Remote Desktop Services permissions
- Article
- 08/19/2020
- 2 minutes to read
- 3 contributors
Is this page helpful?
Yes No
Any additional feedback?
Feedback will be sent to Microsoft: By pressing the submit button, your feedback will be used to improve Microsoft products and services. Privacy policy.
Submit
Thank you.
In this article
You can use the permissions provided for Remote Desktop Services to control how users and groups access the server. For a description of the default permission types and more detailed information about Remote Desktop Services permissions in general, see the documentation that accompanies the Remote Desktop Services Configuration administrative tool. For information about configuring these permissions for Windows Server 2008, see Configure Permissions for Remote Desktop Services Connections.
Following is a list of the permissions that you can set and the tasks the permissions allow.
| Query Information |
Query sessions and servers for information. |
| Set Information |
Configure connection properties. |
| Remote Control |
View or actively control another user's session. |
| Logon |
Log on to a session on the server. |
| Logoff |
Log off a user from a session. Be aware that logging off a user without warning can result in loss of data at the client. |
| Message |
Send a message to another user's sessions. |
| Connect |
Connect to another session. |
| Disconnect |
Disconnect a session. |
| Virtual Channels |
Use virtual channels. Be aware that turning off virtual channels disables some Remote Desktop Services features such as clipboard and printer redirection. |
| Reset |
End a session. Be aware that ending a session without warning can result in loss of data at the client. |
The Logon permission is required for a user to log on to a new Remote Desktop Services session. All other Remote Desktop Services permissions apply to controlling another user's Remote Desktop Services session.
Remote Desktop Services permissions can be granted, or set, for individual users or groups. Users can also inherit permissions as a result of being a group member. The denial of a permission, however, overrides an inherited permission. For example, members of the Remote Desktop Users [RDU] group are granted the Query permission by default. If an Administrator sets the Query permission to "Deny" for that user, the user will not be able to query another user's session. After a user logs on to a session, the user is granted all other Remote Desktop Services permissions for his or her session.
How to add a user to Terminal Services RDP permissions by using WMI
- Article
- 09/24/2021
- 2 minutes to read
- 2 contributors
Is this page helpful?
Yes No
Any additional feedback?
Feedback will be sent to Microsoft: By pressing the submit button, your feedback will be used to improve Microsoft products and services. Privacy policy.
Submit
Thank you.
In this article
This article describes three methods to add users or groups to Terminal Services Remote Desktop Protocol [RDP] permissions.
Applies to: Windows Server 2012 R2
Original KB number: 290720
Managing Local Users and Groups
Users and groups on Windows servers are managed in a number of different ways, but the most user-friendly way is through the Local Users and Groups interface. There are several ways to open the interface. However, the easiest is to run “lusrmgr.msc”. Lusrmgr.msc can be launched by searching the start menu, command line, or through a run dialog. These methods allow you to find users and groups easily.
To manage local users and groups, you will need to be logged in with a user that has the proper permissions to do so. This is most commonly a user that is already a member of the Administrators group.
Once you open the Local Users and Groups interface, you will see two folders on the left, one for Users, and one for Groups. By selecting Users, you will see a full list of local users on the server. You can also see a variety of related tasks by right-clicking Users, Groups, a user’s name, or a blank area of the middle pane.
There are several ways to add a new user through the Local Users and Groups interface. These methods all result in the same “New User” dialog box opening where you can then configure a Username, Password, and other options. Choose one of the options below to create a new user:
- With the Users folder selected in the left pane, click the Action menu, then select “New User…”.
- With the Users folder selected in the left pane, click “More Actions” from the right- hand pane, then select “New User…”.
- Right-click the Users folder, then select “New User…”.
- With the Users folder selected in the left pane, right-click in a blank area of the middle page, then select “New User…”.
Once you have created a new user, or have identified the usernameof the existing user, you are ready to assign that user to a Group. Users assigned to a group are known as group members.
As with user management, group management can also be performed in several ways. The options below cover several of the most common ways to assign a new member tothe Remote Desktop Users group:
- Select the Users folder from the left pane of the Local Users and Groups interface, open the Users Properties window by double-clicking the user, select the “Member Of” tab, then click “Add…”. Now type “Remote Desktop Users” in the text box and click OK.
- Select the Groups folder from the left pane of the Local Users and Groups interface, double-click the “Remote Desktop Users” group, click “Add…”, enter the user'sname in the text box and click OK.
- Open the system settings by right-clicking the start menu and selecting “System”, choose “Advanced system settings”, select the “Remote” tab, click the “Select Users…” button then click the “Add” button. Now enter the user'sname in the text box and click OK.
- Open the “Server Manager”, select “Local Server” from the left pane, click the blue text next to “Computer Name”, select the “Remote” tab, click the “Select Users…” button then click the “Add” button. Now enter the user'sname in the text box and click OK.
