How do I allow remote desktop connection via group policy?
What is Remote Desktop Group Policy
Almost all users who are interested in building secure connections between computers over the internet will have heard of RDP or VPN. RDP stands for Remote Desktop Protocol. It is a network communications protocol developed by Microsoft that lets a user connect to another computer over a network.
With RDP, one can connect to any Windows computer on which Remote Desktop has been enabled. You connect to the remote PC, see the same display and interact with it as if you were working on that machine locally. Some instances where you may need to use RDP include:
How to Enable Remote Desktop Remotely on Windows 10
The easiest way to enable Remote Desktop on the Windows operating system family is to use the graphical user interface (GUI): open the "System" control panel, go to "Remote settings" and enable the "Allow remote connections to this computer" option in the Remote Desktop section. Performing this process, however, requires local access to the computer on which you want to enable Remote Desktop. By default, Remote Desktop is disabled both in the desktop editions of Windows and in Windows Server.

How to Enable Remote Desktop Remotely Using PowerShell
Suppose you want to remotely enable RDP on Windows Server 2012 R2/2016/2019. Here is the procedure to achieve that:
How to Enable/Disable Remote Desktop Using Group Policy
You can enable or disable Remote Desktop using Group Policy. To do so, perform the following steps:
Now you will have enabled or disabled Remote Desktop using Group Policy.

Network Level Authentication (NLA) on the remote RDP server
Network Level Authentication is a method used to enhance RD Session Host server security by requiring that a user be authenticated to the RD Session Host server before a session is created. If you want to restrict who can access your PC, you can choose to allow access only with Network Level Authentication (NLA). When a user tries to connect to a device with NLA enabled, the client-side Security Support Provider (CredSSP) passes the user's credentials to the server for authentication before the server creates a session, so an unauthenticated client never reaches the logon screen or consumes the session resources behind it. The advantages of Network Level Authentication are:
To configure Network Level Authentication for a connection, follow the steps below:
Note: in step 3, if the "Allow connections only from computers running Remote Desktop with Network Level Authentication" checkbox is not enabled, the "Require user authentication for remote connections by using Network Level Authentication" Group Policy setting has to be enabled and applied to the RD Session Host server.

Enable Remote Desktop via Group Policy
The biggest problem you could potentially face is having the permissions to modify any GPOs at all. I'm going to assume you have the permissions, so we'll just continue with a bullet list that is easy to follow.
Now that we have added the local ports, we’ll need to enable the Remote Desktop Session Host policies.
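Before and after pushing any of the settings described in the sections above (the registry toggle, the NLA requirement, the firewall rule and the service), it helps to be able to read back what a machine is actually enforcing. The following is an added example, not code from the page, that reports the effective RDP posture of one or more hosts. It assumes PowerShell 5.1 or later, WinRM reachability for remote hosts, and uses the placeholder host names WS01 and WS02.

```powershell
# Added example (not from the page). Read-only check of RDP posture: is RDP
# enabled, is NLA required, which security layer is set, is the "Remote Desktop"
# inbound firewall rule group on, and what state is TermService in.
# A value written by Group Policy (under HKLM\SOFTWARE\Policies) takes precedence
# over the local value, so both locations are consulted and the source reported.

function Get-RdpPosture {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    $probe = {
        $local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
        $rdpTcp = "$local\WinStations\RDP-Tcp"
        $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

        # Policy value wins; fall back to the local value; report where it came from.
        function Get-Effective([string]$Name, [string]$LocalKey) {
            $p = Get-ItemProperty -Path $policy -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $p) { return [pscustomobject]@{ Value = $p.$Name; Source = 'Policy' } }
            $l = Get-ItemProperty -Path $LocalKey -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $l) { return [pscustomobject]@{ Value = $l.$Name; Source = 'Local' } }
            [pscustomobject]@{ Value = $null; Source = 'Absent' }
        }

        $deny = Get-Effective 'fDenyTSConnections' $local
        $nla  = Get-Effective 'UserAuthentication' $rdpTcp
        $sec  = Get-Effective 'SecurityLayer'      $rdpTcp
        $fw   = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                  Where-Object { $_.Direction -eq 'Inbound' })
        $off  = @($fw | Where-Object { "$($_.Enabled)" -ne 'True' })
        $svc  = Get-Service -Name TermService

        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            RdpEnabled      = ($deny.Value -eq 0)
            RdpSource       = $deny.Source
            NlaRequired     = ($nla.Value -eq 1)
            NlaSource       = $nla.Source
            SecurityLayer   = $sec.Value          # 0 = RDP, 1 = negotiate, 2 = TLS only
            FirewallRulesOn = ($fw.Count -gt 0 -and $off.Count -eq 0)
            TermService     = "$($svc.Status)/$($svc.StartType)"
        }
    }

    foreach ($c in $ComputerName) {
        try {
            if ($c -ieq $env:COMPUTERNAME) { & $probe }
            else { Invoke-Command -ComputerName $c -ScriptBlock $probe -ErrorAction Stop }
        } catch {
            # Unreachable host or WinRM refused: report it instead of aborting the sweep.
            [pscustomobject]@{ Computer = $c; Error = $_.Exception.Message }
        }
    }
}

# Placeholder host names.
Get-RdpPosture -ComputerName 'WS01', 'WS02' | Format-Table -AutoSize
```

A host that shows RdpEnabled True with NlaRequired False is the case the NLA section warns about: anyone who can reach TCP/3389 gets a logon screen before presenting credentials. SecurityLayer 2 additionally stops a client negotiating down to legacy RDP security.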
Problem
Rather than enabling on an ad-hoc basis, you want to turn on RDP for multiple machines via Group Policy.
16 Replies
EminentX:
Have you seen this? https://softwarekeep.com/help-center/how-to-enable-remote-desktop-on-windows
bucko:
Create a security group "Remote users" and add the users that are allowed to work through RDP. Create a GPO to allow the group to log on through RDS: Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment | Allow log on through Remote Desktop Services, add group "Remote users". Publish this GPO to all computers that you want your users to have access to (you can create another security group "RDS Stations" and use a security filter on the GPO). In the GPO set:
The above will enable all users to access all workstations!! If you would like to keep a hand on who can connect where, then you'll need to set up an RD Connection Broker and Gateway...
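The "Enable Remote Desktop via Group Policy" section of the article and bucko's answer both describe the same build: two security groups, one GPO carrying the Terminal Services settings, security filtering so it lands only on the intended computers. The following is an added example, not bucko's or the page's code, that scripts that build with the ActiveDirectory and GroupPolicy modules from a machine with RSAT. The domain DN, OU names and group names are placeholders.

```powershell
# Added example (not from the page or the thread). Builds the GPO described
# above: groups, the Terminal Services policy values GPMC would write, security
# filtering on a computer group, and the OU link. Run as a user who may create
# GPOs and groups; all names below are placeholders.

Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=example'                  # placeholder
$groupOu  = "OU=Groups,$domainDn"                 # placeholder
$wsOu     = "OU=Workstations,$domainDn"           # placeholder
$gpoName  = 'Enable Remote Desktop'

# 1. Who may log on over RDP, and which computers the policy applies to.
New-ADGroup -Name 'Remote Users' -GroupScope Global -GroupCategory Security -Path $groupOu
New-ADGroup -Name 'RDS Stations' -GroupScope Global -GroupCategory Security -Path $groupOu
$stations = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $wsOu
Add-ADGroupMember -Identity 'RDS Stations' -Members $stations

# 2. The GPO and the registry-backed Terminal Services settings. These are the
#    values behind "Allow users to connect remotely by using Remote Desktop
#    Services", "Require user authentication ... NLA" and "Require use of
#    specific security layer" under Computer Configuration > Administrative
#    Templates > Windows Components > Remote Desktop Services.
$gpo = New-GPO -Name $gpoName -Comment 'Allow RDP, require NLA, TLS security layer'
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'fDenyTSConnections' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'UserAuthentication'  -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'SecurityLayer'       -Type DWord -Value 2 | Out-Null

# 3. Security filtering: apply only to RDS Stations. Authenticated Users keeps
#    Read (not Apply); since MS16-072 the computer account must be able to read
#    the GPO or it is silently skipped during computer policy processing.
Set-GPPermission -Name $gpoName -TargetName 'RDS Stations'        -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Link it where the workstations live.
New-GPLink -Name $gpoName -Target $wsOu -LinkEnabled Yes | Out-Null

# Review what was written before telling anyone to run gpupdate.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

Two settings from the procedure cannot be written with Set-GPRegistryValue and still have to be set in the GPMC editor on this GPO: the "Allow log on through Remote Desktop Services" user right (it lives in the security template, not the registry) and the predefined "Remote Desktop" inbound firewall rule. Also note that a computer only picks up membership of RDS Stations in its token after a reboot, so a freshly added workstation will not apply the filtered GPO on a plain gpupdate /force.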
Cashif2106, Oct 12, 2020 at 11:41 UTC:
EminentX, I have installed a domain controller and want to enable Remote Desktop on all client workstations through a group policy on the domain controller.
Cashif2106, Oct 12, 2020 at 11:42 UTC:
bucko, thanks, let me follow the steps you have mentioned and if I have any issues I will get back to you. Thanks for your concern.
Cashif2106, Oct 12, 2020 at 11:52 UTC:
bucko, will these settings enable Remote Desktop on the client workstations or not? My concern is: what if the Remote Desktop service is disabled on the client computer, will this GPO setting enable the client's Remote Desktop or not? Please acknowledge. Thanks.
Cashif2106, Oct 12, 2020 at 13:12 UTC:
bucko, I have done all the steps according to your instructions, but Remote Desktop is still disabled on the client machine. Please check the attached files for your kind consideration. Thanks.
Cashif2106, Oct 12, 2020 at 13:14 UTC:
bucko, I missed one screenshot from the client computer which shows that Remote Desktop is still disabled even after applying the GPO.
C.J.R.:
The solution provided by bucko is correct and the answer you are looking for: yes, it will enable the Remote Desktop service if it is disabled on the client computer.
bucko:
It should work... Open cmd as admin and run the command: gpupdate /force. You can post the results (blur your information)... Also, next time try to post screenshots with less real estate, as we can't read such small fonts :)
thelanranger:
Alternate process if you so choose:
1) You have to apply a GPO policy for the firewall to allow RDP (or disable the Windows firewall). (Alternatively you could script a line for netsh advfirewall firewall set rule group="remote desktop" new enable=Yes.)
2) Then set HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server. Change the value of "fDenyTSConnections" to "0". You can do this with GPO. (Alternatively, you could script a line for reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f.)
3) Then you need to start the Remote Desktop Services service and set it to 'Auto' (this could be sc config TermService start= auto followed by sc start TermService).
At this point you should be good to go.

netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
sc config TermService start= auto
sc start TermService
Supaplex (Best Answer):
An excellent guide that completely covers the matter of remotely enabling Remote Desktop can be found here: http://www.hyper-v.io/remotely-enable-remote-desktop-another-computer/. I would recommend you follow the described steps on one of the PCs (remotely) and, if you succeed, wrap all the actions within a small PowerShell script that will cycle through all the computers in the domain.
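The article's "How to Enable Remote Desktop Remotely Using PowerShell" section and Supaplex's suggestion to wrap the steps in a script that cycles through the domain call for the same thing. The following is an added example, not the linked guide's or the page's code, that applies the three changes the thread describes (registry toggle, firewall rule group, service) plus the NLA requirement to every enabled computer in an OU over WinRM, and reports per-host results. The OU path and the requirement that WinRM is reachable (enabled by default on Windows Server, not on client editions) are assumptions.

```powershell
# Added example (not from the page or the linked guide). Enables Remote Desktop
# on every enabled computer in an OU via Invoke-Command. Requires WinRM on the
# targets and local admin rights there; the OU path is a placeholder.

Import-Module ActiveDirectory

$ou      = 'OU=Workstations,DC=corp,DC=example'   # placeholder
$targets = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $ou |
           Select-Object -ExpandProperty DNSHostName

$enableRdp = {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # 1. Allow connections. If a GPO also manages this, the value under
    #    HKLM\SOFTWARE\Policies wins over this local one.
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord

    # 2. Require NLA so the client authenticates before a session exists.
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord

    # 3. Open TCP/UDP 3389 through the predefined "Remote Desktop" rule group
    #    rather than a hand-written any/any rule.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    # 4. The service itself: the case the thread asks about where TermService
    #    is disabled on the client.
    Set-Service -Name TermService -StartupType Automatic
    if ((Get-Service -Name TermService).Status -ne 'Running') { Start-Service -Name TermService }

    # Read back rather than assume.
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        RdpEnabled = ((Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0)
        Nla        = ((Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1)
        Service    = (Get-Service -Name TermService).Status
    }
}

# Fan out to all hosts at once; unreachable hosts land in $failures instead of
# stopping the run. The ErrorRecord's TargetObject carries the host name.
$results = Invoke-Command -ComputerName $targets -ScriptBlock $enableRdp `
                          -ErrorAction SilentlyContinue -ErrorVariable failures

$results  | Format-Table Computer, RdpEnabled, Nla, Service -AutoSize
$failures | ForEach-Object { 'FAILED {0}: {1}' -f $_.TargetObject, $_.Exception.Message }
```

Run once against a single PC by replacing $targets with its name, as Supaplex suggests, before pointing it at the OU. Enabling RDP this way says nothing about who may log on: a user who is not a local administrator and not in Remote Desktop Users (or granted the "Allow log on through Remote Desktop Services" right) still gets "not authorized for remote login", which is the next question in this thread.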
Cashif2106, Oct 13, 2020 at 08:41 UTC:
Supaplex, thanks for your concern. Remote connection is enabled on the client computer through the steps mentioned in the link above, but I am facing an issue now: when I try to log in with the user accounts I created in the domain, who are only domain users, the error pops up "The connection was denied because the user account is not authorized for remote login". My concern is that I want to allow all domain users to log in to Remote Desktop sessions. Is there any option where I can add the users who I want to allow to connect remotely, or are only users with administrator rights allowed to log in?
Cashif2106, Oct 13, 2020 at 09:10 UTC:
bucko, sorry for the inconvenience, the issue is resolved now. I was missing one setting in the GPO; now the security setting is enabled and it's working. Remote Desktop is enabled. Thanks for your concern :)
Cashif2106, Oct 14, 2020 at 08:56 UTC:
I want to allow all domain users to log in to Remote Desktop sessions. Is there any option where I can add the users who I want to allow to connect remotely, or are only users with administrator rights allowed to log in? Please let me know how I can allow all domain users to log in through Remote Desktop. Right now only users with administrator rights are allowed to log in, but I want all domain users to be allowed to log in remotely. Thanks.
Cashif2106, Oct 14, 2020 at 08:59 UTC (to Supaplex):
I want to allow all domain users to log in to Remote Desktop sessions. Is there any option where I can add the users who I want to allow to connect remotely, or are only users with administrator rights allowed to log in? Please let me know how I can allow all domain users to log in through Remote Desktop. Right now only users with administrator rights are allowed to log in, but I want all domain users to be allowed to log in remotely. Thanks. Please check and acknowledge. Thanks.
bucko:
It's written above, where you add the security group of users who can connect... But you can't do it that way if you wish to link one user to one machine; this has to be done manually or with a gateway. You can try this command on each station: NET LOCALGROUP "Remote Desktop Users" domain\username /ADD. If you don't have many, you can create a simple bat and use psexec to run the command on each machine. This way you can add user1 to machine1 and user2 to machine2, etc... Edit: or add a script to your network share and have GPO run it on boot-up: the script deletes everything from the group and then you add whomever you want; the script just checks from the list which users are linked to its hostname.
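bucko's edit describes a computer startup script that resets the local Remote Desktop Users group and re-adds only the accounts mapped to that hostname. The following is an added example, not bucko's script, of that reconciliation in PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts). The CSV mapping, the CORP domain and the host names are constructed for the example; in production the mapping would sit on a share readable by Domain Computers and writable only by admins, since whoever can edit it decides who gets RDP.

```powershell
# Added example (not bucko's script). Reconcile the local "Remote Desktop Users"
# group against a hostname-to-user mapping. Domain principals not mapped to this
# host are removed, mapped ones are added; local accounts are left untouched.
# Members of the local Administrators group can always RDP regardless of this group.

# Constructed sample mapping (would normally be read from a share).
$Mapping = @'
Host,User
WS01,CORP\alice
WS01,CORP\bob
WS02,CORP\carol
'@ | ConvertFrom-Csv

function Get-DesiredMembers {
    param([string]$HostName, [object[]]$Map)
    @($Map | Where-Object { $_.Host -ieq $HostName } | ForEach-Object { $_.User })
}

function Sync-RdpUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$HostName = $env:COMPUTERNAME,
        [object[]]$Map    = $Mapping
    )
    $group = 'Remote Desktop Users'
    $want  = Get-DesiredMembers -HostName $HostName -Map $Map

    # Only touch domain principals; leave local accounts someone added deliberately.
    $have = @(Get-LocalGroupMember -Group $group |
              Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
              ForEach-Object { $_.Name })

    # -notcontains is case-insensitive, matching how Windows compares account names.
    $toRemove = @($have | Where-Object { $want -notcontains $_ })
    $toAdd    = @($want | Where-Object { $have -notcontains $_ })

    foreach ($m in $toRemove) {
        if ($PSCmdlet.ShouldProcess("$HostName\$group", "remove $m")) {
            Remove-LocalGroupMember -Group $group -Member $m
        }
    }
    foreach ($m in $toAdd) {
        if ($PSCmdlet.ShouldProcess("$HostName\$group", "add $m")) {
            # Fails cleanly if the principal does not exist; surface it rather than hide it.
            Add-LocalGroupMember -Group $group -Member $m
        }
    }

    [pscustomobject]@{ Host = $HostName; Removed = $toRemove; Added = $toAdd }
}

# Dry run first, then for real. As a startup script this runs as SYSTEM, which
# is what allows it to edit local groups.
Sync-RdpUsers -WhatIf
Sync-RdpUsers
```

A host with no rows in the mapping ends up with no domain members in the group, which is the safe default for an unlisted machine. Adding Domain Users to the group would reverse that and give everyone the right bucko's first answer warns about; keep the mapping per user or per small group. If the mapping is really "one user per machine", Group Policy Preferences (Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups) with item-level targeting on computer name can express the same thing without a script.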
This topic has been locked by an administrator and is no longer open for commenting. To continue this discussion, please ask a new question.