The Remote Desktop feature is disabled by default and needs to be enabled. On Windows 10 or 11 workstations, a single user can connect via RDP, while on Windows Server, two simultaneous sessions are allowed.
RDP access restricted to admins
In both cases, access is restricted by default to administrators only. If a standard user attempts to establish a Remote Desktop connection, they will receive the following error message:
"The connection was denied because the user account is not authorized for remote login."
To circumvent this, you can configure the allowed users and groups during the activation of Remote Desktop via the applet in the Control Panel (sysdm.cpl). The accounts selected there will then be added to the built-in Remote Desktop Users group.
If you choose to activate Remote Desktop using alternative methods, such as Group Policies, or if you need to grant RDP connection permissions later on, you will need to manage membership in this local group through different means.
Adding members to the local group with PowerShell
For individual computers, you can use MMC-based computer management or PowerShell.
PowerShell offers several cmdlets for managing local groups. For instance, you can add an AD group, such as RDPUser, to the local Remote Desktop Users group using the following command:
Add-LocalGroupMember -Name "Remote Desktop Users" -Member contoso\RDPUser
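The following added example (not part of the original article) extends the command above into a repeatable check. It addresses the group by its well-known SID S-1-5-32-555, so it also works on localized systems, adds any missing principals, and flags members that are not on an allowlist. The allowlist content and the helper name Compare-RdpGroupMember are assumptions made for illustration.

```powershell
# Added example: reconcile the local Remote Desktop Users group with an allowlist.
# Run in an elevated session. The group is referenced by its well-known SID,
# so the localized display name of the group does not matter.
$rdpGroupSid = 'S-1-5-32-555'

# Assumption: contoso\RDPUser is the only principal that should have RDP access.
$allowed = @('contoso\RDPUser')

# Hypothetical helper: compares current members with the allowlist.
function Compare-RdpGroupMember {
    param(
        [string[]]$Current,   # principals currently in the group
        [string[]]$Allowed    # principals that should be in the group
    )
    [pscustomobject]@{
        Missing    = @($Allowed | Where-Object { $_ -notin $Current })
        Unexpected = @($Current | Where-Object { $_ -notin $Allowed })
    }
}

# Read the current members (Name is returned as DOMAIN\account).
$current = @(Get-LocalGroupMember -SID $rdpGroupSid |
    Select-Object -ExpandProperty Name)

$diff = Compare-RdpGroupMember -Current $current -Allowed $allowed

# Add what is missing; -notin is case-insensitive, so CONTOSO\RDPUser matches.
foreach ($principal in $diff.Missing) {
    Add-LocalGroupMember -SID $rdpGroupSid -Member $principal
    Write-Output "Added: $principal"
}

# Report, but do not remove, members that are not on the allowlist.
foreach ($principal in $diff.Unexpected) {
    Write-Warning "Not in allowlist: $principal"
}
```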
Adding users to Remote Desktop Users via GPO
In centrally managed environments, the preferred way to manage members of the local Remote Desktop Users group is through Group Policy. There are two options for this.
Restricted groups
Restricted groups allow you to control which members should be part of a local group and which groups they should be added to. You can find this setting under Computer Configuration > Policies > Windows Settings > Security Settings.
From there, select the Add Group command from the context menu. It opens a dialog box in which you can enter the name of a local group. To do so, click the Browse button.
It's important to note that Microsoft has translated group names on localized systems. Therefore, you should search for the respective terms in the local language. In linguistically mixed environments, it doesn't matter which of the two names you choose; the assignment is based on the SID and will work on all systems, regardless.
After that, two Add buttons are available. The first lets you specify which members should belong to the group.
This group policy aligns group members on the target PCs with the entries in the GPO. As a result, any users not listed in the GPO will be automatically removed from the groups.
Group Policy Preferences
Alternatively, you can use the Local Users and Groups setting under Computer Configuration > Preferences > Control Panel Settings for this task.
Select New > Local Group to manage the members of user groups. You can use the corresponding checkboxes to remove all existing users and groups so that the Remote Desktop group includes only members explicitly assigned to it by the GPO.
The default Update action keeps the list of members in the desired state so you can leave it as is.
Remote Desktop Users group in Active Directory
The methods described above pertain to membership in the local Remote Desktop Users group. However, there is also a group with the same name in Active Directory. Wouldn't it be easier to simply include the desired accounts in this AD group to grant them access to Remote Desktop on every PC in an OU?
This AD group applies only to domain controllers; its members do not gain RDP access to member servers or workstations.
Generally, you should not link a GPO like the ones described above with Domain Controllers. Otherwise, users who normally become members of only the local group will also be added to the Remote Desktop Users AD group, which is typically not desired for security reasons.

If you assign accounts to the local RDP group via GPO and link that GPO at the domain level, those accounts will also be added to the AD group.
However, users in the AD group Remote Desktop Users will still not be able to open a Remote Desktop session on a DC because they do not have permission to connect. They also need the Allow log on through Remote Desktop Services user right. This setting can be found under Computer Configuration > Policies > Windows Settings > Local Policies > User Rights Assignment.
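Because RDP access depends on this user right as well as on group membership, it is worth checking who actually holds it on a given machine. The following added example (not part of the original article) exports the effective user rights with secedit and resolves the holders of SeRemoteInteractiveLogonRight, the internal name of Allow log on through Remote Desktop Services. The temporary file name is an assumption.

```powershell
# Added example: list the holders of "Allow log on through Remote Desktop Services"
# (SeRemoteInteractiveLogonRight) from the effective local security policy.
# Run in an elevated session.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The export contains one line per assigned right: Name = holder,holder,...
$line = Get-Content $cfg |
    Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
Remove-Item $cfg -Force

if (-not $line) {
    Write-Output 'SeRemoteInteractiveLogonRight is not assigned to anyone.'
    return
}

$holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
    $entry = $_.Trim()
    if ($entry.StartsWith('*')) {
        # secedit writes SIDs as *S-1-...; translate to an account name if possible
        $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.TrimStart('*'))
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SID, e.g. a deleted account
    }
    else {
        $entry                 # already written as an account name
    }
}

$holders
```

An account can open an RDP session only if it, or a group it belongs to, appears in this list.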
Summary
By default, only administrative accounts are allowed to establish a Remote Desktop connection. If you want standard users to be able to do this as well, you need to add them to the local Remote Desktop Users group on the target host.
You can do this interactively for individual computers using tools like Computer Management or PowerShell. However, in managed environments, Group Policy is the preferred method.
Group Policy offers two alternatives for this purpose. When linking the GPO, be careful not to affect the Domain Controllers. If this were to happen, the selected accounts would also become members of the AD group Remote Desktop Users, which is typically undesirable.