Thursday, 24 May 2012

Add PC01 to the domain and allow remote desktop access by Group Policy

image

In my demo environment I like to use PC01 as a demo client PC.

The first step is adding PC01 to the demo.local domain. Of course, the IP configuration must be set so that PC01 can find the domain controller.

image

Adding PC01 to the domain follows the same steps as in this blog about SQL01. [Blog]

After PC01 is added to the domain, I would like to be able to use Remote Desktop to connect to it. However, when I try, I get this error:

image

It’s now a domain computer, so I will not add users to the local group or change the local policy on the PC. Let’s use a domain policy to do this.

Log in to your domain controller, click Start, type gpmc.msc and hit Enter. The Group Policy Management console will start if you did it correctly.

As you can see, I created a Workstations OU in my Active Directory and moved PC01 to this OU. All following steps are based on this OU.

image

Right-click the Workstations OU and select Create a GPO in the domain…….

image

Give the policy a name and click OK.

image

Because we created the policy while the Workstations OU was selected, a link is created on the Workstations OU and the policy itself is created under Group Policy Objects.

image

Right-click the policy and select Edit. The following screen will appear:

image

Browse to the node as seen in the image and double-click Allow users to connect remotely using ………

image

Select Enabled and click OK.

image

Now RDP access is enabled, but we still cannot log on to PC01 with an RDP client. First we need to make sure that the users you want to allow are members of the local Remote Desktop Users group on the client.

We will also do this within the same GPO.

With the newly created GPO still open, go to the Restricted Groups node as shown in the image and click Add Group.

image

Click Browse in the next window and, when the window below appears, type remote, click Check Names and select the Remote Desktop Users group. Click OK.

image

And click OK again.

image

Click Add as shown below and then Browse to select the users/groups to whom you want to grant these rights.

image

In my case I created a group in AD that contains the users/groups that I want to have RDP rights to workstations. After selecting your users/groups, click OK.

image

And OK again.

image

Close the GPO editor window. Go to the GPMC and show the settings of the newly created GPO.

image

Seems to be okay, so are we finished? When trying to log in through RDP with a user that is a member of GRANT_RemoteDesktopToWorkstations, it still does not work.

Did you refresh your PC01 to make sure that the GPOs are applied? No?

Access PC01 through the virtual machine management console (in my case Hyper-V) and log in with an account that has administrative permissions.

Click the Windows Start button, type CMD, right-click CMD and select Run as Administrator.

image 

Type GPUPDATE /FORCE and hit Enter, or restart PC01.

image

Succeeded!!!!

image
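
To confirm on PC01 that both settings from the GPO actually arrived after GPUPDATE /FORCE, a PowerShell check like the following can be run on the client. It is an added example, not part of the original post; the function name Test-RdpGpo and the NetBIOS domain name DEMO (derived from demo.local) are assumptions.

```powershell
# Added example; run on PC01 after GPUPDATE /FORCE.
# Assumptions: function name Test-RdpGpo, NetBIOS domain name DEMO (from demo.local).
function Test-RdpGpo {
    param(
        [string[]]$ExpectedMembers = @('DEMO/GRANT_RemoteDesktopToWorkstations')
    )

    # "Allow users to connect remotely..." is delivered as a registry policy
    # value; fDenyTSConnections = 0 means RDP connections are allowed.
    $tsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $item  = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdpAllowed = ($null -ne $item) -and ($item.fDenyTSConnections -eq 0)

    # Read the local group through the WinNT ADSI provider, which also works
    # on clients that do not have Get-LocalGroupMember.
    $group  = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    $actual = @($group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $path -replace '^WinNT://', ''   # e.g. DEMO/GRANT_RemoteDesktopToWorkstations
    })

    # Assuming the GPO lists the group under "Members of this group", that list
    # is authoritative: extra or missing members mean the policy has not
    # applied, or something else is changing the local group.
    $missing    = @($ExpectedMembers | Where-Object { $actual -notcontains $_ })
    $unexpected = @($actual | Where-Object { $ExpectedMembers -notcontains $_ })

    New-Object PSObject -Property @{
        RdpAllowedByPolicy = $rdpAllowed
        Members            = $actual
        MissingMembers     = $missing
        UnexpectedMembers  = $unexpected
        Compliant          = $rdpAllowed -and ($missing.Count -eq 0) -and ($unexpected.Count -eq 0)
    }
}

Test-RdpGpo | Format-List
```

Any entry under UnexpectedMembers is an account that can log on over RDP without being in the AD group, which is worth reviewing before relying on the GPO as the only access control.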

 

Hope you enjoy this blog! If you have comments, a better solution or recommendations, I would like to hear from you.