Enable Remote Desktop Windows 10 from domain controller

What is Remote Desktop Group Policy

Almost all users who are interested in building safe connections between computers on the internet might have heard about RDP or VPN. RDP stands for the Remote Desktop Protocol. It is a network of communications protocol developed by Microsoft, to allow users to connect to another computer.

With RDP, one can connect to any computer that runs Windows. With RDP, you can connect to the remote PC, view the same display and interact as if you are working on that machine locally.

Some instances where you may need to use RDP include;

• When traveling or when on vacation and you need to access your work computer
• When you can’t go to your office due to certain reasons and you still need to fulfill your daily tasks
• When you are a system admin and you need to perform administrative duties on your PC such as computer troubleshooting, tune-up, ID protection setting, printer set-up, software installation, email setup, virus and spyware removal, among others.
• When you need to give a demo and you need to access data from a private device
• When you want to personalize your remote desktop on experiences such as resolution, connection setting, screen setting, toolbar, start menu, icons among others.

How to Enable Remote Desktop Remotely on Windows 10

The easiest way to enable Remote Desktop on the Windows operating system family is to use a Graphical User Interface (GUI). To do this, you need to;

Open the “System” control panel, go to “Remote Setting” and enable the “Allow remote connection to this computer” option in the Remote Desktop section.

However, performing the above process will need local access to the computer on which you want to enable the RD.

By default, remote desktop is disabled in both desktop versions of Windows and in Windows Server.

How to Enable Remote Desktop Remotely Using PowerShell

Suppose you want to remotely enable RDP on Windows Server 2012 R2/2016/2019. Here is the procedure to achieve the same;

1. On your computer, open the PowerShell console and run the following commands to connect to your remote server.Enter-PSSession -ComputerName server.domain.local -Credential domain\administrator.
2. You will have established a remote session with a computer and now you can execute PowerShell commands on it. To enable Remote Desktop, you need to change registry parameter fDenyTSConnections from 1 to 0 on the remote machine. Run the command;Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0
3. When RDP is enabled this way (as opposed to GUI method) the rule that allows remote RDP connections is not enabled in the Windows Firewall rules.
4. To allow incoming RDP connections in Windows Firewall, run the command;Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
5. If for some reason the firewall rule is deleted, you can create it manually using the following commands.netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
6. In case you need to allow secure RDP authentication (NLA – Network Level Authentication) run the command;Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1
7. Now from your computer, you can check the TCP 3389 port on the remote host to see if it has become available. To do so, run the command below’Test-NetConnection 192.168.1.11 -CommonTCPPort RDP.
8. If successful, you should get results similar to what is shown below’

The above results mean RDP on the remote host is enables and you can establish a remote desktop connection using mstsc client.

How to Enable/Disable Remote Desktop Using Group Policy

You can enable or disable remote desktop using group policy. To do so, perform the following steps

1. Search gpedit.msc in the Start menu. In the program list, click gpedit.msc as shown below;
   
2. After Local Group Policy Editor opens, expand Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Connections.
3. On the right-side panel. Double-click on Allow users to connect remotely using Remote Desktop Services. See below;
   
4. Select Enabled and click Apply if you want to enable Remote Desktop. Select Disabled and click Apply if you need to disable it.

Now you will have enabled or disabled remote desktop using group policy

Network Level Authentication NLA on the remote RDP server

Network Level Authentication is a method used to enhance RD Session Host server security by requiring that a user be authenticated to RD session Host Server before a session can be created.

If you want to restrict who can access your PC, you can choose to allow access only with Network Level Authentication (NLA). NLA is an authentication tool used in RDP Server. When a user tries to establish a connection to a device that is NLA enabled, NLA will delegate the user’s credentials from the client-side Security Support Provider to the server for authentication, before creating a session.

The advantages of Network Level Authentication is;

• It requires fewer remote computer resources initially.
• It can provide better security by reducing the risk of denial of service attacks.

To configure Network Level Authentication for a connection, follow the steps below.

