Monthly Archives: June 2011

Use Group Policy to enable Remote Desktop Connection on a group of PCs

This is a group policy that I use pretty often to enable Remote Desktop Connection on a group of PCs, add the proper users to the local Remote Desktop Users group, and enable RDP access in Windows Firewall. I’ve decided to post this here because there have been some slight changes in Group Policy Management on Windows 2008 R2 / SBS 2011 / Windows 7 (just for the actual enabling of RDP; the other things stay the same as they were with 2003 / XP).

Here is how I configure this when I need to enable RDP on a collection of machines:

  1. Create a new OU in Active Directory for all of the computers, or if one already exists make sure all of the computer accounts that need to be changed are in it.
  2. Open Group Policy Management Console and create and link a new GPO to this OU. I typically right click at the root of the GPO, select Properties, and disable the User Configuration Settings. (I do this to cut down on GPO processing time; if we know there will only be computer settings in this GPO, why process all of the unchanged User Policy Settings?)
  3. First we’ll need to add the firewall exception: expand Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile and enable the policy “Windows Firewall: Allow inbound Remote Desktop Exceptions”.
  4. Repeat the above for the Standard Profile as well.
  5. Next we enable Remote Desktop connectivity: expand Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections and enable the policy “Allow Users to connect remotely using Remote Desktop Services”. Note: this used to be > Windows Components > Terminal Services > “Allow users to connect remotely using Terminal Services”.
  6. Next we need to add the proper users/groups to the Remote Desktop Users group on each PC: expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
  7. Right Click on “Restricted Groups” and select “Add Group…”
  8. Enter “Remote Desktop Users” and click OK. (Note: don’t click the “Browse” button, because you’re on a Domain Controller (well, more than likely anyway) and you don’t want to choose BUILTIN\Remote Desktop Users, which is where the Browse button will take you; you want to edit the membership of the local “Remote Desktop Users” group on each PC.)
  9. Click the “Add…” button next to “Members of this group:”, then click the “Browse” button, enter “Domain Users” (or whichever group you created) and click “Check Names”. Once you’ve verified that you’ve got the right group, click “OK”.
  10. Click “OK” twice more and close the GPO. Once all of the machines have rebooted, you’ll be able to remote into any of these PCs as a member of Domain Users.
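
To confirm that all three settings from the steps above actually landed on a client, the following check can be run locally on one of the target PCs. It is an added example, not part of the original post; the helper names `Get-PolicyValue` and `New-Check` are made up for it, the registry paths are the locations where these Administrative Templates policies are stored, and the group name assumes an English-language Windows install.

```powershell
# Added example: run locally on a target PC after the GPO has applied (reboot or gpupdate).

function Get-PolicyValue {      # hypothetical helper: $null when the key or value is absent
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Check {            # hypothetical helper: one row of the report
    param([string]$Check, $Value, [bool]$OK)
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; OK = $OK }
}

$report = @()

# Step 5: the enabled policy is stored as fDenyTSConnections = 0.
$tsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$deny  = Get-PolicyValue $tsKey 'fDenyTSConnections'
$report += New-Check 'RDP allowed by policy' $deny ($deny -eq 0)

# Steps 3-4: firewall exception for each profile; RemoteAddresses is the allowed source scope.
foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
    $key     = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$fwProfile\Services\RemoteDesktop"
    $enabled = Get-PolicyValue $key 'Enabled'
    $scope   = Get-PolicyValue $key 'RemoteAddresses'
    $report += New-Check "Firewall exception ($fwProfile)" "Enabled=$enabled Scope=$scope" ($enabled -eq 1)
}

# Steps 6-9: members of the *local* group on this PC, read through the WinNT ADSI provider.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$report += New-Check 'Local Remote Desktop Users' ($members -join ', ') ($members.Count -gt 0)

$report | Select-Object Check, Value, OK | Format-Table -AutoSize
```

A `Scope` of `*` means the firewall exception accepts RDP from any source address; the same policy has an address field that can restrict it to a management subnet. Restricted Groups replaces the local group's membership, so the member list printed here should match exactly what was entered in step 9.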

Remote Web Workplace 2008 Users can only see one or few computers in the list of computers to connect to (RDP)

I just noticed that some of my users that use Remote Web Workplace (on SBS 2008) don’t have the ability to connect to certain computers within the network when they attempt to view a list of all computers. To be honest, I’m not quite certain how the list was originally created for each user, and I’m far too lazy to spend any time trying to figure that out.

I’m already certain that users have the right to connect to each PC because there is already a group policy in place that grants Domain Users RDP permissions to each computer in the domain (You can read about how to do that here), it’s just that when they click to view a list of computers to connect to on the RWW website, they only see one computer, or at best a few computers.

I’ve tried to find a more eloquent way to do this, but failed. The only way I could change this list was to make individual changes to each User’s or Computer’s properties within the Windows SBS Console. This is fine for networks with 5 computers, but if you’ve got 50 computers this could become painful.

Here are the steps to add computers to a user’s list:

  1. Open the Windows SBS Console
  2. Click on “Users and Groups” at the top
  3. On the “Users” tab, right click the user in question and select “Edit user account properties”
  4. Select “Computers” on the left
  5. Highlight each computer individually, and then check the box labeled “Can remotely access this computer”
  6. Click Apply when done, and have the user log off of the RWW site, and log back on
  7. They should now be able to see all computers when they view the list of computers to connect to.

This can also be performed on a computer basis by following these steps:

  1. Open the Windows SBS Console
  2. Click on “Network” at the top
  3. On the “Computers” tab, right click the computer in question and select “View computer properties”
  4. Select “User Access” on the left
  5. Highlight each user individually, and then check the box labeled “Can log on remotely to this computer”
  6. Click Apply when done, and have the user log off of the RWW site, and log back on
  7. They should now be able to see all computers when they view the list of computers to connect to.

That should do it. If anyone knows of a faster/better/easier way to do this, please let me know.