How to allow other domain users to RDP to certain servers (Read problem)

I have an InfoSec team who would like to have Remote Desktop access to all machines in the domain. But I also have a group of software engineers, with regular accounts, who would like to have RDP access to certain servers. I am kind of stuck here. Let me lay out what I have:

I have a GPO called CORP_RDP_SEC_AllServers linked at the domain. This GPO enables the InfoSec team to RDP into any machine in the domain by adding the InfoSec team to the "Remote Desktop Users" group on every computer in the domain.

OK, so it looks like certain domain users need to have RDP access to some servers under the Servers OU. How do I allow those users to have RDP access, given that I already have the GPO "CORP_RDP_SEC_AllServers" for the InfoSec team?

CORP_RDP_SwEng_Servers: this GPO contains all the users who need RDP access into the Servers OU.

See attachment (Global Policy Management). Thanks for your help.

namerg (Systems Administrator) asked:
Cliff Galiher commented:
There is no attachment, but you also didn't lay out the issue you are having. It seems a pretty straightforward new GPO linked to the server OU. But I assume you can't or don't want to do that for some reason.

As an aside, you'll need to be careful regarding engineers remoting into a server. If they aren't doing admin tasks on the server itself, but are using it to compile, test, or otherwise do application tasks, that triggers remote desktop licensing needs. And enabling and licensing RDS on the server effectively means you won't need a GPO at all, as RDS inherently would let you define group access by the RDS deployment. Bringing it full circle back to your original question.

namerg (Systems Administrator, author) commented:
Hello Cliff, I just added the attachment. If you read the description along with the attachment, it might give you a better understanding of what I am facing. Thanks for your help.
Cliff Galiher commented:
Still not understanding the problem. Usual GPO precedence means the policy in the OU will apply, so I see no reason the design as pictured won't work. You haven't stated what the problem is with the design you pictured or what failure/issue you are having. Seems like you posted your own solution, and had described it before that.
namerg (Systems Administrator, author) commented:
CORP_RDP_SEC_AllServers -> This one contains the InfoSec team, which gets RDP access to all servers. Good. But this one, CORP_RDP_SwEng_Servers, contains the software engineers, who should be able to RDP to certain servers, which is the goal.

But if I link CORP_RDP_SwEng_Servers to the Servers OU, it will remove the members of CORP_RDP_SEC_AllServers from the Remote Desktop Users group and replace them with the members of CORP_RDP_SwEng_Servers.

How can I have the members of both CORP_RDP_SEC_AllServers and CORP_RDP_SwEng_Servers remote into the servers in the Servers OU?

Cliff Galiher commented:
Well, hopefully you are doing this by security group. Add/remove members to the security group so you aren't re-editing the group policy with every staff change.

Then, add BOTH security groups to your nested OU GPO. Yes, the GPO supersedes the domain GPO. But since that GPO now has the InfoSec AND developer security groups, members of either group have access.
namerg (Systems Administrator, author) commented:
Yes, I am using security groups.
Well, that is one way, but I do not want the members of CORP_RDP_SwEng_Servers to access all servers, which would happen if I add their security group to CORP_RDP_SEC_AllServers. Thanks
Cliff Galiher commented:
It sounds like you're confusing security groups, OUs, and GPOs. If you add both groups to the OU-linked GPO and only add the InfoSec group to the domain-linked GPO, then members of the other group would only have access to the servers in the OU, since only servers in that OU would get the GPO with them granted that set of permissions. Servers not in that OU don't get that OU GPO, but would get the domain GPO, which doesn't have the developers in the Remote Desktop Users setting.

InfoSec would have access to all servers in the domain because the servers get those permissions from both GPOs.

In short. I'm either missing a part of your explanation or I'm not sure why you think it'd work differently. Maybe using more distinct names would help you see it more visually.
Cliff Galiher commented:
Put another way, you have two security groups:

InfoSec_users
SwEng_users

Then you have the two GPOs above.

Add InfoSec_users to the Remote Desktop Users security setting in the Corp_RDP_Sec_AllServers GPO.
Add InfoSec_users *AND* SwEng_users to the Corp_RDP_SwEng_Servers GPO.

SwEng_users won't have access to servers that don't get that GPO, which is determined by where the server is in the OU structure.

I'm *NOT* saying to add SwEng_users to the RDP_Sec_AllServers GPO. I *am* saying to add both groups to the SwEng_Servers group (so that InfoSec_users doesn't get replaced out by the superseding GPO).

Make sense?
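The replace behaviour described in this thread is how the Restricted Groups "Members of this group" setting works: the closest winning GPO's member list is enforced verbatim, so the OU-linked GPO must list every group that should remain in Remote Desktop Users. (The companion "This group is a member of" setting is additive rather than a replacement, which is the other common way to avoid the clobbering.) Whichever way the GPOs are built, it is worth verifying the effective result on the machines themselves rather than trusting the design. The following PowerShell is an added example and not code from the original thread; the OU distinguished name, the domain NetBIOS name and the two group names are hypothetical placeholders, and it assumes WinRM is reachable and the servers run Windows Server 2016 or later (for Get-LocalGroupMember).

```powershell
# Added verification example (not from the original thread).
# Assumptions (hypothetical values, replace with your own):
#   - Servers OU DN, domain NetBIOS name and group names below
#   - WinRM enabled on the servers, caller may read local groups
#   - Windows Server 2016+ (Get-LocalGroupMember)
$ServersOU    = 'OU=Servers,DC=corp,DC=example'
$InfoSecGroup = 'CORP\InfoSec_users'   # expected on every server
$SwEngGroup   = 'CORP\SwEng_users'     # expected ONLY on servers in the Servers OU

Import-Module ActiveDirectory

# Servers that should carry the OU-linked GPO (CORP_RDP_SwEng_Servers)
$ouServerNames = (Get-ADComputer -SearchBase $ServersOU -Filter 'OperatingSystem -like "*Server*"' `
                    -Properties OperatingSystem).Name

# Every server in the domain, so servers outside the OU are checked as well
$allServerNames = (Get-ADComputer -SearchBase (Get-ADDomain).DistinguishedName `
                     -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem).Name

# Read the *effective* local Remote Desktop Users membership on each server
$membership = Invoke-Command -ComputerName $allServerNames -ErrorAction SilentlyContinue -ScriptBlock {
    # -ErrorAction Continue: orphaned SIDs in the group must not abort the read
    $members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction Continue |
               ForEach-Object Name
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Members  = @($members)
    }
}

# Compare what is actually on the box against what the two GPOs should produce
$report = foreach ($m in $membership) {
    $inOU         = $ouServerNames -contains $m.Computer
    $hasInfoSec   = $m.Members -contains $InfoSecGroup
    $hasSwEng     = $m.Members -contains $SwEngGroup
    $expectSwEng  = $inOU        # developers belong only on Servers-OU machines

    $problems = @()
    if (-not $hasInfoSec)            { $problems += 'InfoSec missing (clobbered by OU GPO?)' }
    if ($hasSwEng -and -not $inOU)   { $problems += 'SwEng present outside Servers OU' }
    if (-not $hasSwEng -and $inOU)   { $problems += 'SwEng missing inside Servers OU' }

    [pscustomobject]@{
        Computer     = $m.Computer
        InServersOU  = $inOU
        HasInfoSec   = $hasInfoSec
        HasSwEng     = $hasSwEng
        ExpectSwEng  = $expectSwEng
        Status       = if ($problems) { $problems -join '; ' } else { 'OK' }
    }
}

$report | Sort-Object InServersOU, Computer | Format-Table -AutoSize

# Servers that did not answer WinRM are unverified, not known-good; list them explicitly
$unreached = $allServerNames | Where-Object { $_ -notin $membership.Computer }
if ($unreached) { Write-Warning ("Not verified (no WinRM response): " + ($unreached -join ', ')) }
```

Run it after a `gpupdate /force` on a representative server in the OU and one outside it. Any row whose Status is not OK points at a precedence problem; on that machine `gpresult /scope computer /r` shows which GPO won the Restricted Groups setting. The "InfoSec missing" condition is exactly the symptom the question describes, and it should disappear once both groups are listed in the OU-linked GPO.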

namerg (Systems Administrator, author) commented: got it.