Use Group Policy to enable Remote Desktop Connection on a group of PCs

This is a group policy that I use pretty often to enable Remote Desktop Connection on a group of PCs, add the proper users to the local Remote Desktop Users group, and enable RDP access on Windows Firewall. I’ve decided to post this here because there have been some slight changes in Group Policy Management on Windows 2008 R2 / SBS 2011 / Windows 7 (just for the actual enabling of RDP, the other things stay the same as they were with 2003 / XP)

Here is how I configure this when I need to enable RDP on a collection of machines:

  1. Create a new OU in Active Directory for all of the computers, or if one already exists make sure all of the computer accounts that need to be changed are in it.
  2. Open Group Policy Management Console and create and link a new GPO to this OU. I typically right click at the root of the GPO, select Properties, and disable the User Configuration Settings. (I do this to cut down on GPO processing time, if we know there will only be computer settings in this GPO, why process all of the unchanged User Policy Settings?)
  3. First we’ll need to add the firewall exception, expand Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > enable the policy “Windows Firewall: Allow inbound Remote Desktop Exceptions”
  4. Repeat the above for the Standard Profile as well.
  5. Next we Enable Remote Desktop Connectivity, expand Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > enable the policy “Allow Users to connect remotely using Remote Desktop Services” Note: this used to be  > Windows Components > Terminal Services > “Allow users to connect remotely using Terminal Services”
  6. Next we need to add the proper users/groups to the Remote Desktop Users group on each PC, expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
  7. Right Click on “Restricted Groups” and select “Add Group…”
  8. Enter “Remote Desktop Users” Note: don’t click the “Browse” button because you’re on a Domain Controller (well more than likely anyway) and you don’t want to choose BUILTIN\Remote Desktop Users, which is where the browse button will take you, you want to edit the membership of the local “Remote Desktop Users” group on each PC) and click OK
  9. Click the “Add…” button next to “Members of this group:”, and now click the “Browse” button, enter “Domain Users” (or whichever group you created) and then click “Check Names”, once you’ve verified that you’ve got the right group click “OK”
  10. Click “OK” twice more and close the GPO, once all of the machines have rebooted you’ll now be able to remote into any of these PCs as a member of Domain Users.

16 thoughts on “Use Group Policy to enable Remote Desktop Connection on a group of PCs

  1. Łukasz

    Polish: Dzięki twojemu rozwiązaniu nie trzeba dodawać użytkowników pulpitu zdalnego lokalnie na każdej maszynie wszystko robimy przez GPO. Dziękuję bardzo, wałczyłem z tym od bardzo długiego czasu.
    English 🙂 (can be hard): You resolve problem adding remote desktop users on each computer, all you do by GPO. Thank you very much, i was dilling with this problem for long time.

    keywords: GPO, Remote desktop users, Remote desktop, Pulpit zdalny, odmówiono nawiązania połączenia, standard user, can’t connect RDP

  2. Abdul

    Short, sweet and to the point. Thanks to this article, I was able to Remote Desktop enable a selected OU in under five minutes.

  3. Nishant Rapate


    Great article for beginners, I have implemented the same some time ago, however it will help everyone.

    -Nishant Rapate

  4. Question

    It seems that this is cyclic; it looks like you added the group ‘Domain users’ to the group ‘Remote desktop users’, thus granting RDP permission to the whole domain users group

    I don’t understand why you don’t have a remote desktop users group, granting perms to that, and adding users to it. Perhaps I misunderstood the article.

    Ah yes, firewall wasn’t where it was listed on 2011. The enabled setting was where mentioned, which was good for me.

  5. Francesco

    Thanks a lot for this post, i was drowning in a lot of outdated (if not plainly wrong) KBs and blog posts 🙂

  6. Tomax Li

    Only you point out the difference between Wind0ws 2008 & Windows 2003 in group policy after I have searched at least 30 articles.

    [ Note: this used to be > Windows Components > Terminal Services > “Allow users to connect remotely using Terminal Services”. ]


Leave a Reply

Your email address will not be published. Required fields are marked *