Monthly Archives: September 2013

Using Group Policy settings to enable Remote Desktop

You must have administrator privileges to configure the Windows Group Policy Object (GPO). In order to enable Remote Desktop (Windows Server 2012 / 2008 R2 / 2008), the following GPO settings need to be configured:

  1. Click Start – All programs – Administrative Tools – Group Policy Management.
  2. Create or Edit Group Policy Objects
  3. Navigate to Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.
  4. Double-click Windows Firewall: Allow inbound Remote Desktop exceptions.
  5. Set this setting to Enabled and add the IP addresses that are allowed to connect. You can use '*' for all IP addresses, or list specific subnets; listing only the subnets that administrators connect from limits which hosts can reach Remote Desktop through this exception.
  6. Click OK. See the picture below.

Firewall_GPO_Setting_01

  7. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.
  8. Double-click Allow users to connect remotely by using Remote Desktop Services.
  9. Set this setting to Enabled, and then click OK. See the picture below.

Rdp_GPO_Users_02

  10. Close the Group Policy object and make sure it’s properly linked to the required domain locations.

In addition to GPO, we can use Group Policy Preferences (GPP) to enable Remote Desktop:

  1. Click Start – All programs – Administrative Tools – Group Policy Management.
  2. Create or Edit Group Policy Objects
  3. Expand Computer Configuration > Preferences > Windows Settings.
  4. Right click Registry > New > Registry Item.
  5. On the General Tab configure the following :

– Action: Update
– Hive: HKEY_LOCAL_MACHINE
– Key path: SYSTEM\CurrentControlSet\Control\Terminal Server
– Value name: fDenyTSConnections
– Value type: REG_DWORD
– Value data: 00000000 (enable) or 00000001 (disable)

6. Click the Browse button and navigate to HKLM > SYSTEM > CurrentControlSet > Control > Terminal Server; highlight fDenyTSConnections and click Select. Click OK. See the picture below.

Rdp_GPO_Preference_03

7. Close the Group Policy object and make sure it’s properly linked to the required domain locations.

Please note: In my scripts I use the following registry settings to enable/disable RDP:
System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
Value Name: AllowTSConnections, fDenyTSConnections, fAllowToGetHelp
Data Type: REG_DWORD (DWORD Value)

If you want to enable Remote Assistance, add or change these DWORD values:
• AllowTSConnections: set it to “1”
• fDenyTSConnections: set it to “0”
• fAllowToGetHelp: set it to “1”

You can see one example of these registry settings in my post about an HTA application, which I named Remote Desktop Assistant (RDA): http://www.alexcomputerbubble.com/category/hta.

If you use a Remote Desktop Connection client for privileged access to Windows machines, configure the GPO so that the client prompts for a password instead of storing it. To configure this setting, do the following:

  1. Click Start – All programs – Administrative Tools – Group Policy Management.
  2. Create or Edit Group Policy Objects
  3. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > Do not allow passwords to be saved.
  4. Choose Enabled. See the picture below.

Rdp_GPO_Password_04

  5. Click OK. Close the Group Policy object.
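To confirm that the settings described above actually reached a machine, the following PowerShell reads back the registry values they write and reports anything that does not match. This is an added example, not part of the original post or the author's scripts; the `SOFTWARE\Policies` key paths and the `DisablePasswordSaving`, `Enabled` and `RemoteAddresses` value names are assumptions based on the standard ADMX templates, and `Get-RegValue` is a hypothetical helper.

```powershell
# Added example: read back the registry values the settings above should produce.
# The SOFTWARE\Policies paths and value names are assumptions taken from the
# standard ADMX templates; confirm them in your environment.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$tsLocal  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$fwPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop'

$denyLocal  = Get-RegValue $tsLocal  'fDenyTSConnections'    # written by the GPP registry item
$denyPolicy = Get-RegValue $tsPolicy 'fDenyTSConnections'    # written by the Administrative Template
$noSavePwd  = Get-RegValue $tsPolicy 'DisablePasswordSaving' # client-side: check on the admin workstation
$fwEnabled  = Get-RegValue $fwPolicy 'Enabled'
$fwScope    = Get-RegValue $fwPolicy 'RemoteAddresses'

# When the Administrative Template value is present it overrides the local one.
$effectiveDeny = if ($null -ne $denyPolicy) { $denyPolicy } else { $denyLocal }

$findings = @()
if ($effectiveDeny -ne 0) {
    $findings += 'RDP is not enabled: effective fDenyTSConnections is not 0.'
}
if ($fwEnabled -ne 1) {
    $findings += 'Domain-profile firewall exception for Remote Desktop is not enabled by policy.'
} elseif ($fwScope -match '(^|,)\s*\*\s*(,|$)') {
    $findings += 'Firewall exception allows every source address (*); list management subnets instead.'
}
if ($noSavePwd -ne 1) {
    $findings += '"Do not allow passwords to be saved" is not enforced on this machine.'
}

"fDenyTSConnections (local/GPP): $denyLocal"
"fDenyTSConnections (policy)   : $denyPolicy"
"Firewall exception / scope    : $fwEnabled / $fwScope"
"DisablePasswordSaving         : $noSavePwd"
if ($findings.Count -eq 0) {
    'OK: all values match the configuration described above.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it after `gpupdate /force` on a machine in the GPO's scope; the password-saving check is meaningful on the workstation that runs the Remote Desktop Connection client, the other checks on the server being connected to.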






Please note: Although the author has made every reasonable attempt to achieve complete accuracy of the content, he assumes no responsibility for errors or omissions. Also, you should use this information as you see fit, and at your own risk.