Sunday, May 24, 2009

Enabling Remote Desktop Through Group Policy

Recently, in an organization I know very closely, a requirement came up to allow a set of users to use 'Remote Desktop' for troubleshooting purposes. The AD administrators over there thought for a while and applied the most convenient and common, but also the riskiest, solution: giving 'Domain Admin' access to all these users. Something told me that this was wrong and that there must be a better solution.

While doing my MCSE, I learned about Group Policies and stumbled upon a less risky option for the above problem. I tried it in my lab and it worked like a charm. Not all of the following steps are strictly necessary, but they are based on best practices.

1. Create a security group which will contain all the users to whom you want to give Remote Desktop access on all your servers/computers.

2. Put the users inside that security group. 

3. Open the Group Policy Management Console by typing gpmc.msc in Run. If you don't have GPMC, download it for free from the internet and install it in your domain. You can work without GPMC, but it is basically criminal not to have it if you want to work with Group Policies.

4. Create a group policy at the domain or OU level. If you are sure that all your computers are inside a single OU (usually the computers OU), apply the policy on that OU; otherwise create the policy at the domain level. In the organization under discussion, servers are spread all over the OUs.

5. Make sure that you have selected the 'Enforced' option. This ensures that the group policy is inherited by child OUs down to the last level, even if inheritance is blocked on a child OU or a child OU has a conflicting policy setting.

6. Edit the policy and go to 'Computer Configuration > Windows Settings > Restricted Groups', then add the group 'Remote Desktop Users'. Add the security group you created in step 1 as a member of this group. This adds your group to the built-in 'Remote Desktop Users' group under 'Local Users and Groups' on each computer. Please note that applying a group policy might take some time. If you want to force an update, you can run 'gpupdate /force' on the target computer.
 
7. Now you need to enable the Remote Desktop service/option on all the target computers. Staying within the same policy, go to Computer Configuration > Administrative Templates > Windows Components > Terminal Services. Find the option 'Allow users to connect remotely using Terminal Services' and enable it.

After this you are good to go. As soon as the group policy is applied on a computer, all the users in the security group you created in step 1 will be able to start 'Remote Desktopping' to it. I tried it in my lab and it worked like a charm.
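For readers who prefer to script this rather than click through GPMC, here is the same procedure as a PowerShell example. It is an added example, not part of the original post: it assumes the RSAT ActiveDirectory and GroupPolicy modules are available on the machine where you run it, and the group name 'RDP-Troubleshooters', the GPO name 'Enable Remote Desktop' and the user names are constructed placeholders. It automates steps 1, 2, 4, 5 and 7, shows what step 6 writes into the GPO (Restricted Groups has no GroupPolicy cmdlet, so that part stays in the editor), and ends with a check you can run on a target computer after 'gpupdate /force' to confirm the policy really landed.

```powershell
# Added example (not from the original post). Assumes RSAT with the
# ActiveDirectory and GroupPolicy modules; names below are constructed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'RDP-Troubleshooters'     # assumed name for the group from step 1
$GpoName   = 'Enable Remote Desktop'   # assumed GPO name for step 4
$Members   = @('jdoe', 'asmith')       # constructed sAMAccountNames for step 2
$Domain    = (Get-ADDomain).DistinguishedName

# Steps 1 and 2: create the security group (idempotent) and populate it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Users allowed to Remote Desktop to domain computers'
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# Steps 4 and 5: create the GPO and link it at the domain level, Enforced,
# so blocked inheritance or conflicting settings on child OUs do not override it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $Domain -Enforced Yes -ErrorAction SilentlyContinue

# Step 7: 'Allow users to connect remotely using Terminal Services' = Enabled.
# Under the hood that policy sets fDenyTSConnections = 0 in the Policies hive.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'fDenyTSConnections' -Type DWord -Value 0 | Out-Null

# Step 6 (Restricted Groups) is done in the GPMC editor as the post describes.
# What the editor writes into the GPO's GptTmpl.inf is, in effect:
#   [Group Membership]
#   *S-1-5-32-555__Members = *<SID of RDP-Troubleshooters>
# S-1-5-32-555 is the well-known SID of the built-in 'Remote Desktop Users' group.
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value
Write-Host "Restricted Groups member SID to enter in the editor: $groupSid"

# Verification, to be run locally on a target computer after 'gpupdate /force'.
# Returns $true for both fields when steps 6 and 7 have been applied there.
function Test-RdpPolicyApplied {
    param([string]$ExpectedMember)
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $deny = (Get-ItemProperty -Path $key -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections
    # 'net localgroup' exists on every Windows version this post targets.
    $localMembers = (net localgroup 'Remote Desktop Users') -join ' '
    [pscustomobject]@{
        RdpEnabledByPolicy = ($deny -eq 0)
        GroupIsMember      = ($localMembers -like "*$ExpectedMember*")
    }
}

Test-RdpPolicyApplied -ExpectedMember $GroupName
```

Two things worth knowing before you rely on this. In the editor, the Restricted Groups node sits under Security Settings (Computer Configuration > Windows Settings > Security Settings > Restricted Groups). More importantly, the 'Members of this group' list you fill in for 'Remote Desktop Users' in step 6 is authoritative: after each policy refresh the local group on every computer contains exactly what the policy lists, and anything that was added locally is removed. That is usually what you want for a consistent fleet, but if some servers need extra local members, configure the security group from step 1 with 'This group is a member of' pointing at 'Remote Desktop Users' instead; that direction only adds the group and leaves existing members alone.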

I have written this assuming that you have worked with AD and/or at least know what group policies are and where to find them. If you want further information, feel free to drop a line.


1 comment:

Unknown said...

Thanks for the tut. I've been trying to figure out how to do this for about a week. Been considering buying remote desktop software to prevent issues like this. Does anyone have feedback? I've only heard good things from other sources.