Home Windows How to Add User to Remote Desktop Group?
Windows

How to Add User to Remote Desktop Group?

written by Cyril Kardashevsky

One of the most critical tasks for administrators is to manage user access to resources, including remote desktop access. Controlling remote desktop access to servers contributes to a more secure environment.

By default, members of the built-in groups Remote Desktop Users and Administrators are allowed to access the remote desktop on workstations and servers. But for domain controllers, only the Administrators group has remote desktop access permissions.

In this blog post, we will discuss how to add Active Directory users to the remote desktop users group using Group Policy Object (GPO) and PowerShell.

Create a Security Group for RDP Users

It is good practice to use group-based access whenever possible. This allows for easier user access management by adding or removing users from the appropriate group.

So instead of adding specific users to the Remote Desktop Users group, let’s first create a security group that will be added as a member. This way, you can create multiple groups if needed and organize user access more efficiently.

OPTION 1: Using the Active Directory Users and Computers Console

  1. Log in to the domain controller and open the Active Directory Users and Computers (ADUC) console.
    group policy allow remote desktop specific users
  2. Navigate to the Active Directory OU container where you want to create the new security group. In this example, we’ll select the Users OU.
  3. Click the New Group button.
  4. On the New Object > Group window, type the group name, select the group scope, select Security as the group type, and click OK.
    add domain user to remote desktop group
  5. Once the security group is created, you can add the members (users and groups) to it. These members are the intended Remote Desktop Access users.
    gpo remote desktop users
  6. After adding users and groups as members, click OK to save the changes and close the group properties window.
    gpo add user to remote desktop group

Option 2: Using PowerShell

To create the Allow RDP Users group using PowerShell:

  1. Log in to the server and open an elevated PowerShell session.
  2. Run the following command to create the security group. This command creates the security group named Allow RDP Users inside the Users OU: 
    New-ADGroup -Name 'Allow RDP Users' -GroupScope Universal 

Get-ADGroup -Identity 'Allow RDP Users'

    add group to remote desktop users gpo

  3. Lastly, let’s add a user to the group: 
    Add-ADGroupMember -Identity 'Allow RDP Users' -Members grant.gabriel 

Get-ADGroupMember -Identity 'Allow RDP Users'

    group policy remote desktop users

Add Users to the Remote Desktop Users Group using GPO

Group Policy Object (GPO) is a powerful tool that allows administrators to manage settings for multiple users and computers in an organization. One of the settings that can be controlled using GPO is the remote desktop users group membership.

We’ll configure the Remote Desktop Users policy item in this example using the GUI.

  1. Open the Group Policy Management Console (GPMC) on the domain controller.
    gpmc.msc
    remote desktop users gpo
  2. Right-click the domain and click Create a GPO in this domain, and Link it here.
    Note. You can also create and link the new GPO in a specific OU.
    add user to remote desktop group
  3. Type Remote Desktop Users Policy as the policy name and click OK.
    add users to remote desktop users group
  4. Right-click the new policy and click Edit.
    how to add user to remote desktop group
  5. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings.
  6. Right-click on Restricted Groups and click Add Group.
    group policy allow remote desktop users
  7. On the Add Group dialog box, type Remote Desktop Users and click OK.
    Note. Do not click Browse. You will not see the Remote Desktop Users in the Active Directory because it is a local group on each computer.
    add a user to remote desktop group
  8. The Remote Desktop Users Properties window opens. Under the Members of this group property, click Add.
  9. Browse for the security group you created earlier (Allow RDP Users) and save it as a member of the Remote Desktop Users group.
    add user in remote desktop groupNote. You can also add domain users to the Remote Desktop Group.
  10. Click OK on the Remote Desktop Users Properties to save the changes.
    add users to remote desktop users group gpo
  11. Close the Group Policy Editor and the Group Policy Management window.
    remote desktop users security group
  12. Finally, wait for the group policy replication throughout the domain. You can also force the group policy Remote Desktop Users by running gpupdate /force.
  13. Let’s check on one of the computers if the Allow RDP Users group is now a local Remote Desktop Users group member. In this example, we are entering a remote PowerShell session on PC1: 
    Enter-PSSession -ComputerName PC1
  14. Next, list the Remote Desktop Users group members on PC1 using the Get-LocalGroupMember cmdlet: 
    Get-LocalGroupMember -Group 'Remote Desktop Users'

    remote desktop users domain security group

That’s it! You’ve created the Remote Desktop Users group policy.

At this point, all Allow RDP Users security group members can RDP into the computers in the domain. If a user who isn’t a Remote Desktop Users group member tries to RDP, they will get a message like the one below.

add user to rdp group

So an administrator has to add the user as a member of the Remote Desktop Users through the Allow RDP Users security group.

Add Users to the Remote Desktop Users Group using PowerShell

You can also add users to Remote Desktop Users using PowerShell using the Add-LocalGroupMember cmdlet.

Note. A GPO configured for Remote Desktop Users will automatically overwrite the Remote Desktop Users’ group membership every time the computer updates the group policy. Only use this method if the RDP access is needed temporarily or if no GPO is configured for Remote Desktop Users.

Run the command below to add a user to the Remote Desktop Group locally on a computer.

Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'DOMAIN\USERNAME'

To add a user to the Remote Desktop Group locally on a remote computer, you can use PowerShell remoting with Enter-PSSession.

Enter-PSSession -ComputerName <remote_computer> 
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'DOMAIN\USERNAME'

remote desktop users group policy

Or you can also run the Invoke-Command cmdlet to run the Add-LocalGroupMember command remotely.

Invoke-Command -ComputerName PC1 -ScriptBlock { 
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'DOMAIN\USERNAME' 
}

remote desktop security group policy

Conclusion

Managing user access is an important task for system administrators, and adding Active Directory users to the remote desktop users group is just one aspect of this task. By using GPO and PowerShell, administrators can easily manage user access to remote desktops.

By following best practices and regularly reviewing access, administrators can ensure their environments are secure and only authorized users have access.

kardashevsky cyril

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.