In this article, we will show you how to enable Remote Desktop Protocol on computers in an Active Directory domain, and add domain users to the Remote Desktop Users access group using Group Policies.
Hint. We have previously covered how to enable RDP manually, locally or remotely.
- Open the Active Directory Users and Computers console (dsa.msc) and create a new security group, AllowRDPAccess. Add the users who need RDP access to computers to this domain group;
- Open the Group Policy Management console (gpmc.msc): Start > Control Panel > Administrative Tools > Group Policy Management;
- Right click on the Active Directory container (OU) with computers, and select “Create a GPO in this domain and link it here”;
- Specify the GPO name: AllowRDP;
- Right click on the new GPO object and select Edit;
- Allow RDP connections in the domain profile of Windows Defender Firewall with Advanced Security. Go to the following GPO section: Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall. Find and enable the option Windows Firewall: Allow Remote Desktop Exception. Here you can additionally restrict the IP subnets from which RDP connections are allowed, which improves the security of your computers. Specify your IP addresses or subnets, for example 192.168.1.0/24;
- Enable Remote Desktop Protocol on the computers. Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Allow Users to connect remotely by using Remote Desktop Services = Enabled;
- Now add the previously created domain group AllowRDPAccess to the local Remote Desktop Users group on all computers in the OU. Expand the following GPO section: Computer Configuration > Windows Settings > Security Settings > Restricted Groups. Right click and select Add Group. Specify the group name Remote Desktop Users > OK. Then, in the Members of this group section, add your domain security group AllowRDPAccess;
- Finally, update the Group Policy settings on the computers (you can force this manually with the command gpupdate /force). Then check that RDP is enabled in the computer properties and that the domain group AllowRDPAccess has been added to the local Remote Desktop Users group (Computer > Manage, expand System Tools > Local Users and Groups > Groups > Remote Desktop Users).
Now users from the specified domain group will be able to connect via RDP to any computer in that Active Directory organizational unit.
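As an added example (not from the original article), the following PowerShell script checks the three settings above on a target computer after the policy has refreshed: the RDP policy value, the firewall exception and its address scope, and the membership of the local Remote Desktop Users group. The domain NetBIOS name CONTOSO and the parameter names are assumptions; the registry paths are the policy locations these GPO settings write to.

```powershell
# Added verification script, not part of the original article. Run locally on a
# domain computer after gpupdate /force. Assumptions: the domain NetBIOS name is
# CONTOSO, and the allowed subnet is the 192.168.1.0/24 used in the article.
param(
    [string]$DomainGroup  = 'CONTOSO\AllowRDPAccess',   # assumption: domain NetBIOS name
    [string]$AllowedScope = '192.168.1.0/24'
)
$findings = @()

# 1. RDP enabled: "Allow users to connect remotely" sets fDenyTSConnections=0 under
#    the Policies hive; the effective value is under Terminal Server.
$policy    = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
$effective = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($policy.fDenyTSConnections -ne 0)    { $findings += 'RDP policy not applied (fDenyTSConnections not 0 under Policies)' }
if ($effective.fDenyTSConnections -ne 0) { $findings += 'RDP is effectively disabled on this computer' }

# 2. Firewall: "Allow Remote Desktop Exception" (domain profile) writes Enabled and
#    RemoteAddresses here; '*' means the exception is open to any source address.
$fw = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop' -ErrorAction SilentlyContinue
if ($fw.Enabled -ne 1)                        { $findings += 'Firewall RDP exception not applied' }
elseif ($fw.RemoteAddresses -eq '*')          { $findings += 'RDP exception allows any address; scope it to your subnet' }
elseif ($fw.RemoteAddresses -ne $AllowedScope) { $findings += "RDP exception scope is '$($fw.RemoteAddresses)', expected '$AllowedScope'" }

# 3. Local group membership written by Restricted Groups. "Members of this group"
#    replaces the entire membership at each refresh, so any other member present
#    here was added outside the policy and is worth investigating.
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name
if ($members -notcontains $DomainGroup) { $findings += "$DomainGroup is missing from Remote Desktop Users" }
$extra = $members | Where-Object { $_ -ne $DomainGroup }
if ($extra) { $findings += "Unexpected members of Remote Desktop Users: $($extra -join ', ')" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'RDP GPO state OK' }
```

Run it in an elevated PowerShell session on a computer in the OU; any warning points at the step of the procedure that did not apply or at membership drift.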