1. On the RD Session Host Server, open Remote Desktop Session Host Configuration. To do so, click Start>>Adminstrative Tools1>>Remote Desktop Services>> Remote Desktop Session Host Configuration.
2. Under Connections, right-click the name of the connection and then click Properties.
3. On the General tab, select Allow the connection only from computers running Remote Desktop with Network Level Authentication checkbox
4. Click OK

Note, under step 3, if the “Allow connections only from computers running a remote desktop with network-level authentication” checkbox is not enabled, the “Require user authentication for remote connections by using network-level authentication” Group Policy setting has to be enabled, and has been applied to the RD Session Host Server.

How to Enable Remote Desktop (RDP) Remotely?

Allow users to connect remotely by using Remote Desktop Services

You will also have to allow RDP in the Windows Firewall on the remote Windows 10 computer:

Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

Allow inbound Remote Desktop connections via Group Policy

The only problem is that Group Policy is sluggish, and if you want to log in quickly to a remote machine, it is often not an option. By contrast, on a PowerShell console, you can essentially get the job done with a single command.

Enable Remote Desktop via PowerShell ^

However, there is a catch—actually, two. Windows Firewall might get in your way, and if PowerShell remoting is not enabled on the machine, things can get a bit tricky. I know of two methods to enable Remote Desktop remotely via PowerShell. Which method you use mostly depends on your Windows Firewall configuration.

Let's assume first that PowerShell remoting is enabled on the remote machine. If so, you can simply enable Remote Desktop by modifying a registry key on the remote machine:

We are using Invoke-Command to execute the Set-ItemProperty remotely, which changes the value fDenyTSConnections to 0.

Most likely, Windows Firewall blocks RDP on the remote machine. To open the Remote Desktop port, you can use this PowerShell command:

We are using PowerShell remoting again to execute Enable-NetFirewallRule remotely.

26 Replies

· · ·

Mace

OP

Denis Kelley

This person is a verified professional.

Verify your account to enable IT peers to see that you are a professional.

Try this. I have had to do this sometimes.

http://thebackroomtech.com/2007/05/18/how-to-enable-remote-desktop-on-a-windows-xp-machine-remotely/

0

· · ·

Mace

OP

Sosipater

This person is a verified professional.

Verify your account to enable IT peers to see that you are a professional.

If there is a user at the remote computer you can get connected using join.me and then enable it yourself.

0

· · ·

Serrano

OP

JPo1215 Apr 22, 2011 at 12:01 UTC

Use this script. Works wonders

http://community.spiceworks.com/scripts/show/302-enable-or-disable-rdp-remote-desktop-on-remote-system-vbs

0

· · ·

Mace

OP

Alex3031

This person is a verified professional.

Verify your account to enable IT peers to see that you are a professional.

I think you have all ready been pointed the right way, there are script that will enable RDP on a system as long as you have remote registry access. It looks like a couple of people have pointed you to scripts all ready.

0

· · ·

Jalapeno

OP

chip379811 Apr 22, 2011 at 12:30 UTC

trying the script but it says "make sure you type the right machine name" i have and doesn't work..tried IP, name and nothing

0

· · ·

Chipotle

OP

Kendall

This person is a verified professional.

Verify your account to enable IT peers to see that you are a professional.

did you run the script from your PC at home or the server that you are RDPed into?

0

· · ·

Jalapeno

OP

chip379811 Apr 22, 2011 at 12:54 UTC

Yea from remote location.

0

· · ·

Serrano

OP

Best Answer

Don7478 Apr 22, 2011 at 13:08 UTC

From the onsite computer run Regedit.

In Regedit:
File-->Connect Network Registry

In the 'Select Computer' dialogue make sure that the 'Look In' location is correct(should be your domain if applicable)type in the computer name or IP that you want to connect to then click Ok.

Now expand:
<computername>HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

Once you've opened that key look for fDenyTSConnection

Set it to a value of 0 <--a zero

The computer will have to restart for the change to take effect.

1

· · ·

Serrano

OP

JPo1215 Apr 22, 2011 at 13:41 UTC

is it possible the computer is off or in sleep mode? Can you ping it?

0

· · ·

Jalapeno

OP

chip379811 Apr 22, 2011 at 14:50 UTC

yep it pings.

0

· · ·

Jalapeno

OP

chip379811 Apr 22, 2011 at 14:55 UTC

seems as there's no way i can get to this.

0

· · ·

Serrano

OP

Don7478 Apr 22, 2011 at 15:05 UTC

The registry edit didn't work? What were the results when you tried?
Were you able to get to it's registry?

