Delegate permissions for non-admins to manage users of local computer group: Remote Desktop Users

    Question

  • Is there a way to give users without local Administrator rights on a PC the ability to add users to the PC's local Remote Desktop Administrators group?

    Our User Admin group needs this ability while setting up AD accounts, but they do not need local Administrator rights, only the ability to remotely manage the local Remote Desktop Users group.

    Thanks,

    -Matt


    There's no place like 127.0.0.1

    Wednesday, January 25, 2017 7:18 PM

Answers

  • Hi Matt! Here's what you can do rather quickly using Windows built-in tools:

    1. Create a startup script which will look for a group with a specifically formatted name in the AD.

    1.1. The name of such a group should include the computer's name. For example, the script may search for a group named like this: PC-RemoteDesktopAccess-%COMPUTERNAME%.

    1.2. If the group is found, the script adds it into the local "Remote Desktop Users" group.

    2. When needed, your User Admin specialists can just create a group in AD named by that template, replacing %COMPUTERNAME% with an actual computer's name, then populate this group with users which need remote access to the PC.


    https://exchange12rocks.org/ | http://about.me/exchange12rocks

    • Marked as answer by Matt5150 Wednesday, January 25, 2017 9:50 PM
    Wednesday, January 25, 2017 9:36 PM
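    A startup script implementing the approach in this answer, added here as an example; it is not the answerer's script and not Microsoft code. It assumes Windows 10 / Server 2016 or later (for Add-LocalGroupMember), that it runs as SYSTEM from a GPO computer startup script, and that $DelegatedOU (a placeholder) is the OU in which the User Admin team has been delegated the right to create groups. The lookup is deliberately restricted to that OU: a domain-wide search by name would let anyone able to create a group anywhere in AD grant themselves RDP access to a PC just by choosing the right group name.

```powershell
# Added example, not the answerer's script and not Microsoft code.
# Computer startup script for the per-computer-group approach described in this
# answer: look up the AD group PC-RemoteDesktopAccess-<COMPUTERNAME> and add it to
# the local "Remote Desktop Users" group.
# Assumptions: runs as SYSTEM from a GPO startup script (reads AD with the computer
# account, may change local groups); Windows 10 / Server 2016 or later, which ship
# Add-LocalGroupMember; $DelegatedOU is a placeholder for the OU in which the
# User Admin team is delegated the right to create groups.

$DelegatedOU = 'OU=RemoteDesktopAccess,DC=example,DC=com'   # placeholder, adjust to your forest
$GroupName   = "PC-RemoteDesktopAccess-$env:COMPUTERNAME"
$LocalGroup  = 'Remote Desktop Users'

# Search only the delegated OU, one level deep. A domain-wide search by name would
# let anyone able to create a group anywhere in AD grant themselves RDP access to
# this PC simply by choosing the right group name.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$DelegatedOU"
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
$searcher.Filter      = "(&(objectCategory=group)(sAMAccountName=$GroupName))"
[void]$searcher.PropertiesToLoad.Add('objectSid')
$found = $searcher.FindOne()

if ($null -eq $found) {
    Write-Output "No group named $GroupName under $DelegatedOU; nothing to do."
    exit 0
}

# Work with the group's SID rather than its name from here on: the SID is what ends
# up in the local group and in users' tokens, and it cannot be confused with a
# later-created group that happens to carry the same name.
$sidBytes = $found.Properties['objectsid'][0]
$sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

# Idempotent: compare existing members by SID so the script can run at every boot.
$alreadyMember = Get-LocalGroupMember -Group $LocalGroup |
    Where-Object { $_.SID.Value -eq $sid.Value }

if ($alreadyMember) {
    Write-Output "$GroupName ($($sid.Value)) is already in '$LocalGroup'."
} else {
    Add-LocalGroupMember -Group $LocalGroup -Member $sid.Value
    Write-Output "Added $GroupName ($($sid.Value)) to '$LocalGroup'."
}
```

    Deploy it as a computer startup script in a GPO linked to the workstation OU so it runs as SYSTEM at every boot; because membership is compared by SID, re-running it is harmless, and the script's output in the startup-script log gives you a per-machine record of which group was granted access.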
  • > Hi Matt! Here's what you can do rather quickly using Windows built-in tools:
    >
    > 1. Create a startup script which will look for a group with a specifically formatted name in the AD.
    >
    > 1.1. The name of such a group should include the computer's name. For example, the script may search for a group named like this: PC-RemoteDesktopAccess-%COMPUTERNAME%.
    >
    > 1.2. If the group is found, the script adds it into the local "Remote Desktop Users" group.
    >
    > 2. When needed, your User Admin specialists can just create a group in AD named by that template, replacing %COMPUTERNAME% with an actual computer's name, then populate this group with users which need remote access to the PC.
    >
    > https://exchange12rocks.org/ | http://about.me/exchange12rocks

    Well, that didn't work. Not sure if it was because of the %ComputerName% variable or what. But that got me thinking about using GPP.

    First I confirmed I wasn't able to log in to computer WKTEST01 with user domain\TSTUSER1.

    Then I created a new OU for Remote Desktop Users.

    Then created a new GPO and set a Computer GPP to add "domain\%ComputerName%" to the local Remote Desktop Users group.


    To test the process, I created a new group in that OU, named WKTEST01, and added TSTUSER1 as a member.

    Then after a reboot, I was successfully able to RDP using that non-admin account.

    I wish it was a bit simpler for the User Admin folks (I thought about scripting something to create the groups when a computer joins the domain or something), but it will work!

    -Matt


    There's no place like 127.0.0.1

    • Marked as answer by Matt5150 Wednesday, January 25, 2017 10:50 PM
    Wednesday, January 25, 2017 10:50 PM
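    A helper for the User Admin team under the GPP setup described in this post, added here as an example and not the poster's code. It assumes the RSAT ActiveDirectory module, that the team has been delegated the right to create groups and to write group membership only on $DelegatedOU (a placeholder), and it reuses the sample names WKTEST01 and TSTUSER1 from the post. Before creating a group it checks that a computer object with that name exists, so a typo cannot leave behind an orphan group. One caveat on the design worth keeping in mind: the GPP item resolves domain\%ComputerName% by name across the whole domain, so delegation on the OU constrains the User Admin team but not any other principal who can create groups elsewhere in the domain; keep group-creation rights tight and audit group creation.

```powershell
# Added example, not the poster's code. Helper for the User Admin team under the
# GPP setup described above: the GPP item adds "DOMAIN\%ComputerName%" to each
# PC's local Remote Desktop Users group, so granting a user RDP access to a PC
# means putting that user into a domain group named exactly like the PC.
# Assumptions: RSAT ActiveDirectory module is installed; the team is delegated
# "Create Group objects" and write access to the member attribute only on
# $DelegatedOU (placeholder); the names below are placeholders taken from the post.

function Grant-RdpAccess {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $UserName,
        [string] $DelegatedOU = 'OU=RemoteDesktopUsers,DC=example,DC=com'   # placeholder
    )

    # Refuse to act on a computer that does not exist in AD. This catches typos
    # (which would otherwise leave an orphan group that matches nothing) and
    # prevents pre-seeding access for machines that are not domain members.
    $computer = Get-ADComputer -Filter "Name -eq '$ComputerName'"
    if (-not $computer) { throw "No computer object named '$ComputerName' in AD." }

    # Fails with a clear error if the user does not exist.
    $user = Get-ADUser -Identity $UserName -ErrorAction Stop

    # The group name must equal the computer name exactly, because the GPP item
    # resolves %ComputerName% on each machine when the policy applies.
    $group = Get-ADGroup -Filter "Name -eq '$ComputerName'" `
                         -SearchBase $DelegatedOU -SearchScope OneLevel
    if (-not $group) {
        $group = New-ADGroup -Name $ComputerName -Path $DelegatedOU `
                             -GroupScope Global -GroupCategory Security `
                             -Description "Remote Desktop access to $ComputerName" `
                             -PassThru
    }

    # Idempotent membership change, compared by SID rather than by display name.
    $existing = Get-ADGroupMember -Identity $group |
        Where-Object { $_.SID.Value -eq $user.SID.Value }
    if ($existing) {
        return "$UserName already has RDP access to $ComputerName via group $($group.Name)."
    }

    Add-ADGroupMember -Identity $group -Members $user
    # Takes effect once the GPP item has re-applied on the PC (policy refresh or
    # reboot, as in the post) and the user logs on afresh.
    return "Granted $UserName RDP access to $ComputerName via group $($group.Name)."
}

# Example run with the names from the post (placeholders).
Grant-RdpAccess -ComputerName 'WKTEST01' -UserName 'TSTUSER1'
```

    Because the function only ever creates groups under $DelegatedOU and only adds the named user, the User Admin team needs no rights outside that OU and no local Administrator membership on any PC, which is exactly the separation the question asks for.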

All replies

  • Hi

    You can configure a "restricted group policy" to add these users to the Remote Desktop Users group:

    http://www.vkernel.ro/blog/add-domain-users-to-local-remote-desktop-users-group-using-group-policy

    https://social.technet.microsoft.com/wiki/contents/articles/17671.how-to-add-domain-usersgroup-to-remote-desktop-users-group-on-servers-using-group-policy.aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Wednesday, January 25, 2017 7:40 PM
  • > Hi
    >
    > You can configure a "restricted group policy" to add these users to the Remote Desktop Users group:
    >
    > http://www.vkernel.ro/blog/add-domain-users-to-local-remote-desktop-users-group-using-group-policy
    >
    > https://social.technet.microsoft.com/wiki/contents/articles/17671.how-to-add-domain-usersgroup-to-remote-desktop-users-group-on-servers-using-group-policy.aspx
    >
    > This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Unfortunately that won't work. We don't want to give every user we add access to every PC subject to this GPO.

    We need a group of users to have rights on all PCs to add specific users to the Remote Desktop Users group on that user's everyday PC only, without giving this support group local admin rights.


    There's no place like 127.0.0.1


    • Edited by Matt5150 Wednesday, January 25, 2017 8:03 PM
    Wednesday, January 25, 2017 8:00 PM
  • That's not a bad idea!

    Thanks!


    There's no place like 127.0.0.1

    Wednesday, January 25, 2017 9:52 PM
  • Somehow I didn't think that GPP can accept environment variables in group names. Of course GPP is a much better solution. Well done!

    https://exchange12rocks.org/ | http://about.me/exchange12rocks

    Wednesday, January 25, 2017 11:39 PM
  • > Then created a new GPO and set a Computer GPP to add "*domain\%ComputerName%*" to the local *Remote Desktop Users* group.

    Thursday, January 26, 2017 9:42 AM