{"id":2026,"date":"2017-01-20T22:22:42","date_gmt":"2017-01-20T22:22:42","guid":{"rendered":"http:\/\/microsoftgeek.com\/?p=2026"},"modified":"2018-09-06T23:18:38","modified_gmt":"2018-09-06T23:18:38","slug":"server-2012-gpo-to-setup-local-admin-and-rdp-access","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=2026","title":{"rendered":"Server 2012 : GPO to setup local admin and RDP access."},"content":{"rendered":"
\n

We are going to give access to a Group of people to RDP<\/em> to Workstations and have local administrators<\/em> rights.
\nIn order for RDP to work we also need to open firewall.<\/p>\n

While reading you might want to consider to split up this (monolithic) GPO and single Security Group\u00a0<\/em>into 2 Security Groups<\/em> and 3 smaller GPOs<\/em> :
\n(1)<\/strong> Local Admin Security Group + Give Local Admin rights GPO
\n(2)<\/strong> RDP access Security Group + Give RDP rights GPO
\n(3)<\/strong> Open RDP firewall ports.<\/p>\n

To accomplish this, we will be doing the following:<\/p>\n

    \n
  1. Create a new Security Group<\/em> containing the people who needs local admin<\/em> and rdp access<\/em><\/li>\n
  2. Create Group Policy to grant the RDP and local administrator rights to our group of people.<\/li>\n
  3. Enable Allow users to connect remotely by using Remote Desktop Services<\/em> in our GPO<\/li>\n
  4. Allow Inbound Remote Desktop exceptions GPO<\/li>\n
  5. Testing our new Security Group \/ GPO setup.<\/li>\n
  6. Verify Group membership<\/li>\n
  7. Verify RDP Settings<\/li>\n<\/ol>\n

