Category Archives: RDP

Using Group Policy settings to enable Remote Desktop

You must have administrator privileges to configure the Windows Group Policy Object (GPO). In order to enable Remote Desktop (Windows Server 2012 / 2008 R2 / 2008), the following GPO settings need to be configured:

  1. Click Start – All programs – Administrative Tools – Group Policy Management.
  2. Create or Edit Group Policy Objects
  3. Navigate to Computer Configuration > Policies > Administrative Templates> Network > Network Connections > Windows Firewall > Domain Profile.
  4. Double-click Windows Firewall: Allow inbound Remote Desktop exceptions.
  5. Set this setting to Enabled and add the IP addresses or subnets that are allowed to connect. Entering ‘*’ allows every IP address; listing specific subnets keeps the exception scoped to the hosts that actually need it.
  6. Click OK. See the picture below.

Firewall_GPO_Setting_01

  7. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.
  8. Double-click Allow users to connect remotely using Remote Desktop Services.
  9. Set this setting to Enabled, and then click OK. See the picture below.

Rdp_GPO_Users_02

  10. Close the Group Policy object and make sure it’s properly linked to the required domain locations.

In addition to GPO, we can use Group Policy Preferences (GPP) to enable Remote Desktop:

  1. Click Start – All programs – Administrative Tools – Group Policy Management.
  2. Create or Edit Group Policy Objects
  3. Expand Computer Configuration > Preferences > Windows Settings.
  4. Right click Registry > New > Registry Item.
  5. On the General tab, configure the following:

– Action: Update
– Hive: HKEY_LOCAL_MACHINE
– Key path: SYSTEM\CurrentControlSet\Control\Terminal Server
– Value name: fDenyTSConnections
– Value type: REG_DWORD
– Value data: 00000000 to enable Remote Desktop, or 00000001 to disable it

  6. Click the Browse button and navigate to HKLM > SYSTEM > CurrentControlSet > Control > Terminal Server; highlight fDenyTSConnections and click Select. Click OK. See the picture below.

Rdp_GPO_Preference_03

  7. Close the Group Policy object and make sure it’s properly linked to the required domain locations.

Please note: In my scripts I use the following registry settings to enable/disable RDP:
System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
Value Name: AllowTSConnections, fDenyTSConnections, fAllowToGetHelp
Data Type: REG_DWORD (DWORD Value)
If you want to enable Remote Desktop and Remote Assistance, add or change these DWORD values:
• AllowTSConnections: set it to “1”
• fDenyTSConnections: set it to “0”
• fAllowToGetHelp: set it to “1” (this value controls Remote Assistance)
One example of these registry settings can be seen in my post about the HTA application I named Remote Desktop Assistant (RDA) – http://www.alexcomputerbubble.com/category/hta.

If you use the Remote Desktop Connection client for privileged access to Windows machines, configure a GPO that makes the client prompt for the password rather than store it. To apply this setting, do the following:

  1. Click Start – All programs – Administrative Tools – Group Policy Management.
  2. Create or Edit Group Policy Objects
  3. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > Do not allow passwords to be saved.
  4. Choose Enabled. See the picture below.

Rdp_GPO_Password_04

  5. Click OK. Close the Group Policy object.
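The following PowerShell is an added example, not code from the original post: it reads back the values that the GPO, GPP and password-saving steps above are expected to set, so you can confirm on a machine that the policy actually applied and that the firewall exception is not open to every address. It assumes the policy registry path HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services with the values fDenyTSConnections and DisablePasswordSaving (which those two policies write), and the NetSecurity cmdlets available on Windows 8 / Server 2012 or later; the function name is my own.

```powershell
# Added example, not part of the original post: reads back the values the GPO / GPP
# steps above set, so you can confirm that the policy actually landed on a machine.
# Run in an elevated PowerShell on the target; the firewall cmdlets need Windows 8 /
# Server 2012 or later.
function Get-RdpPolicyState {
    [CmdletBinding()]
    param()

    # Effective key, the one the GPP Registry Item writes directly
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # Policy key written by "Allow users to connect remotely using Remote Desktop Services"
    # (fDenyTSConnections) and "Do not allow passwords to be saved" (DisablePasswordSaving)
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    $effective = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections    -ErrorAction SilentlyContinue).fDenyTSConnections
    $policy    = (Get-ItemProperty -Path $pol -Name fDenyTSConnections    -ErrorAction SilentlyContinue).fDenyTSConnections
    $noSave    = (Get-ItemProperty -Path $pol -Name DisablePasswordSaving -ErrorAction SilentlyContinue).DisablePasswordSaving

    # Remote addresses accepted by the enabled rules of the built-in "Remote Desktop" group;
    # 'Any' (or '*' from the GPO exception) means the port is open to every source address
    $scopes = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
              Where-Object { $_.Enabled -eq 'True' } |
              Get-NetFirewallAddressFilter |
              ForEach-Object { $_.RemoteAddress } |
              Sort-Object -Unique

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        RdpEnabledEffective     = ($effective -eq 0)
        RdpEnabledByPolicy      = $(if ($null -eq $policy) { 'not set' } else { $policy -eq 0 })
        PasswordSavingDisabled  = ($noSave -eq 1)
        FirewallRemoteAddresses = ($scopes -join ', ')
        FirewallOpenToAny       = [bool]($scopes | Where-Object { $_ -in 'Any', '*' })
    }
}

$state = Get-RdpPolicyState
$state | Format-List
if ($state.FirewallOpenToAny) {
    Write-Warning 'The Remote Desktop firewall exception accepts any source address; scope it to specific subnets.'
}
if (-not $state.PasswordSavingDisabled) {
    Write-Warning '"Do not allow passwords to be saved" is not applied on this machine.'
}
```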

Please note: Although the author has made every reasonable attempt to achieve complete accuracy of the content, he assumes no responsibility for errors or omissions. Also, you should use this information as you see fit, and at your own risk.

Remote Desktop Connection File Settings

RDP settings are stored in a connection file with the .rdp extension. This file contains the user preferences for a Remote Desktop connection; when you launch the file, its settings are applied to the RDP session. You can edit the settings either by right-clicking the file and clicking Edit, or by opening the .rdp file directly in a text editor. You can create any number of .rdp files, including several for the same computer with different settings (for example, single or multi-monitor enabled, different resolutions, and so on).

The default connection file, Default.rdp, is stored as a hidden file in the My Documents folder. Connection files that you create are also stored in My Documents, but they are not hidden.

If a setting in the .rdp file conflicts with a setting configured through Group Policy or RD Configuration, the .rdp file setting always has the lowest precedence: the Group Policy or RD Configuration value wins.

An Example RDP File

I have provided a table with the complete RDP Connection File settings; it contains additional information and can be viewed/downloaded in the download section. Note that all RDP settings follow this format:

NameOfSetting:DataType:Value

The name of the setting is in the Setting column; the data type is either i (for integer) or s (for string). The value is the string or integer that represents the desired behaviour.

The example described here starts in full screen mode (screen mode id 2: the remote session appears full screen) with multi-monitor support enabled (use multimon 1: true multiple-monitor support); it attempts to connect to the computer TEST-AFL-10 automatically on launch; and so on. The listing below is the template the PowerShell script further down works from, so use multimon is still 0 and full address is still empty; the script fills those in from its parameters.

screen mode id:i:2
use multimon:i:0
desktopwidth:i:1280
desktopheight:i:1024
session bpp:i:32
winposstr:s:0,1,222,47,1022,647
compression:i:1
keyboardhook:i:2
audiocapturemode:i:0
videoplaybackmode:i:1
connection type:i:7
networkautodetect:i:1
bandwidthautodetect:i:1
displayconnectionbar:i:1
enableworkspacereconnect:i:0
disable wallpaper:i:0
allow font smoothing:i:0
allow desktop composition:i:0
disable full window drag:i:1
disable menu anims:i:1
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1
full address:s:
audiomode:i:0
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
redirectclipboard:i:1
redirectposdevices:i:0
autoreconnection enabled:i:1
authentication level:i:2
prompt for credentials:i:0
negotiate security layer:i:1
remoteapplicationmode:i:0
alternate shell:s:
shell working directory:s:
gatewayhostname:s:
gatewayusagemethod:i:4
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:0
promptcredentialonce:i:0
use redirection server name:i:0
rdgiskdcproxy:i:0
kdcproxyname:s:
drivestoredirect:s:

As we can see, there are many different Remote Desktop related settings that can be configured. We do not need to configure or use all of them. In the script example that follows, I use a PowerShell script to change the settings and save them to the file named in the script’s ‘Path’ parameter. This way the settings for a particular connection are stored in an .rdp file that is ready to launch.

The following PowerShell script has four parameters: ComputerName, Path, UserName and Multimonitor. If you do not specify the last parameter, your RDP session will not be enabled for multi monitor support.

# PowerShell script: Create-RDPShortcut.ps1
# Script to create RDP shortcut with the name specified in the path parameter; user
# and multimonitor parameters are optional.
# Author: Alex Dujakovic, August 01, 2013
# EXAMPLE:
# Create-RDPShortcut.ps1 -ComputerName "TEST-AFL-10" -Path "C:\Test\TEST-AFL-10.rdp" `
#                        -UserName "Alex" -Multimonitor
#*************************************************************************************

[CmdletBinding()]
Param
(
    # Computer to connect to; written into the 'full address' setting
    [parameter(Mandatory=$True)]
    [String]
    $ComputerName,

    # Where the finished .rdp file is saved
    [parameter(Mandatory=$True)]
    [String]
    $Path,

    # Optional: pre-filled in the 'username' setting
    [parameter(Mandatory=$False)]
    [String]
    $UserName,

    # Optional: when present, 'use multimon' is set to 1
    [parameter(Mandatory=$False)]
    [Switch]
    $Multimonitor
)
$rdpFileSettings = @(
'screen mode id:i:2'
'use multimon:i:0'
'desktopwidth:i:1280'
'desktopheight:i:1024'
'session bpp:i:32'
'winposstr:s:0,1,222,47,1022,647'
'compression:i:1'
'keyboardhook:i:2'
'audiocapturemode:i:0'
'videoplaybackmode:i:1'
'connection type:i:7'
'networkautodetect:i:1'
'bandwidthautodetect:i:1'
'displayconnectionbar:i:1'
'username:s:'
'enableworkspacereconnect:i:0'
'disable wallpaper:i:0'
'allow font smoothing:i:0'
'allow desktop composition:i:0'
'disable full window drag:i:1'
'disable menu anims:i:1'
'disable themes:i:0'
'disable cursor setting:i:0'
'bitmapcachepersistenable:i:1'
'full address:s:'
'audiomode:i:0'
'redirectprinters:i:1'
'redirectcomports:i:0'
'redirectsmartcards:i:1'
'redirectclipboard:i:1'
'redirectposdevices:i:0'
'autoreconnection enabled:i:1'
'authentication level:i:2'
'prompt for credentials:i:0'
'negotiate security layer:i:1'
'remoteapplicationmode:i:0'
'alternate shell:s:'
'shell working directory:s:'
'gatewayhostname:s:'
'gatewayusagemethod:i:4'
'gatewaycredentialssource:i:4'
'gatewayprofileusagemethod:i:0'
'promptcredentialonce:i:0'
'use redirection server name:i:0'
'rdgiskdcproxy:i:0'
'kdcproxyname:s:'
'drivestoredirect:s:'
'server port:i:3389'
)

# Rewrite the template: fill in the computer name and user name, and turn on
# multi-monitor support only when the -Multimonitor switch was given.
$rdpFileSettings = $rdpFileSettings | ForEach-Object {
    # Split into at most three parts so a value that itself contains ':' is kept whole
    $newLine = $_ -split ':', 3
    If($newLine[0] -eq "full address"){
        "$($newLine[0]):$($newLine[1]):$($ComputerName)"
    }
    elseif($newLine[0] -eq "username"){
        "$($newLine[0]):$($newLine[1]):$($UserName)"
    }
    elseif($Multimonitor -and $newLine[0] -eq "use multimon"){
        "$($newLine[0]):$($newLine[1]):1"
    }
    else {
        # Every other setting is written back unchanged
        "$($newLine[0]):$($newLine[1]):$($newLine[2])"
    }
}
# Write the finished connection file to the location given in -Path
$rdpFileSettings | Set-Content -Path $Path

The complete RDP Connection File settings and this PowerShell script could be downloaded in the download section.
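As an added example (not the post's own code), the following PowerShell parses any .rdp file using the NameOfSetting:DataType:Value format described above and reports the settings that hand client resources (drives, clipboard, ports) to the remote host, weaken server authentication, or pre-fill credentials. The sample file content is constructed inline; the function names are my own, and the last comment shows how to run the same check on a file the script above produced.

```powershell
# Added example, not from the original post: parse a .rdp file and flag settings
# that widen what the remote host can reach on the client.
function Read-RdpFile {
    param([Parameter(Mandatory)][string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # At most 3 parts, so values containing ':' (host:port, IPv6) stay intact
        $name, $type, $value = $line -split ':', 3
        # i = integer, s = string; b (binary) appears in files that store a password blob
        if ($type -notin 'i', 's', 'b') { Write-Warning "Skipping malformed line: $line"; continue }
        $settings[$name] = if ($type -eq 'i' -and $value -match '^-?\d+$') { [int]$value } else { $value }
    }
    return $settings
}

function Test-RdpFileSettings {
    param([Parameter(Mandatory)][hashtable]$Settings)
    $findings = @()
    # Redirection settings expose client resources to the remote session
    if ($Settings['drivestoredirect'])        { $findings += "drive redirection: $($Settings['drivestoredirect'])" }
    if ($Settings['redirectclipboard'] -eq 1) { $findings += 'clipboard redirection enabled' }
    if ($Settings['redirectcomports']  -eq 1) { $findings += 'COM port redirection enabled' }
    # authentication level 0 connects without warning when the server cannot be authenticated
    if ($Settings['authentication level'] -eq 0) { $findings += 'server authentication failures are ignored' }
    if ($Settings['prompt for credentials'] -eq 0 -and $Settings['username']) {
        $findings += 'username pre-filled and no credential prompt; saved credentials would be used if present'
    }
    if (-not $Settings['full address']) { $findings += 'full address is empty; the file will not connect anywhere' }
    return $findings
}

# Constructed sample, deliberately weaker than the template on this page, to exercise the checks
$sampleRdp = @'
screen mode id:i:2
full address:s:test-host.example:3389
username:s:alex
prompt for credentials:i:0
authentication level:i:0
redirectclipboard:i:1
drivestoredirect:s:*
'@ -split "`r?`n"

$parsed = Read-RdpFile -Lines $sampleRdp
Test-RdpFileSettings -Settings $parsed | ForEach-Object { Write-Output "FINDING: $_" }
# For a file created by the script above:
# Test-RdpFileSettings -Settings (Read-RdpFile -Lines (Get-Content 'C:\Test\TEST-AFL-10.rdp'))
```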