How to Add User to Remote Desktop Group?

In this article, we will show you how to enable Remote Desktop Protocol on computers in an Active Directory domain, and add domain users to the Remote Desktop Users access group using Group Policies.

Hint. We have previously covered how to enable RDP manually, locally or remotely.

  1. Open the Active Directory Users and Computers console (dsa.msc), and create a new group AllowRDPAccess. Add to this domain security group the users who need RDP access to the computers;
  2. Open the domain GPO management mmc snap-in (gpmc.msc): Start > Control Panel > Administrative Tools > Group Policy Management;
  3. Right click on the Active Directory container (OU) with computers, and select “Create a GPO in this domain and link it here”;
  4. Specify the GPO name: AllowRDP;
  5. Right click on the new GPO object and select Edit;
  6. Allow RDP connections in the domain profile of Windows Defender Firewall with Advanced Security. Go to the following GPO section: Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall. Find and enable the option Windows Firewall: Allow Remote Desktop Exception. Here you can additionally specify the IP subnets from which RDP connections are allowed; limiting the allowed sources increases the security of your computers. Specify your IP addresses or subnets, for example 192.168.1.0/24;
  7. Enable Remote Desktop Protocol on the computers. Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Allow Users to connect remotely by using Remote Desktop Services = Enabled;
  8. Now add the previously created domain group AllowRDPAccess to the local Remote Desktop Users group on all computers in the OU. Expand the following GPO section: Computer Configuration > Windows Settings > Security Settings > Restricted Groups. Right-click it and select Add Group. Specify the group name Remote Desktop Users and click OK. Then, in the Members of this group section, add your domain security group AllowRDPAccess. Note that the Members of this group list replaces the existing membership of the local group on each computer, so any member not listed there is removed;
  9. Finally, update the Group Policy settings on the computers (you can force an update manually with the command gpupdate /force). Then check that RDP is enabled in the properties of the computer and that the domain group AllowRDPAccess has been added to the Remote Desktop Users local group (Computer > Manage, expand System Tools > Local Users and Groups > Groups > Remote Desktop Users).
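
The check in step 9 can also be scripted. The following PowerShell is an added example, not part of the original article: it reports whether RDP is allowed and whether the local Remote Desktop Users group contains anything other than the expected domain group. The domain name CONTOSO is a placeholder assumption, and the firewall exception from step 6 is not checked.

```powershell
# Added example: verify the result of the AllowRDP GPO on one computer.
# Run in an elevated Windows PowerShell 5.1+ session on a computer in the OU.
# 'CONTOSO' is a placeholder domain; AllowRDPAccess is the group from step 1.
param(
    [string]$ExpectedGroup = 'CONTOSO\AllowRDPAccess'
)

# Value written by the policy "Allow users to connect remotely by using
# Remote Desktop Services": fDenyTSConnections = 0 means RDP is allowed.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$policy = Get-ItemProperty -Path $policyKey -Name fDenyTSConnections `
              -ErrorAction SilentlyContinue

# Local (non-policy) setting, used only when no policy value is present.
$systemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$local = Get-ItemProperty -Path $systemKey -Name fDenyTSConnections

# The policy value takes precedence over the local setting.
$deny = if ($null -ne $policy) { $policy.fDenyTSConnections }
        else { $local.fDenyTSConnections }

# Look the group up by its well-known SID (S-1-5-32-555) so the check
# also works on localized Windows, where the group name is translated.
$members = @(Get-LocalGroupMember -SID 'S-1-5-32-555' |
             Select-Object -ExpandProperty Name)

# Anything besides the expected domain group deserves a second look:
# with Restricted Groups applied, the list should contain only that group.
$unexpected = @($members | Where-Object { $_ -ne $ExpectedGroup })

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    RdpSetByPolicy        = ($null -ne $policy)
    RdpAllowed            = ($deny -eq 0)
    ExpectedGroupIsMember = ($members -contains $ExpectedGroup)
    UnexpectedMembers     = ($unexpected -join ', ')
}
```

An empty UnexpectedMembers field together with RdpSetByPolicy, RdpAllowed and ExpectedGroupIsMember all reporting True indicates the GPO has applied as intended.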

Now users from the specified domain group will be able to connect via RDP to any computer in that Active Directory organizational unit.

Cyril Kardashevsky
