This post offers three tested ways to add domain user to Remote Desktop group. If you seek a simpler approach to granting users secure remote access permissions to a server, this post offers a superior solution.
Remote Desktop group is normally known as the Remote Desktop Users group. In Windows operating systems, the Remote Desktop Users group is an inherent feature that confers its members with the requisite permissions for initiating remote desktop sessions.
Typically, individuals in the Remote Desktop Users and Administrators groups can access remote desktops on both workstations and servers. However, on domain controllers, this privilege is restricted exclusively to members of the Administrators group.
Incorporating users into this group enables administrators to regulate remote system connections, fostering a heightened level of security within the remote access environment.
Using group-based access whenever feasible is advisable. This facilitates streamlined user access management, simplifying the process of adding or removing users from relevant groups as needed.
Prior to adding individual users to the Remote Desktop Users group, it's advisable to establish a security group to serve as a member. This approach enables the creation of multiple groups as required, enhancing the organization and efficiency of user access management.
Typically, two methods are employed. Follow the steps below to learn how to create a security group and include a domain user in the Remote Desktop group using either the Active Directory Users and Computers (ADUC) console or PowerShell.
To create the allow RDP Users group using ADUC console:
Step 1. Log in to the domain controller and launch the ADUC console. You can do this by opening the Run box using the "Windows" key + "R", and then typing "dsa.msc".
Step 2. Navigate to the desired Active Directory OU container, such as the Users OU.
Step 3. Click on the "New Group" button.
Step 4. In the "New Object - Group" window, input the group name, select the group scope, choose "Security" as the group type, and click "OK".
Step 5. Once the security group is established, proceed to add members (users and groups) to it, designating them as Remote Desktop Access users.
Step 6. After adding the intended members, click "OK" to confirm changes and close the group properties window.
To create the allow RDP Users group using PowerShell:
Step 1. Log in to the server and initiate an elevated PowerShell session.
Step 2. Execute the following command to create the security group named "Allow RDP Users" within the Users OU:
Now that you have created a security group successfully, you can add domain user to this group following the three tested ways below.
To add users to the Remote Desktop Users group using GPO:
Step 1. Begin by opening the Group Policy Management Console (GPMC) on the domain controller. You can do this by opening the Run box using the "Windows" key + "R", and then typing "gpmc.msc".
Step 2. Right-click on the domain and select "Create a GPO in this domain, and Link it here."
Note: Alternatively, you can create and link the new GPO in a specific OU.
Step 3. Enter "Remote Desktop Users Policy" as the policy name and click "OK".
Step 4. Right-click on the newly created policy and choose "Edit".
Step 5. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings.
Step 6. Right-click on "Restricted Groups" and select "Add Group".
Step 7. In the Add Group dialog box, type "Remote Desktop Users" and click "OK".
Note: Do not click Browse as "Remote Desktop Users" will not appear in Active Directory since it's a local group on each computer.
Step 8. The Remote Desktop Users Properties window will open. Under the "Members of this group" property, click "Add".
Step 9. Browse for the security group created earlier ("Allow RDP Users") and designate it as a member of the Remote Desktop Users group.
Note: You can also include domain users in the Remote Desktop Group.
Step 10. Click "OK" on the Remote Desktop Users Properties to save the changes.
Step 11. Close the Group Policy Editor and the Group Policy Management window.
Step 12. Finally, allow time for the group policy to replicate throughout the domain. Alternatively, you can force the group policy for Remote Desktop Users by executing "gpupdate /force".
To add users to the Remote Desktop Users group using PowerShell:
Step 1. Execute the following command:
Step 2. Next, utilize the following PowerShell command to verify the group membership:
Step 3. Upon inspection, you'll observe that your AAD account has been successfully added. Furthermore, navigating to Computer Management, you'll find it reflected in the user interface as well.
To add users to the Remote Desktop Users group using CMD:
Step 1. Begin by opening the Command Prompt as an administrator.
Step 2. Enter the following command and press Enter. Make sure to replace "UserName" with the desired user account you wish to add to the Remote Desktop Users group.
If you need to remove a user from the Remote Desktop Users group, execute the following command:
Incorporating a domain user into the Remote Desktop group enhances the security of the remote access environment. Nevertheless, ensuring secure remote desktop permissions doesn't need to be overly complex.
AnyViewer is a free remote desktop software that places a premium on security. It incorporates features like asymmetric ECC 256-bit end-to-end encryption to safeguard remote desktop connections. Devices logged into the same account enjoy unattended remote access. Rest assured, user logon is fortified by two-factor authentication, while remote sessions benefit from multiple security measures.
To boost remote work efficiency and bolster effective group management, AnyViewer has introduced the Join Team feature. This feature is instrumental in promoting seamless team collaboration. Its core objective is to empower super administrators to easily add sub-accounts and grant them administrative privileges. This facilitates remote management of multiple devices.
Furthermore, AnyViewer offers a Role Permission management feature. Within the account web page, administrators can establish sub-account role groups for employees at different levels and allocate specific permissions to each group. This functionality proves especially beneficial in situations requiring the restriction of sub-accounts under distinct roles to access and utilize only designated functions, thus mitigating the risk of unauthorized access and potential data breaches.
Note: Both Join Team and Role Permission features are exclusive to AnyViewer Enterprise Edition, please upgrade your account after registering.
How to securely access the remote server with AnyViewer:
Step 1. Begin by downloading and installing AnyViewer on your primary computer, and proceed to sign up for an account.
Step 2. Next, log in to the same account on the remote computer.
Step 3. On your primary computer, select the desired remote computer and click on "One-click control".
Step 4. You can now securely access the remote computer. To unlock additional remote management features of AnyViewer, consider upgrading your account.
In conclusion, adding a domain user to the Remote Desktop group can be efficiently achieved through various methods. This post detailed three tested ways: using Group Policy Object (GPO), PowerShell, and Command Prompt. Each method offers a reliable approach to manage remote access permissions securely.
For an even more streamlined and secure solution, consider using AnyViewer, which provides robust features such as encryption, two-factor authentication, and advanced role management. This ensures a secure and efficient remote access environment, enhancing overall productivity and security in remote work settings.
