each group will have the users that you know in the future will need to be disabled at the same time.
John, Jane and Jim group1; Janet, Nancy, Amy group2; and Toby, Michael, Tony group3.
You now need to disable Jane, Toby and Amy. Instead of going through removing the three users from the Remote Desktop group membership, you now have to go to each group and remove a user at a time, or go through the properties of each user and remove the group.

You can script the addition/removal of users from the Remote Desktop group using VBScript.

zolf (Author) Commented:
Thanks for your comments. But this will also disable me as administrator. I want to disable RDP for a set of users, e.g. if I have 10 users then I want to disable 8 of them and let the other 2 work.
Marwan Osman Commented:

You have to create an AD security group and add to it the accounts of the users for whom you want to disable RDP.

and go to the group policy in AD and disable the RDP on that group:

"Windows Settings/Security Settings/Local Policies/User Rights Assignments/Deny Log on through Terminal Services." Add the groups you wish to deny

Marwan Osman Commented:
Once you have configured the GPO, next time you want to disable RDP for a user you only have to add him to the AD group, and when you want to enable it for him again you simply remove his account from the group. To force the change, go to the user's PC and run gpupdate.exe /force from a cmd prompt as administrator.

zolf (Author) Commented:
Thanks for your comments. I don't have an Active Directory on my server. Will I still be able to get done what you told me?

Expanding Arnold's suggestion " can script the addition/removal..."

If you are logged on the server as admin... add a user:
net localgroup "Remote Desktop Users" domain\username /add

remove a user:
net localgroup "Remote Desktop Users" domain\username /delete

To add/remove users remotely via command line, e.g. from your desk, use psexec from Microsoft... add a user:
psexec -u domain\adminname -p password net localgroup "Remote Desktop Users" domain\username /add

remove a user:
psexec -u domain\adminname -p password net localgroup "Remote Desktop Users" domain\username /delete

If you don't want to pass the password, remove the -p option. Instead, you will be prompted for the adminname password.

After doing the above, if the affected user is logged on, either log the user off and back on, or reboot the user's station.

If you make a script AdminRDC.bat:
@echo off
rem Both arguments are required: the user name and the action.
if [%2] equ [] (
  echo Syntax: %0 {username}  {Add^|Del}
  goto :eof
)
set username=%1
set option=%2
rem Runs net localgroup on the server through psexec; psexec prompts for the admin password.
psexec \\servername -u domain\adminname net localgroup "Remote Desktop Users" %username% /%option%

My prior post has an error:
Change all occurrences of psexec -u domain\adminname to psexec \\servername -u domain\adminname
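
The add/remove commands from the answers above, applied to a whole list of users in one run on a stand-alone server; this is an added example, not code from the original posters. The script name BulkRDC.bat and the list file (one account name per line) are assumptions, and it is meant to be run at a console on the server itself, so no password is passed on a command line.

```batch
@echo off
rem Added example: bulk add/remove of accounts in the local "Remote Desktop Users" group.
rem Usage: BulkRDC.bat listfile add      or      BulkRDC.bat listfile delete
rem listfile is a hypothetical text file with one account name per line;
rem lines that start with a semicolon are skipped by for /f.
setlocal
set "LIST=%~1"
set "ACTION=%~2"
set "GROUP=Remote Desktop Users"

rem Accept only the two actions that net localgroup understands here.
if "%ACTION%"=="" goto :usage
if /i not "%ACTION%"=="add" if /i not "%ACTION%"=="delete" goto :usage
if not exist "%LIST%" (
  echo List file not found: %LIST%
  exit /b 1
)

set FAILED=0
for /f "usebackq tokens=* delims=" %%U in ("%LIST%") do call :change "%%U"

rem Show the resulting membership so the change can be verified at a glance.
echo.
echo Current members of "%GROUP%":
net localgroup "%GROUP%"
exit /b %FAILED%

:change
rem net localgroup returns a non-zero errorlevel when the account is unknown,
rem is already a member on add, or is not a member on delete.
net localgroup "%GROUP%" "%~1" /%ACTION% >nul 2>&1
if errorlevel 1 (
  echo NOT CHANGED  %~1
  set FAILED=1
) else (
  echo CHANGED      %~1
)
goto :eof

:usage
echo Syntax: %~nx0 {listfile} {add^|delete}
exit /b 1
```

Keeping one list file per set of users that are disabled together gives the group-like behaviour asked for in the question without nesting local groups.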
Question has a verified solution.