0

· · ·

Jalapeno

OP

chip379811 Apr 22, 2011 at 15:17 UTC

I was able to type the IP and it took me to the enter username and password. I inserted the right username and password and nothing.

0

· · ·

Jalapeno

OP

chip379811 Apr 22, 2011 at 15:25 UTC

I was able to use the script just fine to my window servers by simply inserting the IP and it gave me the option to enable and disable, but the problem is i am trying to get to a desktop in the office it just doesn't work. I was able to get a ping from the adress.

0

· · ·

Serrano

OP

JPo1215 Apr 22, 2011 at 15:47 UTC

so the script works on the servers, you can ping the desktop which proves connectivity, you can run regedit on the desktop but cant authenticate...

do you have admin rights to the desktop?

0

· · ·

Jalapeno

OP

chip379811 Apr 22, 2011 at 15:51 UTC

I just found out the desktop is not on the domaincontroller, but can still ping..would that have something to do with it?

0

· · ·

Serrano

OP

Don7478 Apr 22, 2011 at 15:53 UTC

Most definitely wold change the permissions required.

0

· · ·

Datil

OP

Cazi Apr 22, 2011 at 16:27 UTC

If the desktop is not on the domain you would need to enter local admin credentials when connecting to the remote registry.

0

· · ·

Serrano

OP

JPo1215 Apr 22, 2011 at 16:34 UTC

ciprian3798 wrote:

I just found out the desktop is not on the domaincontroller, but can still ping..would that have something to do with it?

yes it does.

in that case:

Cazi wrote:

If the desktop is not on the domain you would need to enter local admin credentials when connecting to the remote registry.

+1

0

· · ·

Jalapeno

OP

chip379811 Apr 22, 2011 at 17:17 UTC

i tried and some reason username/password doesn't work.

0

· · ·

Mace

OP

Alex3031

This person is a verified professional.

Verify your account to enable IT peers to see that you are a professional.

ciprian3798 wrote:

i tried and some reason username/password doesn't work.

Might need tobe in the format of PCName\LocalUsername & Password.

0

· · ·

Serrano

OP

RjD Apr 23, 2011 at 14:48 UTC

I have also seen where strangely there were no users in the remote desktop group(including local and domain admins), never was too sure the how or why that one occured i just added them into the group and it worked fine afterwards. another thing is the firewalls may be causing blockages check those settings remotely as well for both port and program access

0

· · ·

Habanero

OP

CE Harden

This person is a verified professional.

Verify your account to enable IT peers to see that you are a professional.

I created this a long time age:

http://community.spiceworks.com/scripts/show/616-enable-remote-desktop-remotelyand you may like:

http://www.lazynetworkadmin.com/knowledgebase-mainmenu-6/2-windows/68-remote-assistance-take-control-without-permission

I make that one a few years back with help from another admin.

0

· · ·

Chipotle

OP

lt.son Apr 25, 2011 at 08:39 UTC

I use Remote Enabler.

It's quick and easy.

http://download.cnet.com/Remote-Desktop-Enabler/3000-2094_4-10572855.html

0

• prev
• 1
• 2
• next

This topic has been locked by an administrator and is no longer open for commenting.

To continue this discussion, please ask a new question.

Group Policy entry to allow remote administration to domain computers

I would like to configure the entries needed to create a GPO for my domain (Server 2012) that will allow me to do remote administration of the computers (Computer Management) from my own computer. So to put it another way, I want to be able to open Computer Management on my machine, and, while connected to the VPN, do a "connect to another computer" and be able configure devices and such. It seems I can do it with some computers and not others. So I want to create the GPO's necessary to have them all set up the same way. I am the domain admin.

Thanks.

Comment

Comment Show 0

Comment

5 |1600 characters needed characters left characters exceeded

▼

• Visible to all users
• Visible to the original poster & Microsoft
• Viewable by moderators
• Viewable by moderators and the original poster
• Advanced visibility

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

FanFan-MSFT answered • Apr 26, '21 | FanFan-MSFT commented • May 4, '21

Hi,
When you can't do it with some computers, what's the error message?
Based on my understanding, you want to user to have rights to RDP to other computers and at the same time, you want the user to have the administrative permission, right?
If i misunderstand you, please feel to let me know.

