RDP granted by separate AD Groups

Jason Girard 21 Reputation points
2023-05-25T00:02:18.6833333+00:00

Greetings,

I set up RDP through group policy for my admins to gain access to some member servers. Standard RDP group policy and using the Remote Desktop Users group.

There is a need to grant another team RDP to a particular set of workstations segregated in a different OU. So, I set up a new separate group RDP policy for this OU, now I want to attach that group policy to an AD group that only allows RDP for a subset of users to this OU.

For example:

Member Server OU is granted to Admins.

Lectern OU is granted to Media.

I don't want Media to have access to RDP to Member Servers - Just the Lectern OU.

Is there a way to do that? I've been searching all over and I'm not finding much on how to attach a separate AD group other than the built-in Remote Desktop Users group to a different RDP policy.

Thanks,

J


1 answer

  1. Limitless Technology 44,776 Reputation points
    2023-05-25T12:37:40.9133333+00:00

    Hi,

    I'd be happy to help you out with your question. Sorry for the inconvenience caused.

    Please refer to following steps on how to do it:

    1. Open the Group Policy Management Console (GPMC).
    2. In the GPMC, navigate to the OU that contains the computers that you want to grant RDP access to.
    3. Right-click the OU and select New GPO (Link to Existing GPO).
    4. In the Select GPO to Link dialog box, select the GPO that contains the RDP policy that you want to use.
    5. Click OK.
    6. In the GPMC, right-click the GPO that you just linked and select Edit.
    7. In the Group Policy Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
    8. Double-click Allow log on through Terminal Services.
    9. In the Select Users, Computer, or Groups dialog box, type the name of the AD group that you want to add to the RDP policy.
    10. Click OK.
    11. Close the Group Policy Editor.

    The next time that the computers in the OU that you linked the GPO to start up, they will apply the new RDP policy. The users in the AD group that you added to the policy will now be able to RDP to the computers in the OU.

    Here are some additional things to keep in mind:

    • You can also use the Restricted Groups setting to remove users from an RDP policy.
    • If you want to add multiple AD groups to an RDP policy, you can separate the group names with commas.
    • You can also use the Restricted Groups setting to add users to other security groups. For example, you could add users to a group that has permission to access a specific file share.

    If you have any other questions or need assistance with anything, please don't hesitate to let me know. I'm here to help.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

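Once the GPO has applied, it is worth verifying the result on a target machine rather than trusting the link. The following PowerShell is an added example, not part of the answer above: it exports the effective local security policy with secedit.exe and lists which principals hold the right behind "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight). The group name CONTOSO\Media is a placeholder for your own domain and group.

```powershell
# Added example (not from the answer above). Run elevated on the computer you want to check.
# Lists who holds SeRemoteInteractiveLogonRight ("Allow log on through Remote Desktop Services").

function Get-RdpLogonRightHolders {
    [CmdletBinding()]
    param()

    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # secedit writes the effective local policy, including [Privilege Rights], to an INF file.
        $null = & secedit.exe /export /cfg $cfg /areas USER_RIGHTS
        if ($LASTEXITCODE -ne 0) { throw "secedit.exe failed with exit code $LASTEXITCODE" }

        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*SeRemoteInteractiveLogonRight\s*=' }
        if (-not $line) { return @() }   # right is granted to nobody on this machine

        # The value is a comma-separated list; SIDs are prefixed with '*'.
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            $name  = $entry
            if ($entry.StartsWith('*')) {
                try {
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = $entry }   # unresolvable SID (deleted group, DC unreachable)
            }
            [pscustomobject]@{ Raw = $entry; Principal = $name }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

# Returns $true when the named group (DOMAIN\Group form) holds the right on this machine.
function Test-RdpLogonRight {
    param([Parameter(Mandatory)][string]$Group)
    $holders = Get-RdpLogonRightHolders
    [bool]($holders | Where-Object { $_.Principal -eq $Group })
}

Get-RdpLogonRightHolders | Format-Table -AutoSize
# 'CONTOSO\Media' is a placeholder for the group you scoped to the Lectern OU.
if (Test-RdpLogonRight -Group 'CONTOSO\Media') { 'Media is granted RDP logon here' }
else { 'Media is NOT granted RDP logon here' }
```

Run it on a Lectern workstation and on a member server: the Media group should appear in the first output and not in the second. Holding this right is necessary but not sufficient for a connection; the account also needs Remote Desktop permission on the RDP listener, which membership in the local Remote Desktop Users group provides by default.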
