Group Policy for Remote Desktop Users

Hi,
Currently my users use desktops and have user and computer GPOs applied (typical things like logon scripts etc.) at the OU level where they reside e.g. Finance Users, Sales Users etc.
I am planning a Remote Desktop 2012 environment.
I have read the following:
TechNet cc779327
So, my understanding is that I create a new OU for my Remote Desktop Server only (not users), and create a new security Group for my RD Users and a security group for my RD server.
Remote Desktop Servers OU
    * RD User GPO (filter on RD User security group and RD Computer security group)
    * RD Computer GPO (filter on RD User security group and RD Computer security group)
I then apply all computer settings to the RD Computer GPO (loopback processing, Windows installer, hide shortcuts etc.).
I then apply all user settings to the RD User GPO (app specific, templates etc.)
Why not consolidate the two GPOs into one?
If I set computer settings in the computer GPO, and apply it as above to filter to the RD Server group and RD Users group, will this apply to only users in the RD User group...or ALL users, since I added the server to the filter?
If a user currently gets a setting in their normal OU e.g. Finance logon script, will they still get it on the Remote Desktop? Or do I need to copy that GPO setting to my new RD User GPO also?
Am I right to add both RD Server and RD User groups to the filter on both RD User and RD Computer GPOs?
Loopback processing - merge or replace typically for Remote Desktop?

Hi,
Thank you for posting in Windows Server Forum.
Create an OU for the RDS server in Active Directory. Create a security group for users who will use the Remote Desktop Session Host (i.e. RDS Users). Create a GPO (i.e. RDS Server Lock Down). In Security Filtering delete Authenticated Users, and add the RDS server account and the security group created in the previous step.
Please check the articles beneath; they might be useful for a better understanding.
Lock Down Remote Desktop Services Server 2012
How to secure your remote desktop server with GPO
Hope it helps!
Thanks,
Dharmesh
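As an added example (not part of the thread and not Microsoft's own script), the layout from the reply above built with the ActiveDirectory and GroupPolicy modules. The domain DC=corp,DC=example, the OU name, the group names, the GPO name and the host name RDSH01 are assumptions. Two points a practitioner would want are added: loopback processing is set explicitly (merge or replace), and Authenticated Users keeps Read when it loses Apply, which is required since update MS16-072 (KB3163622) because user settings are read in the computer's security context.

```powershell
# Added example, not from the thread: builds the OU / groups / GPO layout from the reply.
# Assumed names: domain DC=corp,DC=example, OU "Remote Desktop Servers", groups "RDS Users"
# and "RDS Servers", GPO "RDS Server Lock Down", session host RDSH01. Run as a Domain Admin
# on a host with RSAT (ActiveDirectory and GroupPolicy modules).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = 'DC=corp,DC=example'          # assumption
$ouName    = 'Remote Desktop Servers'
$ouDN      = "OU=$ouName,$domainDN"
$userGroup = 'RDS Users'                    # accounts allowed to log on to the session hosts
$hostGroup = 'RDS Servers'                  # computer accounts of the session hosts
$gpoName   = 'RDS Server Lock Down'
$rdsHost   = 'RDSH01'                       # assumption: one session host

# 1. OU that holds only the session host computer objects; users stay in their own OUs.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

# 2. One security group for the users, one for the session host computer accounts.
foreach ($g in $userGroup, $hostGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ouDN
    }
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer -Identity $rdsHost)
Get-ADComputer -Identity $rdsHost | Move-ADObject -TargetPath $ouDN

# 3. The GPO, linked only to the session host OU.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Computer and user lockdown for RD Session Hosts' | Out-Null
}
$links = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $links) { New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null }

# 4. Security filtering: Authenticated Users loses Apply but keeps Read; both groups get Apply.
#    Read must stay: since MS16-072 (KB3163622) user settings are fetched in the computer's
#    security context, so the host's computer account has to be able to read the GPO.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
foreach ($g in $userGroup, $hostGroup) {
    Set-GPPermission -Name $gpoName -TargetName $g -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# 5. Loopback processing, so the GPO's user settings apply to whoever logs on to the hosts.
#    UserPolicyMode 1 = Merge: the user's own OU GPOs still apply, then this GPO wins on conflicts.
#    UserPolicyMode 2 = Replace: only user settings from GPOs linked at the computer's OU apply.
$loopbackMode = 1
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value $loopbackMode | Out-Null

# 6. One computer-side setting as an example: keep Remote Desktop connections enabled.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'fDenyTSConnections' -Type DWord -Value 0 | Out-Null

# 7. Verify: who the GPO applies to, and a full settings report to review.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission | Format-Table -AutoSize
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $env:TEMP 'rds-lockdown.html')
```

Security filtering is evaluated per object: the computer settings of a GPO apply only to computers that hold Apply, the user settings only to users that hold it, so one GPO filtered on both groups is enough and a split into two GPOs is a matter of taste. With merge (mode 1) a user still receives the GPOs of their own OU, such as a Finance logon script, with the session host GPO applied last; with replace (mode 2) only user settings linked at the session host OU apply, so anything the user needs on the host has to be copied there. After running it, `gpresult /r /scope:user` on the host shows which user GPOs actually applied.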

Similar Messages

  • Remote Desktop Service Manager - configure permissions for Remote Desktop Users to Send Message, Disconnect, Logoff

    Hello, dear colleagues.
    We are using Windows Server 2012 R2 as a Remote Desktop Server. We also use Windows Server 2008 R2 with Remote Desktop Service Manager to control RDS user sessions (Send Message, Disconnect, Logoff, Query Info).
    The Send Message, Disconnect and Logoff options work only for users in the Administrators group.
    I can't configure permissions for Remote Desktop Users, a specific user or an AD group.
    To set permissions I'm running RDS Host Configuration on Windows Server 2008 R2 and connecting to Windows Server 2012 R2. Then I double-click RDP-Tcp, Security tab, add a specific user account or AD group, or configure advanced permissions for Remote Desktop Users.
    But, as I said above, these options work only for users in the Administrators group. How do I make it work for Remote Desktop Users or a specific user or AD group?
    Thanks.
    P.S. If I move a specific user from the Remote Desktop Users group to the Administrators group on Windows Server 2012 R2, it works.

    Hi,
    You can prevent administrators from changing the permissions for a connection by applying the Do not allow local administrators to customize permissions Group Policy setting.
    This Group Policy setting is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
    Apart from that, there is one command with which you can set the permission; for that, check the related article. Additionally, check this thread for more detail.
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • NISPOM Tool reports groups "Guests" and "Remote Desktop Users" have excessive privileges - remediation?

    Greetings,
    I'm running a security tool DISA provides and it's reporting the following on my XP box:
    "This group has privileges associated with it that may allow anonymous access to the system."
    The group is:
    "Guests"
    I've already disabled the Guest account, however the account isn't the same thing as the group, so how does one go about limiting anonymous privileges associated with the group?

    Remove the Guest account from any group it is a member of.
    You can also use Restricted Groups policy to remove group membership on multiple computers at once.

  • How I can disable Firefox from browsing Local drives of servers for remote desktop users in Windows Server 2008 R2 SP1??

    Hi ..
    Recently I came across a security hazard in Firefox. It displays the C and D drive contents when "C:\" or "D:\" is typed in the browser address bar. Is there any workaround for restricting domain users from doing this in Firefox 12?
    Thanks

    Hiya,
    It could sound like that one indeed. There are a few options to go for, however it should be fairly easy to find out :)
    Create a test GPO and apply to a limited amount of users. GPUpdate and verify that the GPO has been applied using rsop.msc
    Then open the application to test and see if it has the desired effect. You might need to change more than one setting, depending on the application and desired behavior.

  • Allow log on through Remote Desktop Services Group Policy for Domain Controllers

    Hello,
    We want to allow our Helpdesk Operators to be able to connect to Domain Controllers with Remote Desktop Services. This is not allowed by default, but according to many sites it should be possible to configure by using a Group Policy.
    We made a new Group Policy with the settings 'Allow log on through Remote Desktop Services' and 'Allow log on locally' (as an extra for testing) and applied Security Filtering to only use it for a specific Security Group. Our test user is a member of this security group and should be able to access the Domain Controllers now. However this isn't working.
    The error message we receive upon trying to connect:
    The connection was denied because the user account is not authorized for remote login.
    For troubleshooting, we also applied the Security Group for that setting in the Default Domain Controllers Policy but that doesn't seem to work either. We want to avoid customization on our Default Domain Controllers Policy but this was just a test case
    for solving our problem.
    What should we do to solve our problem?
    I hope to hear from you soon.
    Thanks in advance.

    Hi, I just found out what the problem was. This site helped me a lot:
    http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
    In my case, I had the group added to Allow Logon Through Remote Desktop Services but it was not added to the Builtin\Remote Desktop Users group. After learning this I made some changes to our situation and am now using the Builtin\Remote Desktop Users group rather than a new self-made Security Group. I also added Remote Desktop Users to Allow Logon Through Remote Desktop Services in the Default Domain Controllers Policy, as this is not done by default. By default only the Domain Administrators are able to log on through Remote Desktop Services.
    You do not need the 'Log on Locally' permission within the Group Policies.
    In short:
    Add the desired users/groups to the 'Builtin\Remote Desktop Users' security group.
    Add the 'Builtin\Remote Desktop Users' security group to the 'Allow Logon Through Remote Desktop Services' within the 'Default Domain Controllers Policy'.
    Thank you anyway for the fast reply.
    Have a nice day!

  • Can't change search options in Outlook 2007 on Windows Server 2008R2 Remote Desktop Users

    One of my users is trying to change search options in Outlook 2007.
    But he can't change the search options.
    He is working with Outlook 2007 on Remote Desktop Services 2008 r2.
    We don't use cached mode on the terminal server.
    Any suggestion how we can enable search options for Remote Desktop users?

    Hi Roel,
    Thank you for posting in Windows Server Forum.
    To customize Instant Search options by using Group Policy:
    - In Group Policy, load the Office Outlook 2007 template (Outlk12.adm).
    - To customize how results are displayed, under User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options\Preferences\Search Options, double-click the setting that you want to set. For example, double-click Turn off wordwheel.
    - Click Enabled. For hit highlighting color, choose a color from the Background Color drop-down list.
    - Click OK.
    More information.
    Configure Instant Search options in Outlook 2007
    http://technet.microsoft.com/en-in/library/cc178983(v=office.12).aspx
    In addition, perform below steps to edit the registry key and check.
    Step 1: Open the Registry Editor application.
    Step 2: In the Registry Editor, click the Edit menu and select Find. Type PreventIndexingOutlook in the search field and click Find Next.
    Step 3: Right click PreventIndexingOutlook and select Modify. Change its Value data to 0 and click OK.
    Step 4: Search again by clicking the Edit menu and select Find. Type SetupCompletedSuccessfully in the search field and click Find Next. Locate this key.
    Step 5: Right click the SetupCompletedSuccessfully key and select Modify. Change its Value Data to 0 and click OK.
    Step 6: Restart your computer and you will now be able to perform advanced searches in Microsoft Outlook.
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Configuring group policy for user profiles in Windows Server 2012 R2 Domain

    Requesting some experts advise on configuring group policy for user profiles.
    We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
    The settings I am concerned with:
    1. Folder Redirection: Desktop, Documents, Favorites.
    2. Quota for Folder Redirection - 1 GB per user.
    3. Map a networked drive - 1 GB per user.
    4. Roaming profile - (Will ignore if it does not suit our requirement). 
    The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
    FYI, E-mails hosted on MS Office365 and OST file size of few users more than 25GB. So, in case the user moves from one computer to other, the entire mailbox will be downloaded via internet. This consumes high bandwidth if more than 3-4 users shift per day.
    Thanks a lot for your valuable time and efforts.

    Hi,
    >>The question is how outlook profile will be retained / automatically moved if the users move from once computer to other?
    This depends on where our Outlook data files are stored. If these data files are stored under drive:\Users\<username>\AppData\Local, then these files can’t be redirected, for Folder Redirection can’t redirect AppData\Local or LocalLow.
    However, regarding your question, we can refer to the following thread to find the solution.
    Roam outlook profiles without roaming profiles
    http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
    In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
    Configuring Folder Redirection
    http://technet.microsoft.com/library/cc786749.aspx
    Hope it helps.
    Best regards,
    Frank Shen

  • Windows 2008 R2 Standard Remote Desktop Users cannot Connect

    I have a Windows 2008 R2 Standard Terminal Server and some users aren't able to connect even though they are in groups that are in Remote Desktop Users on the local computer. I checked the local security policy setting "Allow log on through Remote Desktop Services" and I see that Remote Desktop Users is a member of this group. Inside of Remote Desktop Users we have DOMAIN\Domain Users and DOMAIN\Terminal Users. Most of our users are in both groups, but there are still some people that aren't able to connect via Remote Desktop to this computer. There are no users in "Deny logon through Terminal Services."
    Thanks!

    Hi,
    Thank you for posting in Windows Server Forum.
    Does it happen to all users or to a particular group of users?
    Please check by creating a new user, adding them to the “Remote Desktop Users” group, and then seeing whether that test user can Remote Desktop to the server.
    It might also be that you are limited in the number of users, or there is some connection issue, or maybe a firewall setting issue. Please go through the article beneath for information.
    Remote Desktop disconnected or can’t connect to remote computer or to Remote Desktop server (Terminal Server) that is running Windows Server 2008 R2
    http://support.microsoft.com/kb/2477176
    Hope it helps!
    Thanks.
    Dharmesh Solanki
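The two threads above ("Allow log on through Remote Desktop Services" on Domain Controllers, and users in Remote Desktop Users who still cannot connect) fail on the same pair of conditions: the user must end up in a local group that is granted the "Allow log on through Remote Desktop Services" user right (SeRemoteInteractiveLogonRight), and must not be matched by the Deny right, which wins. The following is an added example, not from either thread and not a Microsoft tool, that checks both for one domain user on the host itself. It needs the ActiveDirectory module; the user name CORP\jdoe is an assumption.

```powershell
# Added example, not from the thread: on an RD Session Host or DC, check both conditions that
# must hold for one domain user to log on through Remote Desktop: membership (via any nested
# domain group) of a local group that holds SeRemoteInteractiveLogonRight, and no match on
# SeDenyRemoteInteractiveLogonRight. Run elevated on the host; needs the ActiveDirectory module.
Import-Module ActiveDirectory
$Sam = 'jdoe'                                         # assumption: user to check

# 1. Everything the user's token carries from the domain: account, nested groups, primary group.
$nb = (Get-ADDomain).NetBIOSName
$u  = Get-ADUser -Identity $Sam -Properties primaryGroupID
$dn = $u.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
# LDAP_MATCHING_RULE_IN_CHAIN returns every group the user is in, however deeply nested
$nested  = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
           ForEach-Object { "$nb\$($_.SamAccountName)" }
$primary = Get-ADGroup -Identity "$($u.SID.AccountDomainSid)-$($u.primaryGroupID)"   # usually Domain Users
$principals = @("$nb\$Sam", "$nb\$($primary.SamAccountName)", 'NT AUTHORITY\Authenticated Users', 'Everyone') + @($nested)

# 2. Local group membership as the WinNT provider sees it (also works on 2008 R2, which has
#    no Get-LocalGroupMember; on a DC these are the Builtin groups).
function Get-LocalGroupMemberNames([string]$Group) {
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $p = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($p -replace '^WinNT://', '') -replace '/', '\'      # WinNT://CORP/Sales -> CORP\Sales
    }
}
$grantedVia = @()
foreach ($lg in 'Remote Desktop Users', 'Administrators') {
    $members = @(Get-LocalGroupMemberNames $lg)
    $hit = @($principals | Where-Object { $members -contains $_ })
    if ($hit) { $grantedVia += "BUILTIN\$lg"; "$Sam is in local '$lg' via: $($hit -join ', ')" }
}

# 3. User rights, exported from the local security database (SIDs come back as *S-1-...).
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $right = $matches[1]; $entries = $matches[2] -split ','
    $rights[$right] = @(foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            try { ([Security.Principal.SecurityIdentifier]$e.Substring(1)).Translate([Security.Principal.NTAccount]).Value }
            catch { $e }                                   # unresolvable SID: keep it raw
        } else { $e }
    })
}
Remove-Item $cfg -Force

# 4. Verdict: an explicit Deny always beats Allow.
$token = $principals + $grantedVia
$allow = @($rights['SeRemoteInteractiveLogonRight']     | Where-Object { $token -contains $_ })
$deny  = @($rights['SeDenyRemoteInteractiveLogonRight'] | Where-Object { $token -contains $_ })
if     ($deny)  { "DENIED: $($deny -join ', ') is listed under 'Deny log on through Remote Desktop Services'" }
elseif ($allow) { "ALLOWED via: $($allow -join ', ')" }
else            { "NOT ALLOWED: nothing in the token holds SeRemoteInteractiveLogonRight. Add the user's group to " +
                  "local 'Remote Desktop Users' and grant that group the right (on DCs: Default Domain Controllers Policy)." }
```

A user who is in Domain Users but not in any of the listed groups, or who is matched by the Deny right through some other group, is exactly the case from the "some users cannot connect" thread; the output names the group that grants or blocks the logon, so the fix can be made in the right place instead of by trial and error.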

  • Remote desktop users lost overnight on windows server 2008 R2

    We set up a group in active directory to allow certain users access to this Virtual Machine.
    I am able to go into the Remote Users of the VM and add this group from Active Directory.
    Every morning I have to re-add this group as it has gone at some point. There is nothing I can see that would cause this.
    Would anyone have any suggestions?
    Thank you,

    Hi,
    According to your description, it seems that the domain Users added in the remote desktop users group disappeared after the reboot, right? What are the operating systems of the clients and server?
    In addition, you can try to add domain users to the Remote Desktop Users Group via Group Policy to see if the issue persists. For more detailed information, please refer to the link below:
    How to add "Domain Users/Group" to Remote Desktop Users group on Servers using Group Policy?
    Best regards,
    Susie

  • My remote Desktop Users service is disabled

    Dear all,
    I need your help. I have a Windows Server 2008 and when I restart I get my "allow users remote desktop" disabled, and when I change it and then restart I get it disabled again. I suspected there is a GPO that is doing that, but when I run gpresult I did not get any GPO changing the local group policy. Then I suspected that there is a startup script that is doing changes to the registry, but still nothing.
    I really want to know what's making this policy disabled.
    thank you  

    Hi,
    Please try to use rsop.msc to see whether the following policy settings are configured correctly. For details:
    Allow users to connect remotely using Remote Desktop Services
    ===========================================
    1. Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections -> Allow users to connect remotely using Remote Desktop Services
    Restricted Groups
    ==========
    1. Computer Configuration -> Policies -> Windows Settings -> Security Settings
    2. Right-click Restricted Groups, and then click Add Group.
    3. Click Browse, add Remote Desktop Users, click OK.
    4. Add the members you want.
    Allow log on through Terminal Services (RDS on DC)
    ==========================
    Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on through Terminal Services
    Hope this helps!
    Best Regards
    Elytis Cheng
    TechNet Community Support
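The "Allow users to connect remotely using Remote Desktop Services" setting from the reply is a registry policy, so rather than hunting through gpresult output the GPO that keeps flipping it can be found by querying every GPO for that registry value. The script below is an added example (not from the thread, not a Microsoft tool); it needs the GroupPolicy module and assumes no names, since it searches all GPOs in the domain.

```powershell
# Added example, not from the thread: find what keeps "Allow users to connect remotely using
# Remote Desktop Services" disabled. The setting is the registry policy value
# HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections (1 = deny,
# 0 = allow). Part 1 searches every domain GPO for it; part 2 shows what this host currently
# enforces and which GPOs applied at the last refresh. Needs the GroupPolicy module (RSAT).
Import-Module GroupPolicy
$policyKey   = 'HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services'   # GPO-side form
$policyKeyPS = 'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services'  # provider form
$valueName   = 'fDenyTSConnections'

# 1. Every GPO in the domain that sets this value, with its status and link locations.
function Find-GpoRegistryPolicy([string]$Key, [string]$ValueName) {
    foreach ($gpo in Get-GPO -All) {
        $v = Get-GPRegistryValue -Guid $gpo.Id -Key $Key -ValueName $ValueName -ErrorAction SilentlyContinue
        if (-not $v) { continue }
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | ForEach-Object { "$($_.SOMPath) (enabled=$($_.Enabled))" })
        $linkedTo = if ($links.Count) { $links -join '; ' } else { '(not linked anywhere)' }
        [pscustomobject]@{
            GPO       = $gpo.DisplayName
            Value     = $v.Value              # 1 = connections denied
            GpoStatus = $gpo.GpoStatus        # e.g. AllSettingsEnabled, ComputerSettingsDisabled
            LinkedTo  = $linkedTo
        }
    }
}
Find-GpoRegistryPolicy -Key $policyKey -ValueName $valueName | Format-Table -AutoSize

# 2. What this host enforces right now: the policy value (which wins when present) and the
#    machine's own setting, then the GPOs applied to the computer (run elevated for /scope:computer).
$policy  = Get-ItemProperty -Path $policyKeyPS -Name $valueName -ErrorAction SilentlyContinue
$machine = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name $valueName
$policyValue = if ($policy) { $policy.$valueName } else { '(not set by policy)' }
[pscustomobject]@{
    PolicyValue  = $policyValue
    MachineValue = $machine.$valueName
}
# gpresult also lists the local GPO, which Get-GPO -All does not cover.
gpresult /scope:computer /r | Select-String -Pattern 'Applied Group Policy Objects' -Context 0, 8
```

If part 1 finds nothing but PolicyValue is 1 after a reboot, the source is not a domain GPO: check the local GPO (gpedit.msc, same path as in the reply) and any startup script or scheduled task that writes under the Policies key, since a value under HKLM\Software\Policies is re-applied at every policy refresh and overrides the machine setting.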

  • Maximum number of monitors used for remote desktop not working correctly

    My goal is to connect from my home to my work machine but limit the number of monitors used to 2.
    At work, I have a machine running Windows 7 Enterprise SP1 with dual monitors. My home machine is Windows 8.1 Pro and it has 3 monitors (on two video cards).
    I followed the instructions of the MSDN blog post about using multiple monitors for remote desktop but cannot get it to work right.
    Here's what I see when I modify the group policy setting "Limit maximum number of monitors" on the target (work) machine:
    Setting - Result:
    1 - 1
    2 - 1 (???)
    3 - 3
    It looks like I can't limit the number of monitors used to 2, I get either one or all. Am I missing something or is this by design?
    Max

    Hi Max,
    Support for multiple monitors is available when connecting from any Windows 7/8.1 computer; however, there are restrictions when connecting to a computer using multi-monitor mode. When connecting to Windows 7 computers, only computers that are running Windows 7 Enterprise or Ultimate can be connected to in multi-monitor mode. When connecting to Windows 8.1, only computers that are running Windows 8.1 Professional or Enterprise can be connected to in multi-monitor mode.
    Karen Hu
    TechNet Community Support

  • How to programmatically manage Remote Desktop Users?

    Hi,
    I want to know if there exists a method to programmatically set/get the Remote Desktop Users list, such as add/remove a user and so on.
    Thank you all in advance
    Best Regards
    Antonino

    Hi,
    first of all, I want to thank you for reply. But, what I'm looking for is to programmatically view the list of the users for the Remote Desktop Control. With Remote Desktop Control I mean the way I let some other users over the network to operate with my own desktop in Windows XP (that is what you find in system->properties->remote desktop->advanced...and so on).
    Antonino

  • Can we implement site catalyst for Remote desktop app like MS dynamics NAV?

    Can we implement site catalyst for Remote desktop app like MS dynamics NAV?
    please throw some insight

    Hi,
    Thank you for posting in Windows Server Forum.
    Does this happen for this particular application?
    For a test you can publish Notepad\WordPad as a RemoteApp and check whether you face the same issue. Please check the result and let us know. If it’s working normally then it seems there is some configuration issue with the MS Dynamics app.
    Does this happen for all users or specific users?
    Which version of the RDP client are you using on the client system?
    Try to install RDP 8.1 for better features.
    Update for RemoteApp and Desktop Connections feature is available for Windows
    http://support.microsoft.com/kb/2830477
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Updates for Remote Desktop via App Store Software Update

    Hello, and Happy Thanksgiving. On a computer running Mavericks, I installed Apple Remote Desktop 3.5 from the disk (not from the App Store.) On its first startup, I was greeted with the message "The Remote Desktop Administrator software must be upgraded on this computer." I downloaded and installed the 3.7 update manually from http://support.apple.com/kb/dl1565. However, I view this as a "Band-Aid", and not a fix. How would I receive future updates for Remote Desktop from Software Update within the Mac App Store?

    Hi ya.. just to let everyone know Apple UK Senior Tech support are aware of this error message that we are all getting as from today and are on the case....

  • I have a time capsule connected directly to fiber connection. I have connected a windows server directly to TC and configured it for remote desktop connection. From my interanet I can access srvr but not from my home. What config I need on TC?

    I have a time capsule directly connected to a fibre optic point out. All PCs and Macs are connected wirelessly to the internet. I have connected a Windows server PC to the TC. When configured for Remote Desktop Connection, I can access the Windows server from within the interanet but don't know how to access it from the internet. I guess I need to change some settings in the TC to get some IP address for the Remote Desktop Connection from my home. Anyone who can help me out? Appreciate it.
    Narmin

    I am a little lost now.. I have read again your title and your first post.. and they seem inconsistent.
    In the title you state.
    From my interanet I can access srvr but not from my home.
    Interanet is not a word I know.. I assumed intranet...are you talking about internet or intranet? And just to be clear say WAN or LAN.. !! Is your home part of the interanet??
    In the first post you state,
    I can access windows server from within interanet but don't know how to access it from internet.
    Now this is more normal.. the issue is not in the home at all, it is accessible from there but fails from internet. If this is correct, then you can do a few obvious things to determine where the problem is.
    But first I need to know are you actually testing from a different internet connection to your home lan.. you are not just trying the public IP from inside the LAN as that will fail due to the TC not doing NAT Loopback.
    I am also assuming the TC is the only router in the network, and has the public IP on the WAN interface.
    And I am also assuming you have turned on the ping responder and you can actually ping your public ip from the internet and get a response. This helps no end in figuring out where there are issues. Strange but I have no idea if there is a ping responder in the TC WAN so you might need to forward that as well. Also if you have a dynamic public ip address are you using dyndns or no-ip or some other service to connect.
    1. Test bypassing the TC.. plug the internet connection straight into the Windows server, and test if you have access. If yes, the TC is the problem.. if not, your setup on the Windows server is wrong.. look at the firewall in particular.
    2. Assuming from test 1 the TC is the problem, Post the screen shots of the port forwarding setup for us to look at.. that is by far the easiest way to check it out.
    There are lots of references to port forwarding in the TC.. eg
    http://must-know-mac.blogspot.com/2008/07/how-to-port-forward-time-capsule.html
    The things that generally go wrong are firewall on the computer that is accepting the port.
    The ISP doesn't allow connections on a particular port. (not likely in your case)
    The router is behind another router.. double NAT will kill any port forward.
    Upnp has already allocated a port.. not an issue as TC doesn't use upnp although a reboot of everything after you set port forwards is well worth it.. amazing how things don't stick properly without a reboot.
    IP on the receiving device is not static and so changes.
    Not enough or right type of ports are opened. This is always messier than it looks as one port is often not enough for two way communications.