If you want to assign the RDP permission to a user on all the computers in the domain, you can configure the policy as following:
Create a GPO and link it to the domain level.
Right click the GPO and select edit.
Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Add the administrators and users you want to assign the RDP permission. This policy will overwrite the default settings.

Navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Connections.
On the right-side panel. Double-click on Allow users to connect remotely using Remote Desktop Services.
Select Enabled and click Apply if you want to enable Remote Desktop.

To add the user to the local administrators group:
Open the GPO and navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups.
Right click and choose Add Group. If you want to add users to the local administrators group enter Administrators.
In the next window under “Members of this group:” click Add and choose the users to add to the local administrators group.
Note that any users that are currently in the local administrators group will be removed and replaced with the users you select here. If that is what you want, click OK and close the GPO.

For the delegation control, you can refer to the following link:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-by-using-ou-objects

Best Regards,

4261.jpg (147.7 KiB)

4262.jpg (136.3 KiB)

Comment

Comment · Show 1

Comment

5 |1600 characters needed characters left characters exceeded

▼

• Visible to all users
• Visible to the original poster & Microsoft
• Viewable by moderators
• Viewable by moderators and the original poster
• Advanced visibility

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

FanFan-MSFT · May 04, 2021 at 01:44 AM

Hi，
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,

0 Votes 0 ·

Enable Remote Desktop access for Domain user

Archived Forums

Directory Services

• Question

• 
  

  0

  Sign in to vote

  On a newly setup Windows 2019 Server Essentials domain, a user requires to RDP into their workstation.

  I have added the user to the Builtin Remote Desktop Users group but they are still unable to RDP into either the server or their workstation.

  If I add them to the Builtin Administrators group they can RDP into the server, but not their workstation.

  Any suggestions please?

  Thursday, May 16, 2019 4:05 AM

Answers

• 
  

  1

  Sign in to vote

  On a newly setup Windows 2019 Server Essentials domain, a user requires to RDP into their workstation.

  I have added the user to the Builtin Remote Desktop Users group but they are still unable to RDP into either the server or their workstation.

  If I add them to the Builtin Administrators group they can RDP into the server, but not their workstation.

  Any suggestions please?

  The user can add themselves into the local RDUsers group (it isn't locked-down to high-level privilege users).

  If you want to do this on their behalf, you can remotely add their domain account into the wkstn local RDUsers group by using any remoting method to add the user account into the localgroup.

  There is no AD group which performs the equivalent action. You *could* setup domain group policy settings to achieve this, but if it's a single user for a one-time setup, not worth the bother.

  some reference discussion:https://www.reddit.com/r/sysadmin/comments/595u28/active_directory_builtin_groups/

  https://social.technet.microsoft.com/Forums/ie/en-US/4513faf6-7ee1-496e-a7d5-d15c2a47d47d/allow-remote-desktop-for-a-domain-user?forum=winserver8gen

  In our enterprise, we just have a guide for users to follow and let them add themselves if they wish (if they can logon at the console of the machine, then they can grant themselves RD logon, but, they can't RD logon without having set it up beforehand)

  ---

  Don [doesn't work for MSFT, and they're probably glad about that ;]

  
  
  • Edited by DonPick Wednesday, May 29, 2019 7:11 AM
  • Marked as answer by Foiler-NZ Saturday, June 1, 2019 3:31 AM

  Wednesday, May 29, 2019 7:09 AM

• 
  

  0

  Sign in to vote

  Thanks Dave - but no, the user is a remote desktop user and is not a domain admin so that article is not relevant.

  • Marked as answer by Foiler-NZ Tuesday, June 11, 2019 10:18 AM

  Wednesday, May 29, 2019 4:04 AM

All replies

• 
  

  0

  Sign in to vote

  May need to also Allow Logon Locally for the user

  

  ---

  
  Regards, Dave Patrick ....
  Microsoft Certified Professional
  Microsoft MVP [Windows Server] Datacenter Management
  
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
  

  
  
  • Edited by Dave PatrickMVP Thursday, May 16, 2019 4:33 AM

  Thursday, May 16, 2019 4:27 AM

• 
  

  0

  Sign in to vote

  Ah yes "Allow Logon Locally" should fix it .. but for that object properties the Add User or Group button is greyed out, also the Remove button .. I have added Remote Desktop Users to the Local Security Policy (which previously only had Administrators in it), then ran gpupdate /force on the user's PC .. but still RDP is not allowed for the user.

