I want to understand what this group policy is doing (remote desktop)

    Question

  • I followed this little guide to get RDP working on my servers:

    http://www.dannyeckes.com/server-2012-enable-remote-desktop-rdp-group-policy-gpo/

    I'm wondering what exactly the A. and B. steps are doing.

    Let's compare it to how I would manually enable Remote Desktop on a Windows machine:

    Start -> Control Panel -> System -> Remote Settings -> Remote -> Allow connections -> Select Users

    So here I would add a security group I have created, for example: mydomain\RDP.Users

    Now, let's look at steps A. and B.

    A. Group Policy -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on through Remote Desktop Services

    This part makes sense.  It seems like I am doing the same thing as above, simply adding "mydomain\RDP.Users" to the Allowed Users list.  One strange unexpected behavior though: I had to specifically allow the "Administrators" group as well.  I thought they were always allowed by default to connect to an RDP enabled host?

    B. Group Policy -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups

    This part I don't understand at all.  Why am I editing "Restricted" groups?  Secondly, I add the "Remote Desktop Users" group here.  Technically this shows up in the GPO summary as "BUILTIN\Remote Desktop Users".

    Then I have to add "mydomain\RDP.Users" (and "Administrators") to the "BUILTIN\Remote Desktop Users" group?  Why do I have to authorize these groups to connect, again?  In two separate places?  Why do I have to add them to this BUILTIN group?

    Is this BUILTIN to the domain, or BUILTIN to the local host?  Is "Remote Desktop Users" a local group that is built into every Windows machine that I have to populate with this AD group?

    Friday, August 21, 2015 5:11 AM

Answers

  • Hi,

    The second one (B) is just using restricted groups GPO settings to publish that group as member to another group or controlling membership of the group, but it has nothing to do with the RDP settings and allowing users/groups to RDP to machines. This setting is mostly being used to control membership of Administrators (or other groups) on your domain computers, for example.

    Administrators group membership should be allowed to have RDP on the computer even if they are not listed there, unless they are specifically denied.

    Hope this helps.

    Regards,

    Calin

    Friday, August 21, 2015 9:27 AM
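As an added check (not code from the thread or the linked guide), the following PowerShell, run elevated on a domain-joined host after the GPO has applied, shows where the two settings actually land: step A as the SeRemoteInteractiveLogonRight user right, step B as membership of the local Remote Desktop Users group. It assumes Windows 10 / Server 2016 or later for Get-LocalGroupMember, and mydomain\RDP.Users is the placeholder name from the question.

```powershell
# Added example, not from the thread: audit how a host actually grants RDP logon.
# Assumes Windows 10 / Server 2016+ (Get-LocalGroupMember) and an elevated prompt.
# Step A sets the user right SeRemoteInteractiveLogonRight (a GPO user-rights
# entry REPLACES the local list, which is why Administrators had to be re-added);
# step B fills the local group BUILTIN\Remote Desktop Users via Restricted Groups.
param(
    [string]$GroupToCheck = 'mydomain\RDP.Users'   # placeholder name from the question
)

function Resolve-SidString([string]$value) {
    # secedit writes well-known accounts as *S-1-5-...; translate to a name when possible.
    if (-not $value.StartsWith('*')) { return $value }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($value.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $value }
}

# 1. Export the effective local security policy and parse the user-rights section.
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $name = $matches[1]; $raw = $matches[2]
        $rights[$name] = @($raw -split ',' | ForEach-Object { Resolve-SidString $_.Trim() })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$allow = @($rights['SeRemoteInteractiveLogonRight'])
$deny  = @($rights['SeDenyRemoteInteractiveLogonRight'])

# 2. Membership of the local (not domain) built-in group that step B manages.
$rdu = @(Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name)

# 3. Report: a principal needs the user right (directly, or via Remote Desktop Users
#    when that group holds the right) and must not be on the deny list; deny wins.
[pscustomobject]@{
    AllowLogOnThroughRDS  = $allow -join '; '
    DenyLogOnThroughRDS   = $deny  -join '; '
    RemoteDesktopUsers    = $rdu   -join '; '
    GroupHasRightDirectly = $allow -contains $GroupToCheck
    GroupViaRDUGroup      = ($rdu -contains $GroupToCheck) -and ($allow -contains 'BUILTIN\Remote Desktop Users')
    GroupExplicitlyDenied = $deny  -contains $GroupToCheck
} | Format-List
```

If GroupHasRightDirectly and GroupViaRDUGroup are both false after a gpupdate, the GPO is not reaching this host (check scope, link and security filtering with gpresult /r).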

All replies

  • Hi,

    Thanks for your post.

    The Remote Desktop Users group is one of the built-in user groups available when you install one of the Windows Server 2003 operating systems (and later). Members of this group are able to log on remotely to a terminal server on which Remote Desktop is enabled.

    Please also refer to the articles for details.

    https://technet.microsoft.com/en-us/library/Cc781509(v=WS.10).aspx

    Best Regards,

    Mary Dong


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 24, 2015 5:46 AM
    Moderator