Category Archives: GPO and GPP

Using Group Policy settings to enable Remote Desktop

You must have administrator privileges to configure the Windows Group Policy Object (GPO). In order to enable Remote Desktop (Windows Server 2012 / 2008 R2 / 2008), the following GPO settings need to be configured:

  1. Click Start – All programs – Administrative Tools – Group Policy Management.
  2. Create or Edit Group Policy Objects
  3. Navigate to Computer Configuration > Policies > Administrative Templates> Network > Network Connections > Windows Firewall > Domain Profile.
  4. Double-click Windows Firewall: Allow inbound Remote Desktop exceptions.
  5. Set this setting to Enabled and add the IP addresses that are allowed to connect. Here you can use '*' for all IP addresses, or specific subnets.
  6. Click OK. See the picture below.

Firewall_GPO_Setting_01

  7. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.
  8. Double-click Allow users to connect remotely using Remote Desktop Services.
  9. Set this setting to Enabled, and then click OK. See the picture below.

Rdp_GPO_Users_02

  10. Close the Group Policy object and make sure it is properly linked to the required domain locations.

In addition to GPO, we can use Group Policy Preferences (GPP) to enable Remote Desktop:

  1. Click Start – All programs – Administrative Tools – Group Policy Management.
  2. Create or Edit Group Policy Objects
  3. Expand Computer Configuration > Preferences > Windows Settings.
  4. Right click Registry > New > Registry Item.
  5. On the General tab configure the following:

– Action: Update
– Hive: HKEY_LOCAL_MACHINE
– Key path: SYSTEM\CurrentControlSet\Control\Terminal Server
– Value name: fDenyTSConnections
– Value type: REG_DWORD
– Value data: 00000000 (enable) or 00000001 (disable)

  6. Click the Browse button and navigate to HKLM > SYSTEM > CurrentControlSet > Control > Terminal Server; highlight fDenyTSConnections and click Select. Click OK. See the picture below.

Rdp_GPO_Preference_03

  7. Close the Group Policy object and make sure it is properly linked to the required domain locations.

Please note: In my scripts I use the following registry settings to enable/disable RDP:

System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
Value Name: AllowTSConnections, fDenyTSConnections, fAllowToGetHelp
Data Type: REG_DWORD (DWORD Value)

If you want to enable Remote Assistance, add or change these DWORD values:

• AllowTSConnections set it to "1"
• fDenyTSConnections set it to "0"
• fAllowToGetHelp set it to "1"

One example of these registry settings you can see in my post about the HTA application which I named Remote Desktop Assistant (RDA): http://www.alexcomputerbubble.com/category/hta.

If you use the Remote Desktop Connection client for privileged access to Windows machines, configure the GPO to prompt for the password rather than store it. For this setting do the following:

  1. Click Start – All programs – Administrative Tools – Group Policy Management.
  2. Create or Edit Group Policy Objects
  3. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > Do not allow passwords to be saved.
  4. Choose Enabled. See the picture below.

Rdp_GPO_Password_04

  5. Click OK. Close the Group Policy object.
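The three procedures above (the Remote Desktop Services policy, the GPP registry item, and the "Do not allow passwords to be saved" client policy) all end up as registry values on the target computer. The following PowerShell is an added example, not code from the original post: it creates the two policy settings in a GPO with the GroupPolicy module, and audits a machine by reading both the policy key and the Terminal Server key the post's GPP item and scripts write. The GPO name and link target are assumptions; the check also reports the built-in "Remote Desktop" firewall rule group where the NetSecurity module exists (Windows 8 / Server 2012 and later).

```powershell
# Added example; not code from the original post. Assumes the GroupPolicy module
# (RSAT or a domain controller). $GpoName and $LinkTarget are placeholders.
Import-Module GroupPolicy

$GpoName   = 'Enable-RDP-Example'                                    # assumption
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function New-RdpPolicyGpo {
    param(
        [string]$Name = $GpoName,
        [string]$LinkTarget = $null   # e.g. 'OU=Servers,DC=example,DC=local' (assumption)
    )
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) { New-GPO -Name $Name | Out-Null }

    # "Allow users to connect remotely using Remote Desktop Services" = Enabled.
    # A policy value under ...\Policies\... takes precedence over the preference value
    # that a GPP registry item writes to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server.
    Set-GPRegistryValue -Name $Name -Key $PolicyKey -ValueName 'fDenyTSConnections' `
        -Type DWord -Value 0 | Out-Null

    # "Do not allow passwords to be saved" (Remote Desktop Connection Client) = Enabled.
    Set-GPRegistryValue -Name $Name -Key $PolicyKey -ValueName 'DisablePasswordSaving' `
        -Type DWord -Value 1 | Out-Null

    if ($LinkTarget) { New-GPLink -Name $Name -Target $LinkTarget -LinkEnabled Yes | Out-Null }
    Get-GPRegistryValue -Name $Name -Key $PolicyKey   # show what the GPO now carries
}

function Test-RdpState {
    # Reads, on the local machine, the keys the post's GPO, GPP item and scripts write.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
    $t = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue

    $policyDeny = $p.fDenyTSConnections        # $null when no policy applies
    $localDeny  = $t.fDenyTSConnections        # set by the GPP item or a script
    $effectiveDeny = if ($null -ne $policyDeny) { $policyDeny } else { $localDeny }

    $fw = 'unknown (NetSecurity module not available)'
    try {
        # Effective state of the built-in "Remote Desktop" inbound rule group.
        $fw = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -PolicyStore ActiveStore -ErrorAction Stop |
               Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }).Count -gt 0
    } catch { }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        RdpEnabled              = ($effectiveDeny -eq 0)
        PolicyControlsRdp       = ($null -ne $policyDeny)
        LocalfDenyTSConnections = $localDeny
        AllowTSConnections      = $t.AllowTSConnections
        fAllowToGetHelp         = $t.fAllowToGetHelp
        PasswordSavingBlocked   = ($p.DisablePasswordSaving -eq 1)
        InboundRdpFirewallRule  = $fw
    }
}

Test-RdpState | Format-List
```

Run `Test-RdpState` on a member server after `gpupdate /force` to confirm the result: `PolicyControlsRdp` tells you whether the Administrative Template policy is in charge or only the GPP/registry preference is, which matters because a preference value is "tattooed" and stays after the GPO is unlinked, while a policy value is removed.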
Please note: Although the author has made every reasonable attempt to achieve complete accuracy of the content, he assumes no responsibility for errors or omissions. Also, you should use this information as you see fit, and at your own risk.

Using Group Policy Preferences (GPP) to map user home drive

To map a drive based on user name by using group policy objects and preferences, you need to do the following:

  • Create a share to hold user’s home drives and set permissions (most network administrators are using share name such as Users$);
  • Create a security group to apply security filtering in GPO, so all users that are members of this group will be able to create home folder via GPO;
  • Create a new GPO and use GPP to create user’s folder (this is in addition to your existing GPO used to map home drives);
  • Add drive mappings for the user home drives in the existing GPO;
  • Assign link order for the two GPOs, with a lower link order for the home folder creation GPO and a higher link order for the home drive mapping GPO.

In my example, I will use my existing GPO (named Login Script GPO) for mapping network drives, as described in my blog post where I used GPPs to map network drives based on the user's group membership.

In addition to this GPO, I will create a new one and name it UserHomeDrive. By the end of the configuration process, the drive mapping settings will look similar to the picture below.

Note: user home drive is mapped to the letter Q:

Mapping a drive based on user name

To map a drive based on a user name, your drive mapping location setting should look something like this: \\SERVER\SHARE\%LOGONUSER%. In my example the user's home drive is mapped to \\TEST-DC-01\Users$\%Logonuser%, as shown in the picture above.

When you use Active Directory Users and Computers (ADUC) to map a user's home drive, this tool creates the user's directory and sets its permissions. Unlike ADUC, GPP only maps a drive to the share; it does not create the directory or set permissions. So you need to pre-create the users' directories with appropriate ACLs. For this purpose you can use a script, such as a PowerShell script or VBScript, which I may show in one of my next blog posts.

Here we will use GPP itself to create the user's directory and set its permissions. First we need to create a new Group Policy Object and link it to the domain.

Create a new GPO and security group

  1. Create a GPO, link it to the FirstLocation OU and name it UserHomeDrive.
  2. Create a new Active Directory security group, something like ‘FirstLocationUsers’. Under Group Policy security filtering, remove Authenticated Users and add your new security group as shown in the picture below.

Create a share folder and set permissions

3. Create a directory that will hold the home folders. In my example I named it 'Users$'. Ensure that Everyone is removed and that the Authenticated Users group has the Full Control share permission.

4. To set up exclusive access, go to the directory location of your share. In the advanced NTFS security permissions, remove the inheritable permissions and clear the current ACL. You can then add the following ACL:

SYSTEM = Full Control
CREATOR OWNER = Full Control
LOCAL\Administrators = Full Control

For the Authenticated Users group ONLY the following has to be set up:
Traverse folder; Create folder; Write attributes; Write extended attributes; Read permissions; Change permissions

These NTFS permissions will allow your users to create the folder via the GPO, but they will not be able to browse the share or view any folder other than their own.

5. Then you can add a drive mapping preference item to your GPO, mapping the path \\TEST-DC-01\Users$\%Logonuser%.

6. In the new GPO configure a new Folder under 'User Configuration' – 'Preferences' – 'Windows Settings' – 'Folders'.

7. On the General tab select 'Create' under Action, and the Path should read \\TEST-DC-01\Users$\%Logonuser%. Do not enable any additional items under Attributes.

8. On the Common tab, enable the 'Run in logged-on user's security context' option.

This will automatically create a folder for each user who is a member of your 'FirstLocationUsers' group, with exclusive access to that folder for the user.
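Steps 3 and 4 (the share and its root NTFS ACL) are what make the folder created by the GPP item in steps 6 to 8 exclusive to its owner. The following PowerShell is an added example, not the post's own script: it creates the share with the post's share permissions, applies the root ACL exactly as listed above (including the Authenticated Users rights restricted to "this folder only"), and includes a check you can run after a user has logged on to confirm that the folder GPP created is owned by that user and carries no Everyone or Authenticated Users entry. The local path `D:\Users` is an assumption.

```powershell
# Added example; not code from the original post. Run as a local administrator on
# the file server. $SharePath is an assumption; 'Users$' is the post's share name.
$SharePath = 'D:\Users'
$ShareName = 'Users$'

function New-HomeRootShare {
    param([string]$Path = $SharePath, [string]$Name = $ShareName)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # Step 3: share permission. Only Authenticated Users (Full Control); Everyone is not added.
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Name -Path $Path -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
    }

    # Step 4: NTFS. Stop inheritance without copying inherited entries, then drop explicit ones.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) { $acl.RemoveAccessRule($ace) | Out-Null }

    $fsr        = [System.Security.AccessControl.FileSystemRights]
    $inheritAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $noInherit  = [System.Security.AccessControl.InheritanceFlags]::None
    $propNone   = [System.Security.AccessControl.PropagationFlags]::None
    $propOnly   = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow      = [System.Security.AccessControl.AccessControlType]::Allow

    # Rights the post grants Authenticated Users on the root folder only.
    $rootRights = $fsr::Traverse -bor $fsr::CreateDirectories -bor $fsr::WriteAttributes -bor
                  $fsr::WriteExtendedAttributes -bor $fsr::ReadPermissions -bor $fsr::ChangePermissions

    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',   $fsr::FullControl, $inheritAll, $propNone, $allow),
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', $fsr::FullControl, $inheritAll, $propNone, $allow),
        # CREATOR OWNER is inherit-only: whoever creates a subfolder becomes its Full Control owner.
        New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER',          $fsr::FullControl, $inheritAll, $propOnly, $allow),
        # "This folder only": users can traverse and create their own folder, not browse others.
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\Authenticated Users', $rootRights, $noInherit, $propNone, $allow)
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
    Get-Acl -Path $Path | Select-Object -ExpandProperty Access
}

function Test-HomeFolderIsolated {
    # After the user has logged on once, verify the folder GPP created for them.
    param([string]$UserName, [string]$Root = $SharePath)
    $folder = Join-Path $Root $UserName
    if (-not (Test-Path $folder)) { return [pscustomobject]@{ Folder = $folder; Exists = $false } }

    $acl   = Get-Acl -Path $folder
    $broad = @($acl.Access | Where-Object { $_.IdentityReference -match 'Everyone|Authenticated Users|Domain Users' })
    [pscustomobject]@{
        Folder       = $folder
        Exists       = $true
        Owner        = $acl.Owner
        OwnedByUser  = ($acl.Owner -like "*\$UserName")
        BroadAccess  = ($broad.Count -gt 0)    # should be $false
    }
}

New-HomeRootShare
# Test-HomeFolderIsolated -UserName 'jsmith'   # 'jsmith' is a constructed example account
```

If `OwnedByUser` comes back false, the folder was not created in the user's own context (step 8 was skipped or the item ran as SYSTEM), and the CREATOR OWNER entry will not have given that user Full Control.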

Map a drive to user’s folder

Now I will go back to my existing GPO (in my example this is Login Script GPO) for mapping network drives based on the user's group membership. I will repeat the steps described in my previous blog post, but this time I will map the drive letter Q to the location \\TEST-DC-01\Users$\%Logonuser%.

For the Action you can select ‘Create’ or ‘Replace’, check the ‘Reconnect’ checkbox and click on the Common tab.

On the 'Common' tab check two check boxes: 'Run in logged-on user's security context (user policy option)', then 'Item-level targeting'. The latter opens the Targeting Editor, where you add a condition that the user is a member of the security group 'FirstLocationUsers'.

Assign link order for the two GPOs

Finally, you have to make sure the GPO precedence is set up with a lower link order for the home folder creation GPO and a higher link order for the home drive mapping GPO. The link order regulates how policy objects are processed for the linked OU: a policy object with a higher link order number is processed before one with a lower number. Here the 'UserHomeDrive' GPO with link order 3 is processed first, then the 'Login Script GPO' with link order 2, and so on. This order is necessary because the user's home folder has to exist before the user's home drive is mapped to it. 'Default Domain Policy' is processed last, so any settings in this policy object are final and override those configured in policy objects with a higher link order number (unless inheritance blocking or enforcement is used).
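Because the link order number runs opposite to the processing order (the GPO with order 1 is processed last and wins), it is easy to get the two GPOs the wrong way round. The following PowerShell is an added example, not the post's own code: it lists the GPOs linked to a container in the order they are processed, checks that the creation GPO is processed before the mapping GPO, and fixes the order with `Set-GPLink` if not. The OU distinguished name is an assumption; the GPO names are the ones used in the post.

```powershell
# Added example; not code from the original post. Assumes the GroupPolicy module and
# that $Target is adjusted to your own OU (placeholder DN below).
Import-Module GroupPolicy

$Target    = 'OU=FirstLocation,DC=example,DC=local'   # assumption
$CreateGpo = 'UserHomeDrive'                          # creates the folder, must run first
$MapGpo    = 'Login Script GPO'                       # maps Q:, must run after

function Get-GpoProcessingOrder {
    param([string]$Container = $Target)
    # GpoLinks are the GPOs linked directly to this container. Link order 1 has the
    # highest precedence and is applied last, so processing order is descending link order.
    $links = (Get-GPInheritance -Target $Container).GpoLinks
    $i = 0
    $links | Sort-Object Order -Descending | ForEach-Object {
        $i++
        [pscustomobject]@{ Processed = $i; LinkOrder = $_.Order; GPO = $_.DisplayName
                           Enabled = $_.Enabled; Enforced = $_.Enforced }
    }
}

function Test-HomeDriveLinkOrder {
    param([string]$Container = $Target, [string]$Creator = $CreateGpo, [string]$Mapper = $MapGpo)
    $links  = (Get-GPInheritance -Target $Container).GpoLinks
    $create = $links | Where-Object DisplayName -eq $Creator
    $map    = $links | Where-Object DisplayName -eq $Mapper
    if (-not $create -or -not $map) { throw "Both '$Creator' and '$Mapper' must be linked to $Container" }
    # Creation GPO needs the higher link order number so it is processed first.
    return ($create.Order -gt $map.Order)
}

function Repair-HomeDriveLinkOrder {
    param([string]$Container = $Target, [string]$Creator = $CreateGpo, [string]$Mapper = $MapGpo)
    if (Test-HomeDriveLinkOrder -Container $Container -Creator $Creator -Mapper $Mapper) {
        Write-Host 'Link order already correct.'
    } else {
        $count = ((Get-GPInheritance -Target $Container).GpoLinks).Count
        # Push the creation GPO to the last slot (processed first) and the mapping GPO just above it.
        Set-GPLink -Name $Creator -Target $Container -Order $count        -ErrorAction Stop | Out-Null
        Set-GPLink -Name $Mapper  -Target $Container -Order ($count - 1)  -ErrorAction Stop | Out-Null
    }
    Get-GpoProcessingOrder -Container $Container
}

Repair-HomeDriveLinkOrder | Format-Table -AutoSize
```

Note that `GpoLinks` covers only links on that container; use the `InheritedGpoLinks` property of the same object when you need the full precedence list including GPOs linked at the domain or site level.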