This is a group policy that I use pretty often to enable Remote Desktop Connection on a group of PCs, add the proper users to the local Remote Desktop Users group, and enable RDP access on Windows Firewall. I’ve decided to post this here because there have been some slight changes in Group Policy Management on Windows 2008 R2 / SBS 2011 / Windows 7 (just for the actual enabling of RDP, the other things stay the same as they were with 2003 / XP)
Here is how I configure this when I need to enable RDP on a collection of machines:
- Create a new OU in Active Directory for all of the computers, or if one already exists make sure all of the computer accounts that need to be changed are in it.
- Open Group Policy Management Console and create and link a new GPO to this OU. I typically right click at the root of the GPO, select Properties, and disable the User Configuration Settings. (I do this to cut down on GPO processing time, if we know there will only be computer settings in this GPO, why process all of the unchanged User Policy Settings?)
- First we’ll need to add the firewall exception, expand Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > enable the policy “Windows Firewall: Allow inbound Remote Desktop Exceptions”
- Repeat the above for the Standard Profile as well.
- Next we Enable Remote Desktop Connectivity, expand Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > enable the policy “Allow Users to connect remotely using Remote Desktop Services” Note: this used to be > Windows Components > Terminal Services > “Allow users to connect remotely using Terminal Services”
- Next we need to add the proper users/groups to the Remote Desktop Users group on each PC, expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
- Right Click on “Restricted Groups” and select “Add Group…”
- Enter “Remote Desktop Users” Note: don’t click the “Browse” button because you’re on a Domain Controller (well more than likely anyway) and you don’t want to choose BUILTIN\Remote Desktop Users, which is where the browse button will take you, you want to edit the membership of the local “Remote Desktop Users” group on each PC) and click OK
- Click the “Add…” button next to “Members of this group:”, and now click the “Browse” button, enter “Domain Users” (or whichever group you created) and then click “Check Names”, once you’ve verified that you’ve got the right group click “OK”
- Click “OK” twice more and close the GPO, once all of the machines have rebooted you’ll now be able to remote into any of these PCs as a member of Domain Users.