Ask the Expert

Specifying users with Remote Desktop permissions through Group Policy

Is it possible to specify users or groups that have Remote Desktop permissions through Group Policy in AD?

You can prevent users or groups from using Remote Desktop by removing their ability to do a network logon on the machines in question. That is, you can create a GPO specifically for an OU that prevents users from connecting. To prevent users or groups from using a network connection of any type, use the "Windows Settings/Security Settings/Local Policies/User Rights Assignments/Deny access to this computer from the network" policy. Add the groups you wish to deny access to. Remember, however, that they also will not be able to access file shares (a good thing on a desktop or server that is not a file server, a bad thing for a domain controller or file server). To specifically deny remote desktop access, use the "Windows Settings/Security Settings/Local Policies/User Rights Assignments/Deny Log on through Terminal Services." Add the groups you wish to deny.

Group Policy Administrative Templates can be used to control Remote Assistance options (Remote Assistance uses the Remote Desktop). Computer Administrative Templates control solicited and offered Remote Assistance (can you do it, hours, method). The setting "Remote Assistance/Offer Remote Assistance Properties" also allows you to specify which Windows group's members are allowed to offer remote assistance without an invitation.

This was first published in November 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: