Grant Remote Desktop access to domain user

In this article, we will show you how to enable Remote Desktop Protocol on computers in an Active Directory domain, and add domain users to the Remote Desktop Users access group using Group Policies.

Hint. We have previously covered how to enable RDP manually, locally or remotely.

1. Open the Active Directory Users and Computers console [dsa.msc], and create a new group AllowRDPAccess. You need to add users to this domain security group who need to allow RDP access to computers;
   
2. Open the domain GPO management mmc snap-in [gpedit.msc]: Start > Control Panel > Administrative Tools > Group Policy Management;
3. Right click on the Active Directory container [OU] with computers, and select Create a GPO in this domain and link it here;
4. Specify the GPO name: AllowRDP;
5. Right click on the new GPO object and select Edit;
   
6. Allow RDP connections in the domain profile of Windows Defender Firewall with Advanced Security. Go to the following GPO section: Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall. Find and enable the option Windows Firewall: Allow Remote Desktop Exception. Here you can additionally specify from which IP subnets the RDP connection is allowed [it will increase the security of your computers]. Specify your IP addresses or subnets, for example 192.168.1.0/24;
   
7. Enable Remote Desktop Protocol on the computers. Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Allow Users to connect remotely by using Remote Desktop Services = Enabled;
   
8. Now you need to add the previously created domain group AllowRDPAccess to the local Remote Desktop Users group on all computers in the OU. Expand the following GPO section: Computer Configuration > Windows Settings > Security Settings > Restricted Groups. Right click and select Add Group. Specify the group name Remote Desktop Users > OK. Then in the Members of this group section add your domain security group AllowRDPAccess;
   
9. It remains to update the Group Policy settings on computers [can be manually updated with the command gpupdate /force]. Now check that RDP is enabled in the properties of the computer and the domain group AllowRDPAccess has now been added to the Remote Desktop Users local group [Computer > Manage, expand System Tools > Local Users and Groups > Groups > Remote Desktop Users].

Now users from the specified domain group will be able to connect to any computer in your organizational unit in the Active Directory via RDP.

Related Post

• How to Check CPU Temperature in Windows?

  You need to monitor CPU temperatures in Windows to prevent your system from overheating and

• HTTP/HTTPS Requests via Invoke-WebRequest PowerShell Cmdlet

  The Invoke-WebRequest cmdlet allows you to send HTTP/HTTPS/FTP requests, receive and process responses, and return

• How to Reserve IP Address on Windows Server DHCP?

  DHCP reservation is the creation of a special entry on the DHCP server. Thanks to

• Active Directory

Enable/Disable MFA in Azure Active Directory

It used to be that username and password were the most secure way to authenticate

• Operating System
• Windows

How to Delete COM Port In Use?

Every time you plug in a COM or USB device to your computer, Plug-n-Play service

• Active Directory

ADSI Edit: How to View and Change Active Directory Object Properties?

The ADSI Edit tool [Active Directory Service Interface Editor] is a special mmc snap-in. It

• Office 365

How to Disable Multi Factor Authentication [MFA] in Office 365?

Multi Factor Authentication [MFA] in Microsoft 365 [Office 365] is an authentication method that requires

• Miscellaneous

Configure NTP Time Sync Using Group Policy

The Windows Time service is the basis for the normal functioning of the Active Directory

• Active Directory

Active Directory Organizational Unit [OU]: Ultimate Guide

Organizational Unit [OU] is a container in the Active Directory domain that can contain different