  Thursday, May 16, 2019 6:47 AM

• 
  

  0

  Sign in to vote

  but for that object properties the Add User or Group button is greyed out,

  May need to run using elevated credentials.

  
  

  ---

  
  Regards, Dave Patrick ....
  Microsoft Certified Professional
  Microsoft MVP [Windows Server] Datacenter Management
  
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
  

  Thursday, May 16, 2019 12:36 PM

• 
  

  0

  Sign in to vote

  None of this is helping so far unfortunately.

  Running the Policy Editor as Administrator - option to add is still greyed out.

  Even though I have added this user to the Administrators group, he still cannot remote desktop into his own computer, but can RDP into the Domain Controller.

  Thursday, May 16, 2019 8:25 PM

• 
  

  0

  Sign in to vote

  Also try fromGroup Policy Management Console

  ---

  
  Regards, Dave Patrick ....
  Microsoft Certified Professional
  Microsoft MVP [Windows Server] Datacenter Management
  
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
  

  Thursday, May 16, 2019 8:53 PM

• 
  

  0

  Sign in to vote

  Hello,
  Thank you for posting in our TechNet forum.
  
  According to my knowledge,Essentials in 2019 is not the same as in 2016. If we use want to use RDP, please understand roles and features included in Windows Server 2019 Essentials.We strongly recommend that we use Windows Server 2016 Essentials. Because the 2019 version of Essentials is basically a limited version, some of the features on 2016 were gone on 2019.
  
  And fromWindows Server 2019 Essentials-end of an era, we can see: Remote Web Access feature is gone inWindows Server 2019 Essentials.

  
  

  
  
  
  If we still want to use server 2019 essentials, we can only enable VPN on server 2019 essentials, and then end users connect to VPN successfully, and finally remotely connect to their own clients.
  The best way is to downgrade to Windows server 2016 essentials.
  
  

  Similar case:
  Server 2016 Essentials Upgrade to Server 2019
  
  
  Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.
  
  
  
  

  Best Regards,
  Daisy Zhou

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact .
  

  • Edited by Daisy ZhouMicrosoft contingent staff Friday, May 17, 2019 8:13 AM

  Friday, May 17, 2019 8:10 AM

• 
  

  0

  Sign in to vote

  Hi,
  If this question has any update or is this issue solved? Also, for the question, is there any other assistance we could provide?
  

  
  

  
  
  
  Best Regards,
  Daisy Zhou

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact .

  
  
  • Edited by Daisy ZhouMicrosoft contingent staff Monday, May 20, 2019 2:08 AM

  Monday, May 20, 2019 2:08 AM

• 
  

  0

  Sign in to vote

  Issue is not resolved.

  Below are screenshots the three policies I have adjusted, and on workstations have run gpudate /force

  On one workstation the remote access works, on another it doesn't. Both W10.

  For a while I couldn't even log into a workstation locally unless I added the user on that PC as a locally approved remote user. Not sure which of the policy settings has corrected that.

  I would like to know which policy or policies on the DC that I can work with to absolutely apply settings to all the workstations .. Domain Controllers Policy? Domain Policy? Local Computer Policy?

  
  

  Tuesday, May 21, 2019 9:42 PM

• 
  

  0

  Sign in to vote

  can't seem to upload my screenshots sorry ..

  on both the Domain Controllers Policy and Domain Policy I have added Remote Desktop Users to both the Log on locally and logon through RDP .. and there are no disallows anywhere.

  Tuesday, May 21, 2019 9:48 PM

• 
  

  0

  Sign in to vote

  On problem pc logged on as problem user you can try running rsop.msc to see what's being applied.

  Might also try building a new one as a test both before and after domain join.

  ---

  
  Regards, Dave Patrick ....
  Microsoft Certified Professional
  Microsoft MVP [Windows Server] Datacenter Management
  
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
  

  Tuesday, May 21, 2019 9:53 PM

• 
  

  0

  Sign in to vote

  Hi,
  1. Would you please provide the operating system version of this Windows 2019 Server Essentials?
  Open command prompt, type winver and click Enter.
  
