In my demo environment I like to use PC01 as a demo client PC.
First step is adding the PC01 to the demo.local domain. Of course the IP-Configuration must be set to make sure the PC01 can find the domain controller.
Adding the PC01 to the domain can be done by the same steps as in this blog about SQL01. [Blog]
After the PC01 is added to the domain I would like to be able to use Remote Desktop to connect to the PC01. However when I try to I will get the error:
It’s now a domain computer so I will not add users to the local group or change the local policy on the PC. Let’s use a Domain Policy to do this.
Login to you Domain Controller and click start and then type gpmc.msc and hit enter. The Group Policy Management console will start when you did it correct.
As you can see I created a Workstations OU in my Active Directory, I also moved the PC01 to this OU. All following steps will be based on this OU.
Right click the Workstations OU and select Create a GPO in the domain…….
Give the policy a name and click OK
Because we created the policy when we had the Workstations OU selected a link is created on the Workstations OU and the policy is created in the Group Policy Objects.
Right click the Policy and select Edit, the following screen will appear
Browse to the node as seen in the image and double click the Allow users to connect remotely using ………
Select enabled and click OK
Now the RDP access is enabled but we still not logon with RDP clients to the PC01. First we need to make sure that the users that you want to be able to do this are member of the local Remote Desktop Users group on the client.
This we will also do within the same GPO.
Still with the just created GPO open go to the Restricted Groups node as shown in the Image and click Add Group.
Click browse in the next windows and when the below window appears type remote, click Check Names and select the Remote Desktop Users group. Click OK.
And Click OK Again..
Click Add as shown below and then Browse to select the users/groups who you want to grant these rights..
In my case I created a group in AD that contains the users/groups that I want to be able to use the RDP rights to workstations. After selecting your users/groups click OK
And OK again
Close the GPO editor window. Go to the GPMC and show the settings of the just created GPO.
Seems to be okay, so are we finished? When trying to login true RDP with a user that is member of the GRANT_RemoteDesktopToWorkstations it still does not work..
Did you refresh your PC01? To make sure that the GPO’s are enforced? No?
Access the PC01 by the Virtual Management Console in my case Hyper-V and login with a account with administrative permissions….
Click the Windows start button, type CMD, right click CMD and select Run as Administrator
Type GPUPDATE /FORCE and hit enter, or restart the PC01..