We are going to give a group of people RDP access to workstations, together with local administrator rights on them.
In order for RDP to work we also need to open the firewall.
While reading, you might want to consider splitting this (monolithic) GPO and single Security Group into 2 Security Groups and 3 smaller GPOs, so that each right can be granted and revoked on its own:
(1) Local Admin Security Group + Give Local Admin rights GPO
(2) RDP access Security Group + Give RDP rights GPO
(3) Open RDP firewall ports.
To accomplish this, we will be doing the following:
- Create a new Security Group containing the people who need local admin and RDP access
- Create Group Policy to grant the RDP and local administrator rights to our group of people.
- Enable Allow users to connect remotely by using Remote Desktop Services in our GPO
- Allow Inbound Remote Desktop exceptions GPO
- Testing our new Security Group / GPO setup.
- Verify Group membership
- Verify RDP Settings
- Create new Security Group named Local Administrators
On your DC open Active Directory Users and Computers (dsa.msc)
- Give it a name – Note the Group Scope and Group Type.
- Right-click the new Group and select Properties. Go to the Members tab and click Add…
- Add the Names or Groups you wish to add. You can browse using the Advanced… button. Click OK and OK when done.
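The same group creation and membership step, done with the ActiveDirectory PowerShell module on the DC. This is an added example, not code from the original guide; the OU path, the Global scope and the member account names are assumptions, since the guide only states the group name and that it is a Security Group.

```powershell
# Added example (not from the original guide): create the Security Group from step 1
# with the ActiveDirectory module and add its members.
# Assumptions not stated on the page: the group is a Global security group, it lives in
# OU=Groups,DC=test,DC=local, and the member sAMAccountNames are constructed samples.
Import-Module ActiveDirectory

$groupName = 'Local Administrators'
$groupOu   = 'OU=Groups,DC=test,DC=local'   # assumed OU
$members   = @('morten', 'jdoe')            # constructed sample accounts

# Create the group only if it does not already exist, so the script can be re-run safely
$existing = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $groupOu -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ADGroup -Name $groupName `
        -GroupScope Global -GroupCategory Security -Path $groupOu `
        -Description 'Members get local admin + RDP on workstations via the Local Administrators GPO'
}

# Membership belongs in this AD group (see the note in the Restricted Groups step),
# never in the GPO itself; the GPO only says where the group is placed.
Add-ADGroupMember -Identity $groupName -Members $members

# Review who will receive the rights before the GPO goes live.
# -Recursive also expands nested groups, which is where unexpected members usually hide.
Get-ADGroupMember -Identity $groupName -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

Reviewing the recursive membership is the check worth keeping: every account listed here becomes a local administrator on every machine the GPO reaches.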
- Create a new Group Policy named Local Administrators.
- Open the Group Policy Management (gpmc.msc)
Browse to the OU where you want the GPO to be placed, right-click it and choose Create a GPO in this domain, and Link it here…
Note: you can’t link it to the default Computers container. So either create a new OU for your computers, or link the GPO in the root of the domain; just be aware of the security risk that, linked at the root, these permissions will hit your servers as well.
- Name it Local Administrators and click
- Right-click your new GPO and select Edit
- Browse through:
Computer Configuration - Policies - Windows Settings - Security Settings - Restricted Groups
Right-click the Restricted Groups folder and click Add Group…, click Browse…, enter the name of the Security Group we created in step 1: Local Administrators, and click Check Names, then OK and OK.
Note: We have now added the Group from step 1 to the Restricted Groups.
- Right-click the Group and select Properties
- Next to the This Group is member of: click Add…
- Click Browse in the small Group Membership window, enter Remote Desktop Users and Administrators and Check Names, OK and OK.
Note: Members of this Group should be specified directly in the Security Group from step 1 and not here.
- Review the membership you just configured and click OK.
- Enable Allow users to connect remotely by using Remote Desktop Services in our GPO
- If not open, open Group Policy Management (gpmc.msc), browse to and right-click your GPO and select Edit
- Navigate to:
Computer Configuration - Policies - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Connections
Set: Allow users to connect remotely by using Remote Desktop Services: Enabled
- Select Enabled and Apply/OK
- Prevent Local Administrators from making changes to our new setting:
Computer Configuration - Policies - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Security
Set: Do not allow local administrators to customize permissions: Enabled
Note: this is to prevent a local admin from turning off our other RDP GPO settings.
Set it to Enabled and Apply/OK
- Enable Require user authentication for remote connections by using Network Level Authentication
Computer Configuration - Policies - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Security
Set: Require user authentication for remote connections by using Network Level Authentication: Enabled
Be sure your environment meets this requirement.
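The GPO creation, the link, the three Remote Desktop Session Host settings above and the inbound Remote Desktop firewall exception from the step that follows, done with the GroupPolicy module instead of the GPO editor. This is an added example, not the guide's own code. The workstation OU is an assumption, and the registry locations are the values I know the ADMX templates write for these policies; confirm them against the ADMX files in your central store before relying on them. Restricted Groups has no cmdlet, so that step stays in the editor.

```powershell
# Added example (not from the original guide): build the Local Administrators GPO with
# the GroupPolicy module. Assumptions: the OU path is invented; the registry keys and
# values below are what the ADMX templates write for the named policies (verify against
# your ADMX). The Restricted Groups membership still has to be set in the GPO editor.
Import-Module GroupPolicy

$gpoName  = 'Local Administrators'
$targetOu = 'OU=Workstations,DC=test,DC=local'   # assumed OU; deliberately not the domain root, so servers are not hit

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Local admin + RDP for the Local Administrators group'
}

# Link the GPO to the OU (the error is suppressed if the link already exists)
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

$ts = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
# Connections: Allow users to connect remotely by using Remote Desktop Services = Enabled
Set-GPRegistryValue -Name $gpoName -Key $ts -ValueName 'fDenyTSConnections'   -Type DWord -Value 0 | Out-Null
# Security: Do not allow local administrators to customize permissions = Enabled
Set-GPRegistryValue -Name $gpoName -Key $ts -ValueName 'fWritableTSCCPermTab' -Type DWord -Value 0 | Out-Null
# Security: Require user authentication for remote connections by using NLA = Enabled
Set-GPRegistryValue -Name $gpoName -Key $ts -ValueName 'UserAuthentication'   -Type DWord -Value 1 | Out-Null

# Domain Profile: Windows Firewall: Allow inbound Remote Desktop exceptions = Enabled.
# RemoteAddresses is the policy's source filter; 'LocalSubnet' is tighter than '*'.
$fw = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop'
Set-GPRegistryValue -Name $gpoName -Key $fw -ValueName 'Enabled'         -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $fw -ValueName 'RemoteAddresses' -Type String -Value 'LocalSubnet' | Out-Null

# Read back what the GPO now carries, before any client picks it up
Get-GPRegistryValue -Name $gpoName -Key $ts
Get-GPRegistryValue -Name $gpoName -Key $fw
```

Keeping the link on a workstation OU rather than the domain root is what turns the guide's warning about servers into something enforced by the configuration itself; the two `Get-GPRegistryValue` calls at the end let you diff the GPO against this script whenever someone edits it by hand.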
- Allow Inbound Remote Desktop exceptions GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
Edit: Windows Firewall: Allow Inbound Remote Desktop exceptions: Enabled
- Testing our new Security Group / GPO setup.
Either restart your PC or type gpupdate /force in cmd or similar.
- Verify Group membership
Open Local Users and Groups (lusrmgr.msc), go to Groups, right-click Administrators and choose Properties
- Verify our Local Administrators Group we created in step 1 is listed in Members
Verify RDP settings:
- Open the Control Panel – System and Security – System (SystemPropertiesRemote.exe) and click Remote Settings.
- Enter credentials for one of our now-enabled Local Administrators in the UAC popup and click Yes
- Verify the settings and click Select Users…
Note: notice the greyed-out settings, which are due to our GPO
- Notice our Local Administrators Group and how it says TEST\morten already has access (via the Group, so no need to add myself again).
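The same three checks (group membership, RDP settings, firewall) as a script you can run on a workstation in the target OU, instead of clicking through lusrmgr.msc and Remote Settings. This is an added example, not from the original guide; the domain name TEST and the group name come from the guide, the peer hostname is constructed, and the policy registry key is the one the Remote Desktop Session Host policies write to.

```powershell
# Added example (not from the original guide): verify on a workstation that the GPO and
# group actually landed. Assumptions: domain TEST and group name from the guide; the peer
# hostname used for the port check is constructed; run in an elevated prompt.
gpupdate /force /target:computer | Out-Null
gpresult /r /scope:computer            # lists the applied computer GPOs; 'Local Administrators' should appear

# 1. Restricted Groups: is the AD group from step 1 now in local Administrators?
$want   = 'TEST\Local Administrators'
$admins = Get-LocalGroupMember -Group 'Administrators'
$admins | Select-Object Name, PrincipalSource
if ($admins.Name -notcontains $want) { Write-Warning "$want is missing from local Administrators" }

# 2. RDP policies: the policy key takes precedence over the live settings under
#    CurrentControlSet, so this is where the greyed-out values in Remote Settings come from.
$ts = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
[pscustomobject]@{
    RdpAllowed            = ($ts.fDenyTSConnections -eq 0)
    NlaRequired           = ($ts.UserAuthentication -eq 1)
    LocalAdminsLockedOut  = ($ts.fWritableTSCCPermTab -eq 0)
}

# 3. Remote Desktop Users: the group is expected here too (this is what the
#    Select Users… dialog shows), so members do not need to be added one by one.
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, PrincipalSource

# 4. Firewall exception and listener: probe a second workstation in the same OU
#    (name constructed). A failed test from an allowed subnet means the exception
#    or the GPO link did not apply there.
Test-NetConnection -ComputerName 'WS-TEST01' -Port 3389 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

If check 1 passes but check 2 shows `RdpAllowed` as false, the Restricted Groups part of the GPO applied but the Administrative Templates part did not, which usually points at a filtering or ADMX problem rather than at the group.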