     <\/p>\n

      \n
    1. Create new Security G<\/em>roup named Local\u00a0Administrators<\/em><\/strong>
      \nOn your DC open Active Directory Users and Computers (dsa.msc<\/code>)
      \n\"01-SecurityGroup\"<\/p>\n
        \n
      • Give it a name \u2013 Note the Group Scope<\/em> and Group Type<\/em>.
        \n\"02-SecurityGroup\"<\/li>\n
      • Right-click the new Group and select properties. Go to the Members tab and click Add\u2026
        \n\"03-SecurityGroup\"<\/li>\n
      • Add the Names<\/em> or Groups<\/em> you wish to add. You can browse using the Advanced\u2026<\/em> button. Click OK and OK<\/em>\u00a0when done.
        \n\"04-SecurityGroup\"<\/li>\n<\/ul>\n<\/li>\n
      • Create a new Group Policy<\/em> named Local Administrators<\/em><\/strong>.\n
          \n
        • Open the Group Policy Management<\/em> (gpmc.msc<\/code>)
          \nBrowse to the OU<\/em> where you want the GPO to\u00a0be placed, right-click it and choose Create a GPO in this domain, and Link it here\u2026
          \n<\/em>Note<\/strong>: you can\u2019t link it to the default Computers<\/em> container. So either create a new OU<\/em> for your computers, or link the GPO in the root of the domain, just be aware of security risks regarding hitting your servers with these permissions as well.
          \n\"05-GPO\"<\/li>\n
        • Name it Local Administrators<\/em> and click
          \n\"06-GPO\"<\/li>\n
        • Right-click<\/em> your new GPO<\/em> and select Edit<\/em>
          \n\"07-GPO\"<\/li>\n
        • Browse through:
          \nComputer Configuration - Policies - Windows Settings - Security Settings - Restricted Groups<\/code>
          \nRight-click the Restricted Groups<\/em> folder and click Add Group\u2026<\/em>, click Browse \u2026<\/em> enter the name of the Security Group<\/em> we created in step 1: Local Administrators<\/em>,\u00a0and click Chek Names<\/em>, then OK<\/em> and OK<\/em>.
          \nNote<\/strong>: We have now added the Group<\/em> from step 1 to the Restricted Groups<\/em>.
          \n\"08-GPO\" \"09-GPO\"<\/li>\n
        • Right-click the Group and select Properties
          \n\"09-2-GPO\"<\/li>\n
        • Next to the This Group is member of<\/em>: click Add\u2026<\/em>
          \n\"10-GPO\"<\/li>\n
        • Click Browse<\/em> in the small Group Membership<\/em> window, enter\u00a0Remote Desktop Users<\/em> and Administrators\u00a0<\/em>and Check Names<\/em>, OK and OK.
          \nNote<\/strong>: Members of this Group<\/em> should be specified directly in the Security Group<\/em> from step 1 and not here.
          \n\"11-GPO\"<\/li>\n
        • Review the membership you just configured and click OK.
          \n\"12-GPO\"<\/li>\n<\/ul>\n<\/li>\n
        • Enable<\/strong> Allow users to connect remotely by using Remote Desktop Services<\/em> in our GPO\n
            \n
          • If not open, open Group Policy Management (gpmc.msc), browse to and right-click your GPO and select Edit<\/li>\n
          • Navigato to: Computer Configuration - Policies - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Connections<\/code>. Set: Allow users to connect remotely by using Remote Desktop Services Enabled
            \n<\/strong><\/em>\"18-rdp\"<\/li>\n
          • Select Enabled<\/em> and Apply\/OK<\/em><\/li>\n
          • Prevent Local Administrators<\/strong> from making changes to our new setting: Computer Configuration - Policies - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Security<\/code>. Do not allow local administrators to customize permissions: Enabled<\/strong> <\/em>Note: this is to prevent local admin turning off our other RDP GPO settings.
            \n\"20-rdp\" Set it to Enabled<\/em> and Apply\/OK<\/li>\n
          • Enable Require user authentication for remote connections by using Network Level Authentication Computer Configuration - Policies - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Security<\/code>. Set Require user authentication\u00a0for remote connections by usining Network Level Authenticaion\u00a0Enabled<\/strong><\/em> Be sure your environment meets this requirment.
            \n\"22-rdp\"<\/li>\n<\/ul>\n<\/li>\n
          • Allow Inbound Remote Desktop exceptions GPO<\/strong>
            \nComputer Configuration\\Administrative Templates\\Network\\Network Connections\\Windows Firewall\\Domain Profile<\/code>\\ Edit: Windows Firewall: Allow Inbound Remote Desktop exceptions<\/em>: Enabled<\/strong> \"25-firewalljpg\"<\/li>\n
          • Testing our new Security Group \/ GPO setup.<\/strong>
            \nEither restart you PC or type gpupdate \/force<\/code> in cmd<\/em> or similar<\/li>\n
          • Verify Group membership
            \n<\/strong>Open Local Users and Groups<\/em> (lusrmgr.msc<\/code>) go to Groups, right-click Administrators and choose Properties
            \n\"13-local\"<\/li>\n
          • Verify out Local Administrators Group we created in step 1 is listed in\u00a0Members
            \n\"14-local\"<\/li>\n<\/ol>\n

            Verify RDP settings:<\/h4>\n
              \n
            1. Open the Control Panel \u2013 System and Security \u2013 System (SystemPropertiesRemote.exe) and click Remote Settings.<\/li>\n
            2. Enter credentials for one of our now-enabled Local Admininistrators<\/em> in the UAC<\/em> popup and click Yes
              \n\"15local\"<\/li>\n
            3. Verify the settings and click Select Users\u2026
              \n<\/em>Note<\/strong>: Notice the greyed out settings which is due to our\u00a0GPO
              \n\"24-rdp\"<\/strong><\/em><\/li>\n
            4. Notice our Local Administrators Group and how it says<\/em> TEST\\morten already has access (via the Group, so no need to add myself Again).
              \n\"17-local\"<\/li>\n<\/ol>\n<\/div>\n
              <\/div>\n","protected":false},"excerpt":{"rendered":"

              We are going to give access to a Group of people to RDP to Workstations and have local administrators rights. In order for RDP to work we also need to open firewall. While reading you might want to consider to split up this (monolithic) GPO and single Security Group\u00a0into 2 Security Groups and 3 smaller […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[42,55,48],"tags":[],"class_list":["post-2026","post","type-post","status-publish","format-standard","hentry","category-ad","category-gpo-group-policy","category-microsoft-windows-server-2012"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/2026","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2026"}],"version-history":[{"count":1,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/2026\/revisions"}],"predecessor-version":[{"id":2027,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/2026\/revisions\/2027"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2026"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2026"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2026"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}