Remote Desktop Users group permissions Active Directory

In this article, we will show you how to enable Remote Desktop Protocol on computers in an Active Directory domain, and add domain users to the Remote Desktop Users access group using Group Policies.

Hint. We have previously covered how to enable RDP manually, locally or remotely.

1. Open the Active Directory Users and Computers console [dsa.msc], and create a new group AllowRDPAccess. You need to add users to this domain security group who need to allow RDP access to computers;
   
2. Open the domain GPO management mmc snap-in [gpedit.msc]: Start > Control Panel > Administrative Tools > Group Policy Management;
3. Right click on the Active Directory container [OU] with computers, and select Create a GPO in this domain and link it here;
4. Specify the GPO name: AllowRDP;
5. Right click on the new GPO object and select Edit;
   
6. Allow RDP connections in the domain profile of Windows Defender Firewall with Advanced Security. Go to the following GPO section: Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall. Find and enable the option Windows Firewall: Allow Remote Desktop Exception. Here you can additionally specify from which IP subnets the RDP connection is allowed [it will increase the security of your computers]. Specify your IP addresses or subnets, for example 192.168.1.0/24;
   
7. Enable Remote Desktop Protocol on the computers. Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Allow Users to connect remotely by using Remote Desktop Services = Enabled;
   
8. Now you need to add the previously created domain group AllowRDPAccess to the local Remote Desktop Users group on all computers in the OU. Expand the following GPO section: Computer Configuration > Windows Settings > Security Settings > Restricted Groups. Right click and select Add Group. Specify the group name Remote Desktop Users > OK. Then in the Members of this group section add your domain security group AllowRDPAccess;
   
9. It remains to update the Group Policy settings on computers [can be manually updated with the command gpupdate /force]. Now check that RDP is enabled in the properties of the computer and the domain group AllowRDPAccess has now been added to the Remote Desktop Users local group [Computer > Manage, expand System Tools > Local Users and Groups > Groups > Remote Desktop Users].

Now users from the specified domain group will be able to connect to any computer in your organizational unit in the Active Directory via RDP.

Related Post

• How to Restore Domain Controller From Backup?

  In the previous article, we covered how to backup an Active Directory domain controller using

• Enable External Email Forwarding in Microsoft 365 [Office 365]

  By default, Microsoft 365 tenant [formerly referred to as Office 365] prevents users from configuring

• How to Sync Client Time with Domain Controller on Windows?

  For properly functioning in a domain, a Windows computers time must be synchronized with the

• Active Directory
• Windows

How to Restore Domain Controller From Backup?

In the previous article, we covered how to backup an Active Directory domain controller using

• Miscellaneous

Installing Active Directory Users and Computers MMC Snap-in on Windows 10/11

One of the main Active Directory domain management tools is the MMC [Microsoft Management Console]

• PowerShell

How to Run PowerShell Script on Remote Computer?

You can use PowerShell Remoting [appeared in PowerShell 2.0] to run commands on one or

• Active Directory
• Windows

Join Domain and Login over a VPN Connection

This is a short tutorial on how to join a computer to a domain over

• PowerShell

Configuring Domain Password Expiration Policy

In the Active Directory domain, a password expiration policy can be configured. It forces the

• Office 365
• Windows

Enable External Email Forwarding in Microsoft 365 [Office 365]

By default, Microsoft 365 tenant [formerly referred to as Office 365] prevents users from configuring