How to enable Remote Desktop via Group Policy

This one had me stumped, but it’ll teach me to search the internet properly before blundering through. Even if you allow the Windows Firewall to accept Remote Desktop Connections you still need to enable Terminal Services elsewhere in the GP hierarchy. D’oh!

Here’s what you need to enable Remote Desktop remotely:

Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Allow Remote Desktop Exception

Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Allow users to connect remotely using Terminal Services

Enable both of those options and you’ll be Remote Desktop-ing into PCs by the next day :) (or rather, as soon as your domain clients refresh their Group Policy settings ;))
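To confirm on a client that both settings arrived after the Group Policy refresh, and to see which source addresses the firewall exception admits, a check like the following can be run in PowerShell. This is an added example, not part of the original post: the function name `Get-RdpPolicyState` is hypothetical, and the registry locations are the ones the standard administrative templates write to (assumed unmodified in your domain).

```powershell
# Added example: report whether the two GPO settings from the post reached this machine.
# Assumption: the policies are delivered by the standard administrative templates,
# which store them under HKLM:\SOFTWARE\Policies.
function Get-RdpPolicyState {
    $tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $fwPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop'
    $tsLocal  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # A missing key or value means the policy is "Not Configured" on this client.
    $ts    = Get-ItemProperty -Path $tsPolicy -ErrorAction SilentlyContinue
    $fw    = Get-ItemProperty -Path $fwPolicy -ErrorAction SilentlyContinue
    $local = Get-ItemProperty -Path $tsLocal  -ErrorAction SilentlyContinue

    # fDenyTSConnections: 0 = remote connections allowed, 1 = denied.
    $tsState = 'NotConfigured'
    if ($ts -and $null -ne $ts.fDenyTSConnections) {
        if ($ts.fDenyTSConnections -eq 0) { $tsState = 'Enabled' } else { $tsState = 'Disabled' }
    }

    # Firewall exception: Enabled = 1 opens the Remote Desktop port in the Domain Profile.
    $fwState = 'NotConfigured'
    if ($fw -and $null -ne $fw.Enabled) {
        if ($fw.Enabled -eq 1) { $fwState = 'Enabled' } else { $fwState = 'Disabled' }
    }

    # RemoteAddresses holds the "allow from these IP addresses" scope;
    # '*' admits any source, 'localsubnet' or an address range narrows it.
    $scope = $null
    if ($fw) { $scope = $fw.RemoteAddresses }
    $unrestricted = ($fwState -eq 'Enabled') -and
                    ([string]::IsNullOrEmpty($scope) -or $scope.Trim() -eq '*')

    New-Object PSObject -Property @{
        TerminalServicesPolicy  = $tsState
        FirewallExceptionPolicy = $fwState
        FirewallAllowedSources  = $scope
        ScopeUnrestricted       = $unrestricted
        # Effective local switch; policy overrides it when configured.
        LocalSettingAllowsRdp   = ($local -and $local.fDenyTSConnections -eq 0)
    }
}

# Run "gpupdate /force" first if the client has not refreshed policy yet.
Get-RdpPolicyState | Format-List
```

`ScopeUnrestricted = True` means the exception accepts connections from any address; narrowing the scope in the firewall policy to the management subnet keeps the listener from being reachable more widely than intended.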

36 thoughts on “How to enable Remote Desktop via Group Policy”

  1. James

    Many thanks for this! Turned you up in Google – straight to the point.

    Saved me a bunch of legwork. Cheers!

  2. Peter

    Just like James said. Straight to the point and I REALLY like that. As soon as the server reboots after some updates, then I’ll be changing the terminal connection settings. Thanks again.
    Peter

  3. Sean

    Perfect, this one was exactly what I needed! Now I can try and put that hair back in that I pulled out!

  4. Clay

    Thanks!
    However, you actually don’t need the Windows Firewall exception. That’s for workstations to receive requests for remote help, not for allowing you to remote in. At least that’s how I read the Group Policy definition, and remote desktop is working for me with only the second setting.

  5. Grant Miller

    And for the edit, Clay. No point in opening your workstations up further than necessary. Who the he11 uses remote assistance anyway?

  6. Sem

    In 2k8 R2 you should just need to replace Terminal Services with Remote Desktop Services as it has been re-branded.

  7. Pablo Montero

    This is not working for me. I am using Windows 7 workstations on a Windows 2003 server domain recently installed from scratch. I followed Phil’s suggestions and I am still unable to log on to any workstation remotely.

    Has anyone been unable to make this work even after applying the suggested changes to the group policy?

    Thanks,

    Pablo.

  8. Wayne

    Hi Pablo:

    I use the same setup, a Windows 2003 Domain with Windows 7 Enterprise workstations, and I was able to get this to work.

    Although, while administering my group policy via the Group Policy Management console from a Windows 7 Enterprise workstation I have the following hierarchy for the Terminal Service (Remote Desktop Settings).

    Open the policy associated with the OU the machines are located in
    Windows Firewall Setting:
    Note: Depending on which “location” you assigned your network connections you may want to do this below for both “Domain Profile” and the “Standard Profile”.

    Computer Configuration -> Policies -> Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Allow Remote Desktop Exception
    Note: Don’t forget to add your subnet to the above entry as well, if you are unsure what your subnet is (scary) enter “localsubnet”.

    Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections -> Allow users to connect remotely using Remote Desktop Services = Enabled

  9. Andy

    I successfully connect to the computer but when logging in with a user, I get the following message:

    The local policy of this system does not permit you to log on interactively.

    Anyone know what setting I need to change? Hopefully via group policy. :-)

  10. Phil Wiffen Post author

    Andy: to log on remotely via RDP, you need to be in the Local Administrator’s group on the PC you’re RDPing to. Either that, or change what types of user you’ll let log in remotely.

  11. John

    Hey thanks a lot mate!
    First hit in Google and saved me a lot of time!
    Setting up the GPOs right now, will tell ya how it works tomorrow.

  12. Doug reynolds

    Hey, I had remote desktop enabled on my server ’08 domain, and remote desktop worked great for my Windows XP. Fast forward, I start adding Win7 Pro machines, and alas, you can’t RDP to them (XP machines are fine). I add them above firewall except to the group policy, and now I can’t even remote desktop into the server.. what gives?

  13. Ivan Radisson

    For those creating this GPO on a Windows Server 2008:

    The second option is under:

    Computer Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Connections > Allow users to connect remotely using Terminal Services

    Regards.

  14. Justin

    Ivan,
    You were close but the correct path to get to the 2nd option on a W2K box is:

    Computer Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Connections > Allow users to connect remotely using Terminal Services

  15. bob

    None of these actually work.

    The only way I found to get GP to allow specific users to remote to given systems was the restricted groups option under user rights assignment.

    It adds those users to the remote users group on the target machines. The other settings read as though they should work but seem to serve no purpose.

  16. Phil Wiffen Post author

    Interesting Bob! By default, users in the Domain Administrators group, and users in the Local Admin group should be allowed RD access (that’s how it works here). Do you have a different use-case?

  17. Alex

    In R2: Computer configuration / Policies / Administrative Templates / Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections ||
    Allow users to connect remotely using Remote Desktop Services: Enabled

    or click Pete’s link for screenies
