Allow Non-Domain Admin Active Directory Users Remote Desktop Access To Servers Using Group Policy

In this post, I will show you how to allow Active Directory users that are not domain administrators to use Remote Desktop to connect to servers without giving them privileged permissions.

While looking into this issue, I have seen many blog posts on the internet that give the wrong guidance, which leads to users not being able to log in. This post will sort that out and help you.

How Does It Work?

To allow non-domain admin users Remote Desktop Access using Group Policy we need to do the following two things:

  1. Create a GPO that allows the users to RDP (by default only domain admins are allowed)
  2. Add the users to the local Remote Desktop Users group on the target machine or machines.

Both steps are done using Group Policy, without doing anything directly on the target machines. The classic use case for this is giving users Remote Desktop access without needing to give them domain admin permissions. The problem I have seen during the last 15 years is that many admins give up and end up giving domain admin rights to users.

Allow Log On Using RDP

Let's get started: create a GPO and go to the following location. Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment

From the User Rights Assignment page, locate the Allow log on through Remote Desktop Services setting and double-click it.

Tick Define these policy settings and add your AD group.

[Screenshot: the User Rights Assignment policy list (Allow log on through Remote Desktop Services, Back up files and directories, Bypass traverse checking, ...) with the AD group being added to the Remote Desktop Services setting]

Restricted Groups

Now that we have completed the first step, it is time to add our users to the local Remote Desktop Users group on each machine we will apply the policy to. This setting is critical; without it, nothing will work.

Note: Make sure you use the same AD group you used in the above step. The two settings need to use the same group.

Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups.

[Screenshot: Group Policy Management Editor tree showing Computer Configuration > Policies > Windows Settings > Security Settings (Event Log, Restricted Groups, System Services, Registry, File System, Wired Network (IEEE 802.3) Policies, Windows Defender Firewall with Advanced Security, Network List Manager Policies, Wireless Network (IEEE 802.11) Policies, Public Key Policies)]

From the Restricted Groups page, right-click, select Add Group…, and select the group from the first step.

In the Configure Membership screen, leave the top section blank; in the lower section, click Add and type Remote Desktop Users as shown below.
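Because the two settings only work when they point at the same AD group (and because filling in the top section of Configure Membership would replace the existing members of Remote Desktop Users on every server instead of adding to them), it is worth checking the GPO itself before linking it. The following script is an added example and is not part of the original post: it reads the GPO's security template (GptTmpl.inf) from SYSVOL and reports which principal holds the Remote Desktop logon right, which principal the Restricted Groups entry adds to Remote Desktop Users, and whether both are the same. The GPO name 'RDP Access to Servers' is an assumed placeholder; the RSAT GroupPolicy module is required.

```powershell
# Added example (not from the original post). Requires the RSAT GroupPolicy module.
Import-Module GroupPolicy

function Test-RdpGpoTemplate {
    # Parses the lines of a GptTmpl.inf and cross-checks the two settings from this post.
    param([string[]]$InfLines)

    $section      = ''
    $rightHolders = @()     # principals granted SeRemoteInteractiveLogonRight
    $memberOfRdp  = @()     # principals the GPO ADDS to Remote Desktop Users (lower section, non-destructive)
    $rdpMembers   = $null   # set only if the GPO REPLACES Remote Desktop Users' membership (top section)

    foreach ($raw in $InfLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if (-not $line -or $line -notmatch '=') { continue }

        $key, $value = ($line -split '=', 2) | ForEach-Object { $_.Trim() }
        # Values are comma-separated; SIDs carry a leading '*', names do not.
        $values = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })

        switch ($section) {
            'Privilege Rights' {
                if ($key -eq 'SeRemoteInteractiveLogonRight') { $rightHolders = $values }
            }
            'Group Membership' {
                # Keys look like *<SID>__Memberof = <groups> or *<SID>__Members = <principals>
                $principal = ($key -replace '__(Memberof|Members)$', '').TrimStart('*')
                if ($key -like '*__Memberof' -and $values -contains 'S-1-5-32-555') { $memberOfRdp += $principal }
                if ($key -like '*__Members'  -and $principal -eq 'S-1-5-32-555')    { $rdpMembers  = $values }
            }
        }
    }

    $sameGroup = @($rightHolders | Where-Object { $memberOfRdp -contains $_ }).Count -gt 0

    [pscustomobject]@{
        RdpLogonRightHolders       = $rightHolders
        AddedToRemoteDesktopUsers  = $memberOfRdp
        ReplacesRdpUsersMembership = ($null -ne $rdpMembers)   # $true means the top section was used
        SameGroupInBothSettings    = $sameGroup
    }
}

# 'RDP Access to Servers' is an assumed placeholder for the GPO created in this post.
$gpo = Get-GPO -Name 'RDP Access to Servers'
$inf = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
Test-RdpGpoTemplate -InfLines (Get-Content $inf)
```

A healthy GPO for this post reports SameGroupInBothSettings as True and ReplacesRdpUsersMembership as False. The template stores the AD group as a SID (S-1-5-21-...), so both settings will show the same SID rather than the group name; S-1-5-32-555 is the well-known SID of the local Remote Desktop Users group, which is why the script keys on it rather than on the localized display name.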

The final step is to link the GPO to the OU you have your users in and wait for the GPO to apply. To speed up the process, you can restart the servers.
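Once the GPO has applied, the quickest way to see whether a given server will actually accept the group's logons is to check both settings where they take effect, on the server itself. The following script is an added example, not code from the original post: run in an elevated PowerShell session on a target server, it confirms that the AD group is a member of the local Remote Desktop Users group and that it holds the Allow log on through Remote Desktop Services right. The group name 'CONTOSO\RDP-Server-Users' is an assumed placeholder for whatever group you used in the GPO.

```powershell
# Added example (not from the original post). Run elevated on a server the GPO applies to.
# The group name below is an assumed placeholder; pass the group you used in the GPO.
param(
    [string]$ExpectedGroup = 'CONTOSO\RDP-Server-Users'
)

# --- Check 1: Restricted Groups step landed (group is in local Remote Desktop Users) ---
# Resolve the local group by its well-known SID so this also works on localized Windows.
$rdpUsers = Get-LocalGroup -SID 'S-1-5-32-555'
$members  = @(Get-LocalGroupMember -Group $rdpUsers | Select-Object -ExpandProperty Name)
$inLocalGroup = $members -contains $ExpectedGroup

# --- Check 2: User Rights Assignment step landed (SeRemoteInteractiveLogonRight) ---
# secedit exports the effective local policy; right holders are listed as *SID entries.
$cfg = Join-Path $env:TEMP 'secpol-rdp-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')
        try   { (New-Object System.Security.Principal.SecurityIdentifier($entry)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $entry }   # keep the raw value if it is a name already or an unresolvable (deleted) SID
    })
}
$hasRight = $holders -contains $ExpectedGroup

[pscustomobject]@{
    Server                    = $env:COMPUTERNAME
    InRemoteDesktopUsers      = $inLocalGroup
    HasRdpLogonRight          = $hasRight
    RemoteDesktopUsersMembers = ($members -join ', ')
    RdpLogonRightHolders      = ($holders -join ', ')
    Result                    = $(if ($inLocalGroup -and $hasRight) { 'OK' } else { 'FIX NEEDED' })
}
```

Both settings live under Computer Configuration, so they only take effect on servers that the GPO actually applies to. If the result is FIX NEEDED, run gpupdate /force on that server, then confirm with gpresult /r that the GPO is listed under the computer settings before looking anywhere else; a user who is in the group but whose server shows only one of the two checks as True is exactly the "cannot log in" symptom the post describes.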

Hope you get it right, as many admins get lost doing this task.
