Requirements for Configuring Group Policy for Terminal Services
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This step-by-step guide assumes you understand the basic concepts of Group Policy and using Group Policy Management Console.
Before running the scenarios presented in this document, you must follow these steps in order:
Prepare your environment.
Enable users to connect remotely to a terminal server.
Centrally enable Remote Desktop using Group Policy.
Grant access to your terminal servers with the Remote Desktop Users Group.
Note
It is assumed the firewall on the terminal server is off. If you have configured a firewall on your terminal server, you must allow inbound Remote Desktop exceptions through the firewall on the terminal server.
Prepare your environment
You must have at least one Active Directory domain. You must have Group Policy Management Console (GPMC) installed on an administration computer. The administration computer should contain all the tools for administrating the domain-based operations.
In your domain, create a separate organizational unit (OU) for terminal servers. Move all terminal servers into that OU. Do not move any users or other computers into that OU.
It is assumed that you understand the basics of creating, managing, and administering Group Policy Active Directory domains. See Implementing Common Desktop Management Scenarios with the Group Policy Management Console for more information about creating, managing, and administering Group Policy Active Directory domains.
Enable users to connect remotely to a terminal server
To enable users to connect remotely to a terminal server, you must ensure that:
Remote Desktop is enabled on the terminal server.
Users have the appropriate rights and permissions to log on remotely to the server.
Note
To perform these two tasks, you must be logged on as a member of the Administrators group. These properties are configured on a per-server basis. You can use Group Policy to manage these properties centrally.
Centrally enable Remote Desktop using Group Policy
It is recommended as a best practice to centrally enable Remote Desktop for all your terminal servers. Group Policy will allow you to centrally configure all your terminal servers instead of configuring the properties for each terminal server.
To centrally enable Remote Desktop using Group Policy
To open Group Policy Management Console (GPMC), click Start, click Run, and then type GPMC.msc.
Create and link a GPO to the terminal server OU.
Right-click the GPO linked to the terminal server OU, and then click Edit.
In Computer Configuration\Administrative Templates\Windows Components\ Terminal Services, double-click the Allow users to connect remotely using Terminal Services policy setting.
Click Enabled.
Click OK.
Important
When you enable Remote Desktop on a computer, you enable the capability for other users and groups to log on remotely to the computer. However, you must also decide which users and groups should be able to log on remotely, and then manually add them to the Remote Desktop Users group. Domain administrators automatically have the ability to log on remotely to the terminal server. Do not add domain administrators to the Remote Desktop Users group. You should thoroughly test any changes you make to Group Policy settings before applying them to users or computers.
Note
If the Allow users to connect remotely using Terminal Services policy setting is set to "Not Configured," the Enable Remote Desktop on this computer policy setting (on the Remote tab of the System Properties dialog box) on the target computers takes precedence. Otherwise, the Allow users to connect remotely using Terminal Services policy setting takes precedence.
Grant access to your terminal servers with the Remote Desktop Users group
The Remote Desktop Users group is one of the built-in users groups available when you install one of the Microsoft Windows Server 2003 operating systems. When you enable Remote Desktop, members of the Remote Desktop Users group and domain administrators are automatically able to log on remotely to a terminal server.
By default, the Remote Desktop Users group is not populated. Therefore, you must decide which users and groups should have access to log on remotely to a terminal server, and then add them to this group. Instead of populating the Remote Desktop Users group on a per-server basis, as a best practice it is recommended to centrally grant access to users via the Remote Desktop Users group for all your terminal servers using Group Policy. This approach will allow all domain administrators to be able to indirectly add their users to the Remote Desktop Users group for all terminal servers using a domain group.
Note
This procedure does not show you how to restrict access to the Remote Desktop Users group. Do not add domain administrators to the domain group configured as a member of the Remote Desktop Users group. By default, domain administrators have remote access rights to any terminal server.
To add a domain group to the Remote Desktop Users group via Group Policy
To open Group Policy Management Console, click Start, click Run, and then type GPMC.msc.
Create and link a GPO named Restricted Groups to the terminal server OU.
Right-click the Restricted Groups GPO linked to the terminal server OU, and then click Edit.
You can configure the Restricted Groups setting in the following location in Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups\
Right-click Restricted Groups and then click Add Group.
Click Browse, click Locations, select the locations you want to browse, and then click OK.
Type Remote Desktop Users in the Enter the object names to select text box and then click Check Names. Or, click Advanced, and then click Find Now to list all available groups.
Click the Remote Desktop Users group and then click OK.
Click OK in the Add Groups dialog box to close it. The Remote Desktop Users Properties dialog box is then displayed.
Click Add in the Members of this group section of the dialog box.
Click Browse.
Type the name of the domain group in the Select Users or Groups dialog box. Click Check Names, and then click OK to close this dialog box.
Click OK to close this dialog box to finish adding the domain group to the Remote Desktop Users group.