How do I allow remote desktop connection via group policy?

What is Remote Desktop Group Policy

Most people who have looked at connecting securely between computers over a network will have heard of RDP and VPN. RDP stands for Remote Desktop Protocol. It is a proprietary network protocol developed by Microsoft that lets a user open an interactive session on another computer.

With RDP you can connect to a Windows machine that has Remote Desktop enabled (Pro, Enterprise and Server editions can act as the host; Home editions can only act as a client), see its display and interact with it as if you were sitting at it. The RDP listener uses TCP port 3389 by default.

Some situations where you may need to use RDP include:

  • When travelling or on vacation and you need to access your work computer
  • When you cannot get to your office for some reason and still need to complete your daily tasks
  • When you are a system administrator and need to perform administrative work on a user's PC, such as troubleshooting, tune-ups, identity protection settings, printer set-up, software installation, email setup, virus and spyware removal, and so on
  • When you need to give a demo and must access data held on a private device
  • When you want to tune the remote session itself (resolution, connection settings, display, toolbar, Start menu, icons and so on)

How to Enable Remote Desktop on Windows 10 (GUI)

The simplest way to enable Remote Desktop on any Windows edition that supports it is the graphical user interface (GUI). To do this:

Open the "System" control panel, click "Remote settings" and, in the Remote Desktop section, select "Allow remote connections to this computer". Leave "Allow connections only from computers running Remote Desktop with Network Level Authentication" checked.

The drawback is that this requires local (console) access to the computer on which you want to enable RDP.

By default, Remote Desktop is disabled on both desktop editions of Windows and on Windows Server.

How to Enable Remote Desktop Remotely Using PowerShell

Suppose you want to enable RDP remotely on Windows Server 2012 R2/2016/2019 (the same steps work on Windows 10 Pro/Enterprise). You need PowerShell Remoting (WinRM) reachable on the target and an account with local administrator rights there. The procedure is:

  1. On your computer, open a PowerShell console and connect to the remote server:
     Enter-PSSession -ComputerName server.domain.local -Credential domain\administrator
  2. You now have an interactive remote session and can run PowerShell commands on that host. To enable Remote Desktop, change the registry value fDenyTSConnections from 1 to 0 on the remote machine:
     Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
  3. When RDP is enabled this way (as opposed to the GUI method), the Windows Firewall rule group that allows incoming RDP connections is not enabled automatically.
  4. To allow incoming RDP connections through Windows Firewall, enable the built-in rule group:
     Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
  5. If for some reason the built-in rule has been deleted, you can create one manually:
     netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
     Note that this rule applies to every firewall profile and any remote address; add profile= and remoteip= arguments to restrict it.
  6. To require Network Level Authentication (NLA), so that the client must authenticate before a session is created, run:
     Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1
  7. Now, from your computer, check whether TCP port 3389 on the remote host has become reachable:
     Test-NetConnection 192.168.1.11 -CommonTCPPort RDP
  8. If successful, the TcpTestSucceeded field in the output reads True.

That result means RDP on the remote host is enabled and you can establish a Remote Desktop session with the mstsc client.
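The eight steps above as one reusable function that runs them against several hosts and reads back the result. This is an added example, not code from the original article; it assumes PowerShell Remoting (WinRM) is reachable on the targets, that the caller is a local administrator there, and that the host names, OU and credential shown are placeholders. It goes slightly beyond the steps by optionally scoping the built-in firewall rules to a management subnet instead of leaving them open to any source address.

```powershell
# Added example (not from the original article): enable RDP on one or more
# remote hosts over PowerShell Remoting, require NLA, open the firewall and
# verify. Assumes WinRM is reachable and the caller is a local admin on the
# targets. Host names, OU and credentials below are placeholders.

function Enable-RemoteDesktopRemotely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $ComputerName,

        [pscredential] $Credential,

        # Optional: restrict the built-in "Remote Desktop" rules to these sources
        # (e.g. '10.10.50.0/24'). Leaving it empty keeps the rules open to any address.
        [string[]] $RemoteAddress,

        # Keep NLA on unless there is a documented reason not to.
        [switch] $DisableNla
    )

    process {
        foreach ($target in $ComputerName) {
            if (-not $PSCmdlet.ShouldProcess($target, 'Enable Remote Desktop')) { continue }

            $params = @{ ComputerName = $target; ErrorAction = 'Stop' }
            if ($Credential) { $params.Credential = $Credential }

            try {
                $result = Invoke-Command @params -ArgumentList (-not $DisableNla), $RemoteAddress -ScriptBlock {
                    param([bool] $RequireNla, [string[]] $Sources)

                    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

                    # 1. Allow connections (fDenyTSConnections: 1 = deny, 0 = allow).
                    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord

                    # 2. Require NLA so an unauthenticated client never reaches the logon screen.
                    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication `
                        -Value ([int]$RequireNla) -Type DWord

                    # 3. Enable the built-in, profile-aware rule group instead of adding an
                    #    ad-hoc any-source rule; optionally scope it to management sources.
                    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
                    if ($Sources) {
                        Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $Sources
                    }

                    # 4. Make sure the listener service is running.
                    if ((Get-Service -Name TermService).Status -ne 'Running') {
                        Start-Service -Name TermService
                    }

                    # Read back what was actually applied instead of assuming success.
                    [pscustomobject]@{
                        DenyConnections = (Get-ItemProperty -Path $ts).fDenyTSConnections
                        NlaRequired     = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp").UserAuthentication
                        EnabledRules    = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                                            Where-Object Enabled -eq 'True').Count
                    }
                }

                # 5. Confirm TCP 3389 is reachable from this management host.
                $probe = Test-NetConnection -ComputerName $target -CommonTCPPort RDP -WarningAction SilentlyContinue

                [pscustomobject]@{
                    ComputerName    = $target
                    DenyConnections = $result.DenyConnections   # expect 0
                    NlaRequired     = $result.NlaRequired       # expect 1
                    EnabledRules    = $result.EnabledRules
                    Port3389Open    = $probe.TcpTestSucceeded
                }
            }
            catch {
                Write-Warning "$target : $($_.Exception.Message)"
            }
        }
    }
}

# Usage (placeholder names), run from a management host as a domain admin:
# Get-ADComputer -SearchBase 'OU=Workstations,DC=domain,DC=local' -Filter * |
#     Select-Object -ExpandProperty Name |
#     Enable-RemoteDesktopRemotely -Credential (Get-Credential 'domain\administrator') `
#                                  -RemoteAddress '10.10.50.0/24' |
#     Format-Table
```

Because the function supports -WhatIf, you can dry-run it against the whole OU first; the returned object is what to keep as evidence that each host ended up with DenyConnections 0, NlaRequired 1 and the port actually reachable.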

How to Enable/Disable Remote Desktop Using Group Policy

You can enable or disable Remote Desktop on a single machine with the Local Group Policy Editor. To do so:

  1. Search for gpedit.msc in the Start menu and open it from the program list.
  2. After the Local Group Policy Editor opens, expand Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Connections.
  3. In the right-hand pane, double-click Allow users to connect remotely by using Remote Desktop Services.
  4. Select Enabled and click Apply if you want to enable Remote Desktop; select Disabled and click Apply if you need to disable it.

You have now enabled or disabled Remote Desktop with local group policy. Either setting takes precedence over the "Remote settings" checkbox in the System control panel (which becomes greyed out), and a domain GPO that configures the same setting takes precedence over the local policy.

Network Level Authentication NLA on the remote RDP server

Network Level Authentication is a method of hardening an RD Session Host server by requiring that the user be authenticated to the RD Session Host server before a session is created.

If you want to restrict who can reach your PC, you can allow access only with Network Level Authentication (NLA). NLA is a property of the RDP listener. When a client connects to an NLA-enabled host, the client authenticates first: the Credential Security Support Provider (CredSSP) on the client side passes the user's credentials to the server, and only after that authentication succeeds is a session created. Without NLA the server builds a full session and shows the logon screen to a client that has not yet proved who it is.

The advantages of Network Level Authentication are:

  • It consumes fewer resources on the remote computer up front, because no session is built until the user has authenticated.
  • It provides better security by reducing the risk of denial-of-service attacks and by keeping unauthenticated clients away from the logon screen and session-setup code.

To configure Network Level Authentication for a connection with the Remote Desktop Session Host Configuration tool (this snap-in exists on Windows Server 2008 R2; it was removed in Windows Server 2012, where you use the System >> Remote settings dialog, Group Policy, or the UserAuthentication registry value shown earlier instead), follow the steps below.

    1. On the RD Session Host server, open Remote Desktop Session Host Configuration: click Start >> Administrative Tools >> Remote Desktop Services >> Remote Desktop Session Host Configuration.
    2. Under Connections, right-click the name of the connection (RDP-Tcp by default) and click Properties.
    3. On the General tab, select the Allow connections only from computers running Remote Desktop with Network Level Authentication checkbox.
    4. Click OK.

Note for step 3: if the checkbox is selected but greyed out, the setting is being controlled by the "Require user authentication for remote connections by using Network Level Authentication" Group Policy setting, which has been enabled and applied to the RD Session Host server; change it in that GPO rather than locally.
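The checkbox in the steps above writes to the Win32_TSGeneralSetting WMI class, which is also the supported way to audit and set NLA from a script on any Windows version. The following is an added example, not code from the original article: it reports the listener's NLA, security-layer and encryption settings, and enforces NLA only where the value is not already locked by Group Policy. The computer name in the usage line is a placeholder; run it as an administrator.

```powershell
# Added example (not from the original article): audit the RDP-Tcp listener
# through WMI and enforce NLA where it is not policy-managed. Run locally as
# an administrator, or pass a placeholder -ComputerName to query a host over WinRM.

function Get-RdpTcpSetting {
    param([string] $ComputerName)

    $cim = @{
        Namespace = 'root\cimv2\TerminalServices'
        ClassName = 'Win32_TSGeneralSetting'
        Filter    = "TerminalName='RDP-Tcp'"
    }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }

    $s = Get-CimInstance @cim
    if (-not $s) { throw "RDP-Tcp listener not found on '$ComputerName'" }
    $s
}

function Get-RdpListenerSecurity {
    param([string] $ComputerName)

    $s = Get-RdpTcpSetting -ComputerName $ComputerName
    $name = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }

    # SecurityLayer:      0 = legacy RDP security layer, 1 = negotiate, 2 = TLS.
    # MinEncryptionLevel: 1 = Low, 2 = Client compatible, 3 = High, 4 = FIPS.
    # PolicySource* = 1 means the value comes from Group Policy and cannot be
    # changed locally; fix it in the GPO instead.
    [pscustomobject]@{
        ComputerName       = $name
        NlaRequired        = ($s.UserAuthenticationRequired -eq 1)
        NlaFromPolicy      = ($s.PolicySourceUserAuthenticationRequired -eq 1)
        SecurityLayer      = $s.SecurityLayer
        MinEncryptionLevel = $s.MinEncryptionLevel
        Hardened           = ($s.UserAuthenticationRequired -eq 1 -and
                              $s.SecurityLayer -eq 2 -and
                              $s.MinEncryptionLevel -ge 3)
    }
}

function Set-RdpNlaRequired {
    param([string] $ComputerName)

    $state = Get-RdpListenerSecurity -ComputerName $ComputerName
    if ($state.NlaRequired) { return $state }                       # nothing to do
    if ($state.NlaFromPolicy) {
        throw "NLA on $($state.ComputerName) is controlled by Group Policy; enable it in the GPO."
    }

    # Same operation as the RDSH Configuration checkbox and the UserAuthentication
    # registry value, but through the supported WMI method.
    $s = Get-RdpTcpSetting -ComputerName $ComputerName
    $r = Invoke-CimMethod -InputObject $s -MethodName SetUserAuthenticationRequired `
                          -Arguments @{ UserAuthenticationRequired = [uint32] 1 }
    if ($r.ReturnValue -ne 0) { throw "SetUserAuthenticationRequired returned $($r.ReturnValue)" }

    Get-RdpListenerSecurity -ComputerName $ComputerName
}

# Usage:
#   Get-RdpListenerSecurity | Format-List
#   Set-RdpNlaRequired -ComputerName 'server.domain.local'
```

The Hardened flag is deliberately stricter than "NLA on": NLA stops unauthenticated session setup, but a listener that still negotiates down to the legacy RDP security layer or accepts low encryption is not what you want on anything reachable from an untrusted segment, so the audit reports both.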

Enable Remote Desktop via Group Policy

The first thing to check is that your account actually has permission to create and edit GPOs in the domain (membership of Group Policy Creator Owners, or delegated rights on the OU). Assuming it does, the steps are:

  • Open the Group Policy Management Console (GPMC).
  • Create a new Group Policy Object and name it Enable Remote Desktop.
  • Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Inbound Rules (the node name appears twice; that is normal) and create a New Rule.
  • Select Port in the New Inbound Rule Wizard.
  • Choose TCP and Specific local ports: 3389.
  • Allow the connection and select only the Domain and Private profiles; leave Public unchecked.
  • Name this rule Inbound Rule for RDP Port 3389.
  • Optionally, in the rule's properties, restrict Scope -> Remote IP address to your management subnets so that port 3389 is not reachable from every host in the domain. (Alternatively, choose Predefined -> Remote Desktop in the wizard to deploy the built-in, profile-aware rules instead of a custom port rule.)

Now that the firewall rule is in place, enable the Remote Desktop Session Host policies in the same GPO.

  • Go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections.
  • Set Allow users to connect remotely by using Remote Desktop Services to Enabled.

  • Next, enable Network Level Authentication. This is highly recommended: it keeps unauthenticated clients from ever reaching the logon screen (see the NLA section above for the details).
  • Go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security.
  • Set Require user authentication for remote connections by using Network Level Authentication to Enabled.

  • Last but certainly not least, link the newly created GPO to the Organizational Unit that contains the target computers; until it is linked it has no effect. If only some machines in that OU should receive it, add a security group of computers to the GPO's security filtering.
  • Close GPMC. There are no more settings to configure. Note that this GPO only turns on the listener and opens the firewall; which accounts may actually log on is still governed by the "Allow log on through Remote Desktop Services" user right and membership of the local Remote Desktop Users group on each machine.

Problem

Rather than enabling on an ad-hoc basis, you want to turn on RDP for multiple machines via Group Policy.

16 Replies

EminentX, Oct 12, 2020 at 10:59 UTC

Have you seen this? //softwarekeep.com/help-center/how-to-enable-remote-desktop-on-windows

bucko, Oct 12, 2020 at 11:14 UTC

Create a security group "Remote users" and add the users that are allowed to work through RDP.

Create a GPO to allow the group to log on through GPO: Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment | Allow log on through Remote Desktop Services, add group "Remote users". Publish this GPO to all computers that you want your users to have access to; you can create another security group "RDS Stations" and use security filtering on the GPO. In the GPO set:

  • Allow users to connect remotely by using Remote Desktop Services

  • Require user authentication for remote connections by using Network Level Authentication

  • Firewall inbound open port 3389

The above will enable all users to access all workstations!!

If you would like to have your hands on who can connect where, then you'll need to set up an RDC broker and Gateway...

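The GPO described in the "Enable Remote Desktop via Group Policy" section of the article and in bucko's reply above, built from PowerShell instead of GPMC clicks so it can be reviewed and repeated. This is an added example, not code from the article or from anyone in the thread; it assumes the GroupPolicy and NetSecurity RSAT modules on a domain-joined management host, rights to create and link GPOs, and placeholder names (domain.local, the Workstations OU, the RDS Stations computer group and a 10.10.50.0/24 management subnet).

```powershell
# Added example (not code from the article or the thread): build the
# "Enable Remote Desktop" GPO from a management host. Assumes the GroupPolicy
# and NetSecurity modules (RSAT), rights to create and link GPOs, and the
# placeholder names below.
Import-Module GroupPolicy, NetSecurity

$Domain     = 'domain.local'
$GpoName    = 'Enable Remote Desktop'
$TargetOu   = 'OU=Workstations,DC=domain,DC=local'
$StationGrp = 'RDS Stations'     # security group of computers that should get the policy
$MgmtSubnet = '10.10.50.0/24'    # only hosts here may reach TCP 3389
$RuleName   = 'Inbound Rule for RDP Port 3389'

# Registry location behind the two Administrative Template settings used below.
$TsPolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'RDP enabled, NLA required, 3389 from management subnet only'
}

# Connections -> "Allow users to connect remotely by using Remote Desktop Services" = Enabled
Set-GPRegistryValue -Name $GpoName -Key $TsPolicyKey -ValueName 'fDenyTSConnections' -Type DWord -Value 0 | Out-Null
# Security -> "Require user authentication for remote connections by using NLA" = Enabled
Set-GPRegistryValue -Name $GpoName -Key $TsPolicyKey -ValueName 'UserAuthentication'  -Type DWord -Value 1 | Out-Null

# Firewall rule stored inside the GPO: Domain + Private profiles only, scoped to the
# management subnet rather than "any remote address".
$session = Open-NetGPO -PolicyStore "$Domain\$GpoName"
if (-not (Get-NetFirewallRule -GPOSession $session -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -GPOSession $session -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow `
        -Profile Domain, Private -RemoteAddress $MgmtSubnet | Out-Null
}
Save-NetGPO -GPOSession $session

# Security filtering: only computers in $StationGrp apply the GPO. Authenticated Users
# drops to read-only (-Replace is needed to lower an existing permission level);
# domain members still need read access to evaluate the policy at all.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $StationGrp -TargetType Group -PermissionLevel GpoApply | Out-Null

# Link the GPO; nothing applies until it is linked somewhere.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Export a report so the resulting settings can be reviewed and kept with the change record.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$GpoName.html"
```

The one setting from the reply that this script does not touch is the "Allow log on through Remote Desktop Services" user right: it lives in the GPO's security template, not in the registry, so Set-GPRegistryValue cannot write it. Set it in GPMC under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment, or leave the default, which already grants the right to Administrators and Remote Desktop Users.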

Cashif2106, Oct 12, 2020 at 11:41 UTC

EminentX,

I have installed a domain controller and want to enable Remote Desktop on all client workstations through a Group Policy on the domain controller.

Cashif2106, Oct 12, 2020 at 11:42 UTC

bucko, thanks, let me follow the steps you have mentioned and if I have any issues I will get back to you. Thanks for your concern.

Cashif2106, Oct 12, 2020 at 11:52 UTC

bucko, will these settings enable Remote Desktop on the client workstations or not? My concern is: what if the Remote Desktop service is disabled on the client computer, will this GPO setting enable the client's Remote Desktop or not? Please acknowledge. Thanks.

Cashif2106, Oct 12, 2020 at 13:12 UTC

bucko,

I have done all the steps according to your instructions, but Remote Desktop is still disabled on the client machine; please check the attached files for your kind consideration. Thanks.


Cashif2106, Oct 12, 2020 at 13:14 UTC

bucko, I missed one screenshot from the client computer, which shows that Remote Desktop is still disabled even after applying the GPO.


C.J.R., Oct 12, 2020 at 13:16 UTC

The solution provided by bucko is correct and is the answer you are looking for: yes, it will enable the Remote Desktop service if it is disabled on the client computer.

bucko, Oct 12, 2020 at 14:40 UTC

Cashif2106 wrote:

bucko, I missed one screenshot from the client computer, which shows that Remote Desktop is still disabled even after applying the GPO.

It should work...

Open cmd as admin and run the command: gpupdate /force
Then you can restart the computer: shutdown /r /f /t 0
Then, to see what GPOs and groups are applied to that workstation, run this command as admin: gpresult /R /SCOPE computer
To see what GPOs and groups are applied to the user, run this command as that user: gpresult /R /SCOPE user

You can post the results (blur your information)... also, next time try to post screenshots with less real estate, as we can't read such small fonts :)


thelanranger, Oct 12, 2020 at 21:29 UTC

Alternate process if you so choose:

1) You have to apply a GPO policy for the firewall to allow RDP (or disable the Windows firewall). (Alternatively you could script a line for netsh advfirewall firewall set rule group="remote desktop" new enable=Yes.)

2) Then set HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > Terminal Server. Change the value of "fDenyTSConnections" to "0". You can do this with GPO. (Alternatively, you could script a line for reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f.)

3) Then you need to start the Remote Desktop Services service and set it to 'Auto' (this could be sc config TermService start= auto and then sc start TermService).

At this point you should be good to go.

    netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    sc config TermService start= auto
    sc start TermService

Supaplex (Best Answer), Oct 13, 2020 at 07:01 UTC

An excellent guide that completely covers the matter of remotely enabling Remote Desktop can be found here: //www.hyper-v.io/remotely-enable-remote-desktop-another-computer/. I would recommend you follow the described steps on one of the PCs (remotely) and, if you succeed, wrap all the actions in a small PowerShell script that will cycle through all the computers in the domain.

Cashif2106, Oct 13, 2020 at 08:41 UTC

Supaplex,

Thanks for your concern. Remote connection is enabled on the client computer through the steps mentioned in the link above, but I am facing an issue now: when I try to log in with the user accounts I created in the domain, who are only domain users, the error pops up "The connection was denied because the user account is not authorized for remote login".

My concern is that I want to allow all domain users to log in to Remote Desktop sessions. Is there any option where I can add the users I want to allow to connect remotely, or are only users with administrator rights allowed to log in?

Cashif2106, Oct 13, 2020 at 09:10 UTC

bucko, sorry for the inconvenience, the issue is resolved now. I was missing one setting in the GPO; now the security setting is enabled and it's working. Remote Desktop is enabled. Thanks for your concern :)

Cashif2106, Oct 14, 2020 at 08:56 UTC

I want to allow all domain users to log in to Remote Desktop sessions. Is there any option where I can add the users I want to allow to connect remotely, or are only users with administrator rights allowed to log in?

Please let me know how I can allow all domain users to log in through Remote Desktop. Right now only users with administrator rights are allowed to log in, but I want all domain users to be allowed to log in remotely. Thanks.

Cashif2106, Oct 14, 2020 at 08:59 UTC

Supaplex,

I want to allow all domain users to log in to Remote Desktop sessions. Is there any option where I can add the users I want to allow to connect remotely, or are only users with administrator rights allowed to log in?

Please let me know how I can allow all domain users to log in through Remote Desktop. Right now only users with administrator rights are allowed to log in, but I want all domain users to be allowed to log in remotely. Thanks.

Please check and acknowledge. Thanks.

bucko, Oct 14, 2020 at 11:34 UTC

It's written above, where you add the security group of users who can connect... But you can't do it that way if you wish to link one user to one machine; this has to be done manually or with a gateway.

You can try this command on each station: NET LOCALGROUP "Remote Desktop Users" domain\username /ADD

If you don't have many, you can create a simple bat and use psexec to run the command on each machine. This way you can add user1 to machine1 and user2 to machine2, etc...

Edit: or add a script to your network share and have GPO run it on boot-up. The script deletes everything from the group and then you add whomever you want; the script just checks from the list which users are linked to its hostname.

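The per-machine approach from bucko's last reply (a startup script that rebuilds the local Remote Desktop Users group from a host-to-users list), written out as an added example. This is not code from the thread; the host names and accounts are constructed placeholders, the mapping is embedded inline where a real deployment would read a CSV from a share the computer account can read, and it needs the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later). It differs from the reply in one deliberate way: it only reconciles domain members and leaves local accounts in the group alone.

```powershell
# Added example (not from the thread): computer startup script that makes the
# local "Remote Desktop Users" group contain exactly the domain accounts mapped
# to this host, so each user can RDP only to the machines assigned to them.
# Mapping is constructed inline; names are placeholders.

$DomainNetbios = 'DOMAIN'

# Constructed sample mapping: host name -> sAMAccountNames allowed to RDP in.
# A host with no entry ends up with no domain members in the group.
$Assignments = @{
    'WS-FINANCE-01' = @('alice', 'bob')
    'WS-HR-02'      = @('carol')
}

function Sync-RdpUsers {
    param(
        [Parameter(Mandatory)] [hashtable] $Map,
        [string] $HostName = $env:COMPUTERNAME,
        [string] $Domain   = $DomainNetbios,
        [switch] $DryRun
    )

    $group  = 'Remote Desktop Users'
    $wanted = @($Map[$HostName] | ForEach-Object { "$Domain\$_" })   # hashtable keys are case-insensitive

    # Current domain members of the group. Local accounts are deliberately left
    # alone so a break-glass local path is never removed by this script.
    $current = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
        Select-Object -ExpandProperty Name)

    $toAdd    = @($wanted  | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $wanted })

    if (-not $DryRun) {
        foreach ($m in $toRemove) { Remove-LocalGroupMember -Group $group -Member $m -ErrorAction Continue }
        foreach ($m in $toAdd)    { Add-LocalGroupMember    -Group $group -Member $m -ErrorAction Continue }
    }

    [pscustomobject]@{
        HostName = $HostName
        Added    = $toAdd
        Removed  = $toRemove
        Members  = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue).Name
    }
}

# Run at startup (as SYSTEM via a GPO startup script) or on demand;
# -DryRun reports the planned changes without applying them.
Sync-RdpUsers -Map $Assignments
```

Deploy it under Computer Configuration > Policies > Windows Settings > Scripts > Startup so it runs as SYSTEM before anyone logs on. Membership of Remote Desktop Users only has an effect because the default "Allow log on through Remote Desktop Services" user right grants that group (and Administrators) the right; if a GPO has replaced that right with a different group, as in the earlier reply, the script must manage that group instead.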
