Group Policy settings for Remote Desktop Services in Windows Server 2016

Group Policy entry to allow remote administration to domain computers

I would like to configure the entries needed to create a GPO for my domain (Server 2012) that will allow me to do remote administration of the computers (Computer Management) from my own computer. So to put it another way, I want to be able to open Computer Management on my machine, and, while connected to the VPN, do a "connect to another computer" and be able to configure devices and such. It seems I can do it with some computers and not others. So I want to create the GPOs necessary to have them all set up the same way. I am the domain admin.

Thanks.

windows-group-policy


FanFan-MSFT answered Apr 26, '21 | FanFan-MSFT commented May 4, '21

Hi,
When you can't do it with some computers, what's the error message?
Based on my understanding, you want the user to have rights to RDP to other computers and, at the same time, you want the user to have the administrative permission, right?
If I misunderstand you, please feel free to let me know.

If you want to assign the RDP permission to a user on all the computers in the domain, you can configure the policy as follows:
Create a GPO and link it to the domain level.
Right-click the GPO and select Edit.
Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Add the administrators and users you want to assign the RDP permission. This policy will overwrite the default settings.

Navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Connections.
On the right-side panel, double-click Allow users to connect remotely using Remote Desktop Services.
Select Enabled and click Apply if you want to enable Remote Desktop.

For the administrative permission, you may consider the following methods:
Add the user to the local administrators group
Or perform delegation control through DUC.

To add the user to the local administrators group:
Open the GPO and navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups.
Right-click and choose Add Group. If you want to add users to the local administrators group, enter Administrators.
In the next window under “Members of this group:” click Add and choose the users to add to the local administrators group.
Note that any users that are currently in the local administrators group will be removed and replaced with the users you select here. If that is what you want, click OK and close the GPO.

For the delegation control, you can refer to the following link:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-by-using-ou-objects

Best Regards,




FanFan-MSFT · May 04, 2021 at 01:44 AM


Hi,
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,

0 Votes 0 ·
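The Restricted Groups note in the answer above means existing local Administrators members are replaced when the GPO applies. The following pre-change audit is an added example, not part of the original answer; the computer names and intended member list are constructed placeholders, and it assumes PowerShell remoting (WinRM) is reachable on the targets.

```powershell
# Added example: list local Administrators members that are NOT on the list you
# plan to enter under "Members of this group", before the Restricted Groups GPO applies.
$Computers = 'PC-001', 'PC-002'                               # constructed sample names
$Intended  = 'CORP\Domain Admins', 'CORP\Workstation-Admins'  # hypothetical intended members

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using the SID
# avoids depending on the localized group name.
$members = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, @{ n = 'Sid'; e = { $_.SID.Value } }
}

# Flag every member that is missing from the intended list (comparison is case-insensitive).
$report = $members | Select-Object @{ n = 'Computer'; e = { $_.PSComputerName } },
    Name, ObjectClass, Sid,
    @{ n = 'InIntendedList'; e = { $_.Name -in $Intended } }

$report | Where-Object { -not $_.InIntendedList } |
    Sort-Object Computer, Name |
    Format-Table -AutoSize

# Keep a record of the pre-change state so membership can be restored if needed.
$report | Export-Csv -Path .\local-admins-before-gpo.csv -NoTypeInformation

# Computers that returned nothing (offline, or remoting not enabled) still need a manual check.
$Computers | Where-Object { $_ -notin $members.PSComputerName } |
    ForEach-Object { Write-Warning "No data collected from $_" }
```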

Enable Remote Desktop via Group Policy

The biggest problem you are likely to face is not having permission to modify GPOs. I’m going to assume you have those permissions, so we’ll continue with a bullet list that’s easy to follow.

  • Open up Group Policy Management Console (GPMC).
  • Create a New Group Policy Object and name it Enable Remote Desktop.
  • Navigate to: Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Inbound Rules and create a New Rule.
  • Select Port in the New Inbound Rule Wizard.
  • Select TCP and enter 3389 under Specific local ports.
  • Choose Allow the connection and select only the Domain and Private profiles.
  • Name this rule Inbound Rule for RDP Port 3389.

Now that we have added the local ports, we’ll need to enable the Remote Desktop Session Host policies.

  • Go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections
  • Set Allow users to connect remotely by using Remote Desktop Services to Enabled.
  • Now we’re going to enable Network Level Authentication. This is highly recommended and has many security advantages. However, that’s out of the scope of this article so I won’t go into the details now.
  • Go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security
  • Set Require user authentication for remote connections by using Network Level Authentication to Enabled.

  • Last but certainly not least, we need to link the newly created GPO to an Organizational Unit so that it actually applies to the computers in it.
  • Close out of GPMC. There aren’t any more settings to configure.
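The same GPO can be built and read back from PowerShell, which makes the settings reviewable and repeatable. This is an added example, not from the original article: it assumes the GroupPolicy module (RSAT/GPMC) and rights to create and link GPOs, and `$Domain` and `$TargetOu` are placeholders.

```powershell
# Added example: scripted equivalent of the GUI steps above.
Import-Module GroupPolicy

$GpoName  = 'Enable Remote Desktop'
$Domain   = 'corp.example.com'                           # placeholder domain FQDN
$TargetOu = 'OU=Workstations,DC=corp,DC=example,DC=com'  # placeholder OU to link to
$TsKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Store    = "$Domain\$GpoName"                           # firewall policy store inside the GPO

New-GPO -Name $GpoName -Domain $Domain | Out-Null

# Registry values behind the two Remote Desktop Session Host policies.
$settings = @{
    fDenyTSConnections = 0  # "Allow users to connect remotely by using Remote Desktop Services" = Enabled
    UserAuthentication = 1  # "Require user authentication ... Network Level Authentication" = Enabled
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Domain $Domain -Key $TsKey `
        -ValueName $name -Type DWord -Value $settings[$name] | Out-Null
}

# Inbound TCP 3389, Domain and Private profiles only (the Public profile stays closed).
$rule = @{
    PolicyStore = $Store
    DisplayName = 'Inbound Rule for RDP Port 3389'
    Direction   = 'Inbound'
    Protocol    = 'TCP'
    LocalPort   = 3389
    Action      = 'Allow'
    Profile     = 'Domain, Private'
}
New-NetFirewallRule @rule | Out-Null

# Link the GPO to the OU so it applies to the computers in it.
New-GPLink -Name $GpoName -Domain $Domain -Target $TargetOu | Out-Null

# Read back what the GPO now contains, for review before clients refresh policy.
Get-GPRegistryValue -Name $GpoName -Domain $Domain -Key $TsKey |
    Select-Object ValueName, Value
Get-NetFirewallRule -PolicyStore $Store |
    Select-Object DisplayName, Enabled, Profile, Direction, Action
```

After a policy refresh on a client, `gpresult /r /scope computer` should list the GPO among the applied computer policies.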
