Enable Remote Desktop Assistance GPO

On the domain controller, open the group policy management tool.

Create a new group policy.

Enter a name for the new group policy.

In our example, the new GPO was named: MY-GPO.

On the Group Policy Management screen, expand the folder named Group Policy Objects.

Right-click your new Group Policy Object and select the Edit option.

On the group policy editor screen, expand the Computer configuration folder and locate the following item.

Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections

Access the Connections option.

Enable the option named Allow users to connect remotely by using Remote Desktop Services.

Optionally, access the Security folder to enable Network Level Authentication.

Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security

Enable the option named Require user authentication for remote connections by using Network-level authentication.

To save the group policy configuration, you need to close the Group Policy editor.

Congratulations! You have finished the GPO creation.
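To confirm on a target computer that the GPO landed and that Remote Desktop is not enabled without Network Level Authentication, the check below reads the registry values those two policy settings write (`fDenyTSConnections` and `UserAuthentication`). It is an added example, not part of the original walkthrough; the function name `Test-RdpPolicy` is hypothetical.

```powershell
# Added example: run on a computer in scope of the GPO, after "gpupdate /force".
function Test-RdpPolicy {
    # Policy-backed settings land under the Policies hive, not under
    # HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # A missing value means the setting is "Not Configured" for this machine.
    $deny = $p.fDenyTSConnections   # 0 = "Allow users to connect remotely" is Enabled
    $nla  = $p.UserAuthentication   # 1 = "Require ... Network Level Authentication" is Enabled

    $finding =
        if ($null -eq $deny) { 'RDP policy not configured here (GPO not applied or setting not set)' }
        elseif ($deny -eq 1) { 'RDP connections denied by policy' }
        elseif ($nla -eq 1)  { 'OK: RDP allowed and NLA enforced by policy' }
        else                 { 'RDP allowed by policy but NLA is NOT enforced by policy' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RdpAllowedByPolicy  = ($deny -eq 0)
        NlaRequiredByPolicy = ($nla -eq 1)
        Finding             = $finding
    }
}

Test-RdpPolicy | Format-List
```

A machine that reports RDP allowed without NLA enforced received the Connections setting but not the optional Security setting.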

JimRyan-3168 asked Apr 25, '21 | FanFan-MSFT commented May 4, '21

I would like to configure the entries needed to create a GPO for my domain (Server 2012) that will allow me to do remote administration of the computers (Computer Management) from my own computer. So to put it another way, I want to be able to open Computer Management on my machine, and, while connected to the VPN, do a "connect to another computer" and be able configure devices and such. It seems I can do it with some computers and not others. So I want to create the GPO's necessary to have them all set up the same way. I am the domain admin.

Thanks.


Hi,

Was the GPO applied successfully? Please use gpresult /h report.html to verify. If everything is OK, then there is no need to worry about it. The "Allow Remote Assistance connections to this computer" checkbox is not associated with the "Offer remote assistance" policy; it's associated with the Solicited Remote Assistance policy.

Reference: How to configure a computer to receive Remote Assistance offers in Windows Server 2003 and in Windows XP

//support.microsoft.com/kb/301527

How to use the "Offer Remote Assistance" policy setting

//support.microsoft.com/kb/308013

Remote Assistance Overview

//technet.microsoft.com/en-us/library/cc753881(WS.10).aspx

Regards,
Cicely

Now head over to Group Policy Management. There are two ways you can approach this portion. You can either add this policy into your Default Domain Policy so it applies to everybody on the domain or just create a new GPO and set it wherever you'd like. I'll leave that decision up to you.

To set this policy, open up your GPO and navigate to Computer Configuration > Administrative Templates > System > Remote Assistance. In this directory you will find a policy called "Configure Offer Remote Assistance", which is the policy we want to open up and edit.

Set this policy to ENABLED and then in the options, choose "Allow helpers to remotely control the computer" and then choose your security group from the first step.

Click OK and exit out of the GPO.

Picture this: you just set up a remote site and now you find yourself having to support servers (or users) you can't physically get to. Since walking to their desk is not an option, you need to figure out how to enable Remote Desktop via Group Policy so it gets applied to machines at that site. Today, that's exactly what I'm going to show you how to do.

Enable Remote Desktop via Group Policy

The biggest problem you could potentially face is not having permission to modify any GPOs. I'm going to assume you have the permissions, so we'll just continue on with a bullet list that's easy peasy for you to understand.

  • Open up Group Policy Management Console (GPMC).
  • Create a New Group Policy Object and name it Enable Remote Desktop.
  • Navigate to: Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Inbound Rules and create a New Rule.
  • Select Port in the New Inbound Rule Wizard.
  • Select TCP and enter 3389 under Specific local ports.
  • Allow the Connection and only select Domain and Private Profiles.
  • Name this rule – Inbound Rule for RDP Port 3389

Now that we have added the local ports, we’ll need to enable the Remote Desktop Session Host policies.

  • Go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections
  • Set Allow users to connect remotely by using Remote Desktop Services to Enabled.

  • Now we're going to enable Network Level Authentication. This is highly recommended and has many security advantages. However, that's out of the scope of this article so I won't go into the details now.
  • Go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security
  • Set Require user authentication for remote connections by using Network Level Authentication to Enable.

  • Last but certainly not least, we need to apply the newly created GPO to an Organizational Unit so it actually works.
  • Close out of GPMC.  There aren’t any more settings to configure.
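The same GPO can be built from PowerShell, which makes the settings repeatable and easy to review. This is an added example, not the author's own script: it assumes the GroupPolicy and NetSecurity modules are available (GPMC/RSAT installed), that you have rights to create and link GPOs, and that `OU=RemoteSite,DC=example,DC=com` is replaced with your real OU (it is a placeholder).

```powershell
# Added example: scripted form of the bullet list above.
Import-Module GroupPolicy

$GpoName  = 'Enable Remote Desktop'             # GPO name from the steps above
$RuleName = 'Inbound Rule for RDP Port 3389'    # rule name from the steps above
$TargetOu = 'OU=RemoteSite,DC=example,DC=com'   # PLACEHOLDER: OU to link the GPO to
$TsKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Firewall rules inside a GPO are addressed as "<domain FQDN>\<GPO name>".
$store = "$($gpo.DomainName)\$GpoName"
$rule  = Get-NetFirewallRule -PolicyStore $store -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    # TCP 3389 inbound, Domain and Private profiles only (never Public).
    New-NetFirewallRule -PolicyStore $store -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -Action Allow -Profile Domain, Private | Out-Null
}

# "Allow users to connect remotely by using Remote Desktop Services" = Enabled
Set-GPRegistryValue -Name $GpoName -Key $TsKey -ValueName 'fDenyTSConnections' `
    -Type DWord -Value 0 | Out-Null
# "Require user authentication ... by using Network Level Authentication" = Enabled
Set-GPRegistryValue -Name $GpoName -Key $TsKey -ValueName 'UserAuthentication' `
    -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU; an existing link raises an error that is safe to ignore.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Read the settings back from the GPO for review.
Get-NetFirewallRule -PolicyStore $store -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
Get-GPRegistryValue -Name $GpoName -Key $TsKey | Select-Object ValueName, Value
```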