  2. Would you please provide Windows features related to Remote Desktop Services?
  Open PowerShell, type get-windowsfeature and click Enter.
  
  

  
  
  

  Best Regards,
  Daisy Zhou

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact .

  Wednesday, May 22, 2019 9:02 AM

• 
  

  0

  Sign in to vote

  Running rsop.msc on the PC which does allow remote access, the Remote Access and Local login permissions appear to come from the Domain Policy.

  However, running rsop.msc on the PC which does not allow remote access the result is:

  "The RSop snap-in was unable to generate the computer's data due to insufficient permissions. The snap-in will continue to start but only the user's data will be displayed".

  Wednesday, May 22, 2019 10:54 AM

• 
  

  0

  Sign in to vote

  Hi,
  If we want to get computer configuration, we can logon the machine with administrator account.
  
  

  Best Regards,
  Daisy Zhou

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact .

  Thursday, May 23, 2019 3:26 AM

• 
  

  0

  Sign in to vote

  Hi,
  I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
  

  Thanks for your time and have a nice day!
  
  
  

  Best Regards,
  Daisy Zhou

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact .

  Monday, May 27, 2019 1:12 AM

• 
  

  0

  Sign in to vote

  Hi Daisy, thanks for followup .. the lack of remote access to some PCs still persists. The only reliable cure for this is to add specific users to: Computer Properties - Remote settings - Select Users
  

  Does anyone know why running rsop.msc on the PCs which do not allow remote access the result is:

  "The RSop snap-in was unable to generate the computer's data due to insufficient permissions. The snap-in will continue to start but only the user's data will be displayed".

  Tuesday, May 28, 2019 11:18 AM

• 
  

  0

  Sign in to vote

  Maybe this one helps.

  https://support.microsoft.com/en-us/help/932460/error-message-when-a-domain-administrator-or-a-local-administrator-use

  ---

  
  Regards, Dave Patrick ....
  Microsoft Certified Professional
  Microsoft MVP [Windows Server] Datacenter Management
  
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
  

  Tuesday, May 28, 2019 12:26 PM

• 
  

  0

  Sign in to vote

  Thanks Dave - but no, the user is a remote desktop user and is not a domain admin so that article is not relevant.

  • Marked as answer by Foiler-NZ Tuesday, June 11, 2019 10:18 AM

  Wednesday, May 29, 2019 4:04 AM

• 
  

  1

  Sign in to vote

  On a newly setup Windows 2019 Server Essentials domain, a user requires to RDP into their workstation.

  I have added the user to the Builtin Remote Desktop Users group but they are still unable to RDP into either the server or their workstation.

  If I add them to the Builtin Administrators group they can RDP into the server, but not their workstation.

  Any suggestions please?

  The user can add themselves into the local RDUsers group (it isn't locked-down to high-level privilege users).

  If you want to do this on their behalf, you can remotely add their domain account into the wkstn local RDUsers group by using any remoting method to add the user account into the localgroup.

  There is no AD group which performs the equivalent action. You *could* setup domain group policy settings to achieve this, but if it's a single user for a one-time setup, not worth the bother.

  some reference discussion:https://www.reddit.com/r/sysadmin/comments/595u28/active_directory_builtin_groups/

  https://social.technet.microsoft.com/Forums/ie/en-US/4513faf6-7ee1-496e-a7d5-d15c2a47d47d/allow-remote-desktop-for-a-domain-user?forum=winserver8gen

  In our enterprise, we just have a guide for users to follow and let them add themselves if they wish (if they can logon at the console of the machine, then they can grant themselves RD logon, but, they can't RD logon without having set it up beforehand)

  ---

  Don [doesn't work for MSFT, and they're probably glad about that ;]

  
  
  • Edited by DonPick Wednesday, May 29, 2019 7:11 AM
  • Marked as answer by Foiler-NZ Saturday, June 1, 2019 3:31 AM

  Wednesday, May 29, 2019 7:09 AM

• 
  

  0

  Sign in to vote

  Hi,
  Would you please tell me how things are going on your side. If you have any questions or concerns, please don't hesitate to let us know.
  
  
  
  

  Best Regards,
  Daisy Zhou

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact .

  Friday, May 31, 2019 7:22 AM