In this post, I will show you how to allow Active Directory users who are not domain administrators to use Remote Desktop to connect to servers, without giving them administrative privileges.
While looking into this, I have seen many blog posts on the internet that give the wrong guidance, which leads to the users not being able to log in. This post will sort that out and help you.
How Does it Work?
To allow non-domain-admin users Remote Desktop access using Group Policy, we need to do the following two things:
- Create a GPO that allows the users to log on through RDP (by default only domain admins are allowed)
- Add the users to the local Remote Desktop Users group on the target machine or machines.
Both steps are done through Group Policy, without doing anything directly on the target machines. The classic use case is giving users Remote Desktop access without having to give them domain admin permissions. The problem I have seen over the last 15 years is that many admins give up and end up granting domain admin rights to users instead.
Allow Log On Using RDP
Let's get started. Create a GPO and go to the following location: Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
On the User Rights Assignment page, locate the Allow log on through Remote Desktop Services setting and double-click it.
Tick Define these policy settings and add your AD group.
Now that the first step is complete, it is time to add our users to the local Remote Desktop Users group on each machine the policy applies to. This setting is critical; without it, nothing will work.
Note: Make sure you use the same AD group you used in the above step. The two settings need to use the same group.
Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups.
On the Restricted Groups page, right-click and select Add Group…, then select the group from the first step.
In the Configure Membership screen, leave the top section (Members of this group) blank; in the lower section (This group is a member of) click Add and type Remote Desktop Users.
The final step is to link the GPO to the OU you have your users in and wait for the GPO to apply. To speed up the process you can restart the servers.
I hope you get it right, as many admins get lost doing this task.
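To confirm the two settings actually landed on a server, the following PowerShell script is an added verification example (not part of the original post). It assumes a placeholder AD group named CONTOSO\RDP-Users; replace it with your own group. Both settings live under Computer Configuration, so they only take effect on computers covered by the GPO link; run the script elevated on a server the GPO applies to, after the policy has refreshed. It checks the local Remote Desktop Users membership (the Restricted Groups step), the SeRemoteInteractiveLogonRight user right (the Allow log on through Remote Desktop Services step), and, as a least-privilege check, that the group did not end up in local Administrators.

```powershell
# Added verification script, not from the original post.
# Assumption: the AD group is CONTOSO\RDP-Users (placeholder, replace it).
$RdpGroup = 'CONTOSO\RDP-Users'

# 1. Restricted Groups step: the AD group should now be a member of the
#    local "Remote Desktop Users" group on this server.
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object -ExpandProperty Name
if ($members -contains $RdpGroup) {
    Write-Host "OK: $RdpGroup is a member of Remote Desktop Users"
} else {
    Write-Warning "MISSING: $RdpGroup is not in Remote Desktop Users (Restricted Groups setting not applied?)"
}

# 2. User Rights Assignment step: "Allow log on through Remote Desktop
#    Services" is stored as SeRemoteInteractiveLogonRight. Export the
#    effective local security policy and look for the group's SID, which
#    secedit writes with a leading '*' (e.g. *S-1-5-21-...).
$sid = (New-Object System.Security.Principal.NTAccount($RdpGroup)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight' |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($line -and $line.Line -match [regex]::Escape("*$sid")) {
    Write-Host "OK: $RdpGroup holds SeRemoteInteractiveLogonRight"
} else {
    Write-Warning "MISSING: $RdpGroup is not granted SeRemoteInteractiveLogonRight (User Rights Assignment not applied?)"
}

# 3. Least-privilege check: the whole point is to avoid admin rights, so
#    flag the group if it also appears in the local Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name
if ($admins -contains $RdpGroup) {
    Write-Warning "REVIEW: $RdpGroup is also a member of local Administrators"
} else {
    Write-Host "OK: $RdpGroup is not in local Administrators"
}

# 4. Show which GPOs were applied to this computer, so you can see whether
#    the new GPO is in the list (requires elevation for the computer scope).
gpresult /scope computer /r |
    Select-String -Pattern 'Applied Group Policy Objects' -Context 0,5
```

If step 1 or step 2 reports MISSING, run gpupdate /force on the server (or reboot it, as the post suggests) and check again; if the GPO is absent from the gpresult list, the link or the OU placement of the computer object is the thing to look at.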