Monday, February 6, 2017

How to enable remote desktop protocol via Group Policy

It is deceptively challenging to enable Terminal Services / Remote Desktop Protocol / RDP in an automated fashion across an entire domain (or in an entire OU within a domain).  At least it was to me.  The task is pretty easy if you only want to grant this access to administrators; but we have IT interns at my office, and I want them to be able to get to the console of servers but have limited permissions once there.  In other words, they aren't administrators.

What makes this challenging is that there is a Group Policy setting for "Allow log on through Remote Desktop Services."  At first glance it appears this is all you need to set and you'll be done.  However, there is one more step that must be taken IF the user you wish to grant rights to is not a member of the local Administrators group (or the Remote Desktop Users group) on the computer they'll be connecting to.  This was my case. 

I created a new AD group called "Domain Admins (limited)" and added the intern's account to this group.  I configured this group to have the "Allow log on through Remote Desktop Services" user right (details below).  However, he could not establish a successful connection via RDP.  When he tried he got this message:

Error: The connection was denied because the user account is not authorized for remote login.

After some research I came across this excellent blog post that explained what was going on and got me most of the way to where I wanted to be.  After putting together a few more pieces I thought I'd create my own blog post that would provide complete step-by-step instructions for this setup.  

If you want to provide RDP access to all the computers on a domain (or OU) for an AD group that you've created, here's how to do it:
Create your AD group and add the desired members.  The group and its members are not required to have domain administrative or even local administrative privileges.
Specify the group created above in the following setting in the appropriate Group Policy Object (GPO): Computer Configuration| Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignment | Allow log on through Remote Desktop Services.
Here's the part I had missed initially: Configure a Group Policy setting to add your new group to the local Remote Desktop Users group, as follows.  
  1. In the Group Policy Editor, locate and edit the appropriate GPO.
  2. Go to Computer Configuration | Preferences | Control Panel Settings | Local Users and Groups.  Click it (to highlight) on the left side.
  3. Right-click in the right pane and select New | Local Group...
  4. TYPE the name of the local group (DO NOT choose from the Group Name drop down list).  The group name should be Remote Desktop Users
  5. Click Add... at the bottom
  6. Click the "..." button and search for/choose the group to be added to the local Remote Desktop Users group and click OK.
  7. Click OK on the Local Group Member dialog.
  8. Click OK on the Remote Desktop Users Properties dialog.
  9. Close the Group Policy Management Editor
Now your desired group will be inserted into the Remote Desktop Users local group for all the computers in the Domain (or OU).

EDITED 2/23/17 to advise to not use the drop-down list for selecting the local group name.  If you do, the name of the group will be "Remote Desktop Users (built-in)", and a new group with that name will be created for you.  That's not what you want.