Server 2012: GPO to set up local admin and RDP access.

We are going to give a group of people RDP access to workstations together with local administrator rights.
For RDP to work we also need to open the firewall.

While reading, consider splitting this monolithic GPO and single security group into 2 security groups and 3 smaller GPOs:
(1) Local Admin security group + a GPO that grants local admin rights
(2) RDP access security group + a GPO that grants RDP rights
(3) A GPO that opens the RDP firewall ports.

To accomplish this, we will be doing the following:

  1. Create a new Security Group containing the people who need local admin and RDP access
  2. Create Group Policy to grant the RDP and local administrator rights to our group of people.
  3. Enable Allow users to connect remotely by using Remote Desktop Services in our GPO
  4. Allow Inbound Remote Desktop exceptions GPO
  5. Testing our new Security Group / GPO setup.
  6. Verify Group membership
  7. Verify RDP Settings


  1. Create a new Security Group named Local Administrators
    On your DC open Active Directory Users and Computers (dsa.msc) and create a new group.

    • Give it a name. Note the Group Scope and Group Type.
    • Right-click the new Group and select Properties. Go to the Members tab and click Add…
    • Add the users or groups you wish to add. You can browse using the Advanced… button. Click OK and OK when done.
  2. Create a new Group Policy named Local Administrators.
    • Open Group Policy Management (gpmc.msc).
      Browse to the OU where you want the GPO to be placed, right-click it and choose Create a GPO in this domain, and Link it here…
      Note: you can’t link it to the default Computers container. So either create a new OU for your computers, or link the GPO at the root of the domain; if you do the latter, be aware of the security risk that your servers receive these permissions as well.
    • Name it Local Administrators and click
    • Right-click your new GPO and select Edit.
    • Browse to:
      Computer Configuration - Policies - Windows Settings - Security Settings - Restricted Groups
      Right-click the Restricted Groups folder and click Add Group…, click Browse…, enter the name of the Security Group we created in step 1 (Local Administrators), click Check Names, then OK and OK.
      Note: We have now added the Group from step 1 to the Restricted Groups.
    • Right-click the Group and select Properties.
    • Next to This group is a member of:, click Add…
    • Click Browse in the small Group Membership window, enter Remote Desktop Users and Administrators, click Check Names, then OK and OK.
      Note: Members of this Group should be specified directly in the Security Group from step 1 and not here.
    • Review the membership you just configured and click OK.
  3. Enable Allow users to connect remotely by using Remote Desktop Services in our GPO
    • If it is not already open, open Group Policy Management (gpmc.msc), browse to your GPO, right-click it and select Edit.
    • Navigate to: Computer Configuration - Policies - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Connections. Set Allow users to connect remotely by using Remote Desktop Services to Enabled.
    • Select Enabled and Apply/OK.
    • Prevent local administrators from changing our new setting: Computer Configuration - Policies - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Security. Set Do not allow local administrators to customize permissions to Enabled and Apply/OK.
      Note: this prevents a local admin from turning off our other RDP GPO settings.
    • Require Network Level Authentication: Computer Configuration - Policies - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Security. Set Require user authentication for remote connections by using Network Level Authentication to Enabled. Be sure your environment meets this requirement (the connecting clients must support NLA).
  4. Allow Inbound Remote Desktop exceptions GPO
    Navigate to: Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile. Edit Windows Firewall: Allow inbound Remote Desktop exceptions and set it to Enabled.
  5. Testing our new Security Group / GPO setup.
    Either restart your PC or run gpupdate /force in cmd or similar.
  6. Verify Group membership
    Open Local Users and Groups (lusrmgr.msc), go to Groups, right-click Administrators and choose Properties.
  7. Verify that the Local Administrators Group we created in step 1 is listed under Members.
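The same steps 1 to 4 can be scripted from a DC (or any machine with the RSAT ActiveDirectory and GroupPolicy modules). The following is an added example, not the original post's own procedure or any vendor script. It assumes a workstation OU of OU=Workstations,DC=test,DC=local, a sample member account morten, and a group and GPO both named Local Administrators as in the post; the registry keys and value names are the ones I understand these Administrative Template settings to map to, so confirm them in the GPO's Settings report (Get-GPOReport) before relying on them. The Restricted Groups nesting from step 2 lives in the Security Settings extension, which the GroupPolicy module cannot write, so that part stays in the editor.

```powershell
# Added example, not from the original post: scripted equivalent of steps 1 to 4.
# Run on a DC (or a box with RSAT) as a domain admin. Assumed values, change them:
#   $TargetOU and $Members. The group and GPO names are the ones the post uses.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'Local Administrators'
$GpoName   = 'Local Administrators'
$TargetOU  = 'OU=Workstations,DC=test,DC=local'   # assumed workstation OU (not the default Computers container)
$Members   = @('morten')                           # assumed sample member(s)

# Step 1: the security group that holds the people who get local admin and RDP rights
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $TargetOU
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# Step 2: the GPO, linked only to the workstation OU so servers are not hit by it
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null }
# The Restricted Groups part (making the group a member of Administrators and Remote
# Desktop Users) lives in the Security Settings extension, which the GroupPolicy module
# cannot write; configure it in the GPO editor as described in step 2 above.

# Step 3: Remote Desktop Session Host policies. These Administrative Template settings are
# stored under the key below; the value names are assumed from the template mapping.
$ts = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
# Allow users to connect remotely by using Remote Desktop Services: Enabled
Set-GPRegistryValue -Name $GpoName -Key $ts -ValueName 'fDenyTSConnections' -Type DWord -Value 0 | Out-Null
# Do not allow local administrators to customize permissions: Enabled
Set-GPRegistryValue -Name $GpoName -Key $ts -ValueName 'fWritableTSCCPermissionsTAB' -Type DWord -Value 1 | Out-Null
# Require user authentication for remote connections by using NLA: Enabled
Set-GPRegistryValue -Name $GpoName -Key $ts -ValueName 'UserAuthentication' -Type DWord -Value 1 | Out-Null

# Step 4: Windows Firewall: Allow inbound Remote Desktop exceptions (Domain profile): Enabled
$fw = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop'
Set-GPRegistryValue -Name $GpoName -Key $fw -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null
# Scope of the exception: 'localsubnet' limits it to the local subnet, '*' would allow any source
Set-GPRegistryValue -Name $GpoName -Key $fw -ValueName 'RemoteAddresses' -Type String -Value 'localsubnet' | Out-Null

# Show what landed in the GPO before rolling it out to the OU
Get-GPRegistryValue -Name $GpoName -Key $ts
Get-GPRegistryValue -Name $GpoName -Key $fw
```

Scoping RemoteAddresses to localsubnet instead of * is the one place this differs from the post's screenshot-driven defaults: the GUI's Enabled leaves the scope wide open unless you fill it in, and an RDP exception that accepts connections from anywhere is a larger exposure than most workstation fleets need.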

Verify RDP settings:

  1. Open Control Panel – System and Security – System (SystemPropertiesRemote.exe) and click Remote Settings.
  2. Enter credentials for one of our now-enabled Local Administrators in the UAC popup and click Yes.
  3. Verify the settings and click Select Users…
    Note: the greyed-out settings are due to our GPO.
  4. Notice our Local Administrators Group and how it says TEST\morten already has access (via the Group, so no need to add myself again).
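The checks in steps 6 and 7 and in the Verify RDP settings section can be run in one go on a workstation after gpupdate /force. This is an added example, not part of the original post; it assumes the NetBIOS domain name TEST and the group name Local Administrators from the post, and uses ADSI for local group membership because Get-LocalGroupMember does not exist on Server 2012 and Windows 8 era clients.

```powershell
# Added example, not from the original post: run elevated on a workstation after
# gpupdate /force to check steps 6 and 7 and the RDP settings without clicking through
# lusrmgr.msc and the Remote tab. Assumed: NetBIOS domain 'TEST' (as on the page) and
# the group name 'Local Administrators'; change $Domain for your environment.
$Domain    = 'TEST'
$GroupName = 'Local Administrators'
$checks    = [ordered]@{}

# Local group members via ADSI; Get-LocalGroupMember is absent on Server 2012 / Windows 8
function Get-LocalGroupMembers([string]$Group) {
    $adsiGroup = [ADSI]"WinNT://./$Group,group"
    $adsiGroup.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}
# Restricted Groups should have nested our domain group into both local groups (step 2)
foreach ($local in 'Administrators', 'Remote Desktop Users') {
    $expected = "WinNT://$Domain/$GroupName"
    $checks["$local contains $Domain\$GroupName"] = ((Get-LocalGroupMembers $local) -contains $expected)
}

# The policy-backed RDP settings (the greyed-out ones in the Remote tab) live under this key;
# value names are assumed from the Administrative Template mapping
$ts = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
$checks['RDP allowed by policy (fDenyTSConnections = 0)']      = ($ts.fDenyTSConnections -eq 0)
$checks['NLA required (UserAuthentication = 1)']               = ($ts.UserAuthentication -eq 1)
$checks['Local admins cannot edit RDP permissions (flag = 1)'] = ($ts.fWritableTSCCPermissionsTAB -eq 1)

# Firewall: at least one enabled inbound rule in the active (policy-merged) store must open TCP 3389
$rdpRules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True |
    Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '3389' }
$checks['Inbound TCP 3389 allowed by an enabled rule'] = (@($rdpRules).Count -gt 0)

# And the Remote Desktop service must actually be listening
$listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
$checks['RDP listener on TCP 3389'] = (@($listening).Count -gt 0)

# Every value should be True; a False points at the step above to revisit
$checks
```

Reading the policy key rather than the live Terminal Server key is deliberate: a True here means the setting came from the GPO and cannot be flipped back by a local administrator, which is the whole point of the Do not allow local administrators to customize permissions setting in step 3.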