Server 2012 Enable Remote Desktop (RDP) through Group Policy (GPO)
2014-08-06 14:55
http://www.dannyeckes.com/server-2012-enable-remote-desktop-rdp-group-policy-gpo/
Since my ESX lab is all virtual I don’t have any monitors connected to my servers. The best way to manage these servers is by connecting remotely. I want to be able to remote onto all my computers but limit which users can remote onto these machines. The best way to do this is through a group policy that sets this up on all machines.
My GPO will need to do the following:
Enable Remote Desktop Service
Open the Firewall to allow Remote Desktop
Disallow local admins from making changes
Only allow certain users to log on remotely.
CREATE A SECURITY GROUP
I want only members of a specific security group to use Remote Desktop, so I need to create a group for these users to be a member of.
Open up Active Directory Users and Computers.
Create an Organizational Unit (OU) called “DOMAIN – Groups”
Under your Groups OU create another OU called “Security”. This is where we will hold all of our security groups.
Right click Security and select New > Group.
Give the group a name. I used “SG – Remote Desktop Users”.
CREATE THE GPO
Now that we have a security group, we need to enable RDP and allow only members of this group to connect to our systems.
Log into your Domain Controller.
On the Start Screen type: gpmc.msc. This will pull up the Group Policy Management Console.
Right click on your domain and select “Create a GPO in this domain, and Link it here…”. I am creating this GPO at the root of my domain to allow access to all servers and computers in my domain. This might not be exactly what you want to do; if your situation is different, select the OU you want this policy to apply to instead of your domain.
Name the GPO. I used “Enable RDP” to keep it simple. This will create a blank GPO and a link to it.
Right click the GPO or the Link and select “Edit…”
This will pull up the Group Policy Editor.
We are only going to be modifying Computer Settings. We need to enable RDP, open the Firewall, and allow the security group members. Set the following:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow Log on through Remote Desktop Services.
Add Users or Group…
Browse and search for your Security Group. In my case it was “SG – Remote Desktop Users”.
Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
Right Click in the blank area and select Add Group…
Browse and find “Remote Desktop Users”
Select OK
Double Click Remote Desktop Users
Select Add for “Members of this Group”
Browse and find your Security group.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Inbound Remote Desktop exceptions: Enabled
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow user to connect remotely by using Remote Desktop Services: Enabled
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Do not allow local administrators to customize permissions: Enabled
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using NLA: Disabled
That should be it! Just wait for or force your computers to update Group Policy. Now any user who is a member of your security group can RDP to your computers.
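As an added check that is not part of the original post, the PowerShell script below, run as an administrator on a domain member after Group Policy has refreshed, reads back the settings this GPO is meant to produce and warns about the two things most worth knowing: a GPO-defined user right replaces the local list, so built-in Administrators lose RDP unless they are also in the domain group, and the NLA setting above leaves network-level authentication off. The group name and the temporary file path are assumptions; adjust them to your environment.

```powershell
# Added verification script (not from the original post). Run elevated on a domain
# member after 'gpupdate /force' to confirm what the "Enable RDP" GPO actually produced.
$ExpectedGroup = 'SG - Remote Desktop Users'   # assumption: the group created earlier (the post's name uses a dash)
$findings = @()

# 1. Effective RDP switch: fDenyTSConnections = 0 means connections are allowed.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
if ($deny -ne 0) { $findings += 'RDP is still disabled (fDenyTSConnections != 0); GPO not applied yet?' }

# 2. NLA: the post sets the policy to Disabled, which leaves pre-authentication of the
#    RDP client off. Flag it so the weaker setting is a deliberate choice, not an accident.
$rdpTcp = "$ts\WinStations\RDP-Tcp"
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) { $findings += 'NLA is not required (UserAuthentication = 0); consider enabling it' }

# 3. Firewall: an enabled inbound "Remote Desktop" rule must exist for the Domain profile.
$fw = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
      Where-Object { $_.Enabled -eq 'True' -and ($_.Profile -match 'Domain|Any') }
if (-not $fw) { $findings += 'No enabled inbound Remote Desktop firewall rule for the Domain profile' }

# 4. Restricted Groups: the local "Remote Desktop Users" group should contain only the
#    domain group. 'net localgroup' works on Server 2012 without extra modules; the filter
#    strips its header, separator and trailer lines so only member names remain.
$members = (net localgroup 'Remote Desktop Users') |
           Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
$unexpected = $members | Where-Object { $_ -notlike "*\$ExpectedGroup" -and $_ -ne $ExpectedGroup }
if ($unexpected) { $findings += "Unexpected Remote Desktop Users members: $($unexpected -join ', ')" }

# 5. User right: export the effective local security policy and read the line for
#    SeRemoteInteractiveLogonRight ("Allow log on through Remote Desktop Services").
#    A GPO-defined user right REPLACES the local list (it is not merged), so Administrators
#    drop out unless they are in the domain group. The line lists holders as SIDs.
$cfg = Join-Path $env:TEMP 'secpol.inf'   # assumption: a writable temp location
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
Remove-Item $cfg -ErrorAction SilentlyContinue
Write-Host "Allow log on through Remote Desktop Services -> $right"

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'RDP GPO verified: all checks passed' }
```

Run it once before linking the GPO and once after, and the difference between the two SeRemoteInteractiveLogonRight lines shows exactly which principals gained or lost remote logon.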