When selecting users or groups, it is recommended to click the “Check Names” button after typing in the user or group name. If the name is underlined after clicking the “Check Names” button, then the name was identified correctly.
You can also use the “Advanced...” button when selecting users or groups instead of typing its name. Clicking the “Advanced...” button followed by the “Find Now” button will result in a list of users to select.
Add an Administrator
1
Log in to Windows with an administrator account. Click "Start," "Control Panel" and then click "User Accounts."
2
Click "Manage Another Account" and select "Create New Account." Enter a name for the new administrator account in the "New Account Name" field. Select the "Administrator" option and click "Create Account."
3
Click the name of the new administrator account in the "Choose the Account You Would Like to Change" window. After the Make Changes window opens, click "Create a Password." Enter a temporary password for the new administrator and confirm it in the subsequent fields. Click the "Create Password" button to save the new password. After the new administrator logs on to the machine, he can change the password by clicking the "Change Password" link in the Make Changes window for his user account.
Manage Local Users and Groups
Users and groups on Windows servers are managed in a number of different ways. The most user-friendly way is through the Local Users and Groups interface.
There are several ways to open the interface. The easiest is to run lusrmgr.msc. Lusrmgr.msc can be launched by searching the start menu, command line, or through a run dialog.
These methods allow you to find users and groups easily.
*
User Management
Once you open the Local Users and Groups interface, you will see two folders on the left, one for Users, and one for Groups. By selecting Users, you will see a full list of local users on the server.
You can also see a variety of related tasks by right-clicking Users, Groups, a user’s name, or a blank area of the middle pane.
There are several ways to add a new user through the Local Users and Groups interface. These methods all result in the same New User dialog box opening where you can then configure a Username, Password, and other options.
Choose one of the options below to create a new user:
The first way to create a new user
1. Select the Users folder from the left side of the screen.
2. Click the Action menu.
3. Select New User….
The second method to create a new user
1. Select the user folder from the left
2. Click More Actions from the right-hand pane.
3. Select New User… .
The third method to create a new user
1. Right-click on the Users folder.
2. Select New User….
The fourth method to create a new user
1. Select the users folder from the left side of the screen.
2. Right-click in a blank area of the middle page
3. Select New User….
Once you have created a new user, or have identified the username of the existing user, you are ready to assign that user to a Group.
Note: Users assigned to a group are known as group members.
Group Management
Group management can be done in several ways. The options below cover several of the most common ways to assign a new member to the Remote Desktop Users group:
The first way to Group Management
1.Select the Users folder from the left pane of the Local Users and Groups interface.
2.Open the Users Properties window by double-clicking the user.
3.Select the Member Of tab.
4.Click Add….
5.Type Remote Desktop Users in the text box and click OK.
The second way to Group Management
1.Select the Groups folder from the left pane of the Local Users and Groups interface.
2.Double-click the Remote Desktop Users group.
3.Click Add… .
4.Enter the user’s name in the text box and click OK.
The third way to Group Management
1.Open the system settings by right-clicking the start menu.
2.Select System.
3.Choose Advanced system settings.
4.Select the Remote tab.
5.Click the Select Users… button.
6.Click the Add button.
7.Enter the user’s name in the text box and click OK.
The fourth way to Group Management
1.Open the Server Manager.
2.Select Local Server from the left pane.
3.Click the blue text next to Computer Name.
4.Select the Remote tab.
5.Click the Select Users… button.
6.Click the Add button.
7.Now enter the user’s name in the text box and click OK.
You can also use the “Advanced…” button when selecting users or groups instead of typing its name.
Clicking the “Advanced…” button followed by the Find Now button will result in a list of users to select.
By default, there are no members of the Remote Desktop Users group and only members of the Administrators group are allowed to connect through RDP.
Members added to the Remote Desktop Users group are considered non-Administrative users. These users will be unable to perform most management tasks such as installing software, managing IIS, or rebooting the server.
If a user requires management abilities, the user will need explicit access to that task or will need to be a member of the Administrators.
Test Group Membership
When configuring new user and group memberships, you should always review group membership once complete.
Reviewing group membership is most commonly performed through the Local Users and Groups interface. In addition to verifying membership, we also recommend attempting a remote desktop connection with your newest Remote Desktop Users group member.
Once you have logged in with your newest member of the Remote Desktop Users group, you can further verify that groups are set up correctly by running the command “whoami /groups” from a command line.
The output of this command lists the username and its associated Group names.
Also, see:
How to transfer file using RDP to Windows Server
Learn how to change the default RDP port simply
4 Ways to enable remote desktop in windows 10
How to Set the RDP limit on Windows Server
Tutorial enable RDP on Windows Server 2019
Dear user, we hope you would enjoy thistutorial, you can ask questions about this training in the comments section, or to solve other problems in the field ofEldernode training, refer to theAsk pagesection and raise your problem in it as soon as possible. Make time for other users and experts to answer your questions.
Goodluck.