How to enforce RD via GPO?
I was facing a little situation this week. We have Terminal Servers (TS) with a TS Licensing Server (TSLS), and it works fine: all the settings have been configured properly so that the users who need it can access it from outside, and so on.
But I wanted to let users reach their Windows XP boxes (WinXP), i.e. their own WinXP desktop, from another location through the gateway, and I thought enabling Remote Desktop (RD) and allowing access to their desktop would be less tricky.
First I created a GPO with two settings:
1. Allow users to connect remotely using Terminal Services, from Computer Configuration > Administrative Templates > Windows Components > Terminal Services
2. The log-on right for the right groups, from Computer Configuration > Windows Settings > Local Policies > User Rights Assignment
But this did not do much, and gave me a nice error message when authorized users tried to log on: "you do not have access to logon this session".
This meant that the users could open a TS session to the WinXPs but could not log on.
So if you want to avoid this little embarrassment, please follow these steps (III being my mistake):
I. Locate the OU that contains the Windows XP computers and create a Group Policy object.
II. Configure the Remote Desktop policy setting:
1. In the Group Policy object, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then expand Terminal Services.
2. Double-click the “Allow users to connect remotely using Terminal Services” policy.
3. Set the policy to Enabled, and then click OK.
III. Moreover, if you want to specify a group of users who can RDP to the Windows XP workstations, follow the steps below:
1. In Active Directory Users and Computers, create a Global group containing the users.
2. Locate the OU that contains the Windows XP computers and open the related Group Policy object.
3. Right-click Restricted Groups (under Computer Configuration\Windows Settings\Security Settings\Restricted Groups), and then click Add Group.
4. Type “Remote Desktop Users”, click Add, and then click OK. (Note: do not click Browse to browse for the group.)
5. Right-click the Remote Desktop Users group, and then click Properties.
6. To the right of the “Members of this group” box, click Add, and then click Browse.
7. Locate the group that you created and add it. After you do so, close the Group Policy object.
8. On the domain controller, at a command prompt, type “gpupdate /force”, and then press ENTER to refresh the policy.
Note: The original members of the Remote Desktop Users group on the Windows XP clients will be overridden. Again, this is another simple option that screws things up. Always.
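Steps I to III as a script, as an added example (it is not the blog author's procedure or code): it assumes a management host with the RSAT ActiveDirectory and GroupPolicy PowerShell modules, and the OU, group and GPO names it uses are placeholders to replace with your own. The Restricted Groups part (steps III.3 to III.7) has no cmdlet and stays in the Group Policy editor; the script covers the group, the GPO and its link, the Remote Desktop policy setting, and a check that the setting actually landed in the GPO.

```powershell
# Added example, not from the original post: scripted version of steps I-III for a
# management host with the RSAT ActiveDirectory and GroupPolicy modules.
# Every name below is an assumption; adjust it to your own domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$XpOuDn    = "OU=WinXP Workstations,DC=example,DC=com"  # assumed OU holding the XP boxes
$GroupOuDn = "OU=Groups,DC=example,DC=com"              # assumed container for the new group
$GroupName = "RDP-WinXP-Users"                          # assumed global group (step III.1)
$GpoName   = "WinXP - Allow Remote Desktop"             # assumed GPO name (step I)
$TsKey     = "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

# Step III.1: the global group whose members may RDP to the XP workstations.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOuDn
}

# Step I: create the GPO if it is missing, then link it to the OU of the XP computers.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = (Get-GPInheritance -Target $XpOuDn).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $XpOuDn -LinkEnabled Yes | Out-Null }

# Step II: "Allow users to connect remotely using Terminal Services" = Enabled.
# That administrative template setting writes fDenyTSConnections = 0 under the
# Terminal Services policy key, so set the registry-based policy directly.
Set-GPRegistryValue -Name $GpoName -Key $TsKey -ValueName "fDenyTSConnections" `
    -Type DWord -Value 0 | Out-Null

# Steps III.3-7 (Restricted Groups -> "Remote Desktop Users" -> Members of this group)
# have no GroupPolicy cmdlet; do them in the Group Policy editor as described above.

# Check: confirm the policy value is really in the GPO before clients refresh it.
$setting = Get-GPRegistryValue -Name $GpoName -Key $TsKey -ValueName "fDenyTSConnections"
if ($setting.Value -ne 0) { throw "fDenyTSConnections is not 0 in GPO '$GpoName'" }

# Export a report of the whole GPO, including the Restricted Groups entry once you
# have added it, so the change can be reviewed before the next gpupdate.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"
```

After `gpupdate /force` on an XP client, `net localgroup "Remote Desktop Users"` run locally on that client should list only the domain group, which is the "overridden" effect the note above warns about: the "Members of this group" setting of Restricted Groups replaces the existing local membership. If you need to keep the accounts already in the local group, the usual alternative is to add your domain group itself as the Restricted Groups entry and fill in its "This group is a member of" box with Remote Desktop Users; that form adds the group to the local membership instead of replacing it.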


kempozone said:
I'm sure many of you are like me and one of the first things you do in the morning is head here and check out the new post. Along with seeing the new posts, I'm also always checking out the blog roll rss feed and watching them grow, or shrink sometimes. In one of my past …but all in all excellent site. Keep it up!