Applies to: Windows Server 2008, 2008 R2 and 2012

Context and Requirement: 

You have a few junior admins or developers who need to log on to the servers for monitoring or some other activity, and you don't want them to have local Administrator privileges. If only one or two servers are involved, it is easy to let users log on through Remote Desktop Connection: simply add the desired user IDs to the local built-in Remote Desktop Users group on each individual server.

Now suppose you need to allow a set of people to log on remotely through Remote Desktop Connection to a large number of servers. How would you do that? In this scenario, Group Policy comes in handy.

Prerequisites:

You need to have minimum permissions to Read/Edit/Modify GPOs.

Access to GPMC from any member server or from a DC or from a Workstation with RSAT installed.

Move desired server computer objects to a designated OU.

Create a Domain Security Group and add desired user IDs.

Details: 

We can use Restricted Groups to add domain users or groups to the Remote Desktop Users group on servers using Group Policy.

Open up GPMC. You may create a new GPO or edit and update an existing GPO.

In this article, I am going to edit an existing GPO.



Group Policy Management Editor will open up. Navigate to Computer Configuration / Policies / Windows Settings / Security Settings / Restricted Groups.

Right-click Restricted Groups and click Add Group.



Click on Browse



Add the group (the group that contains the users you would like to allow to log on to the servers remotely).



Click OK twice. You will see the Restricted Groups properties, which contain two different settings: Members of this group: and This group is a member of:

Under This group is a member of:, click Add... and then click Browse.



Here, in the Select Groups properties, click Locations, select Local Computer, and click OK.



Type Remote Desktop Users in the object names field, click Check Names, and then click OK three times.



You should see the following screen



Close the Group Policy Management Editor and refresh the policy you just edited.

Make sure the GPO is linked to the appropriate OU where your server computer objects reside.

During the next Group Policy refresh, the group (Remote Server Users) will be added to the local Remote Desktop Users group on the servers, and members of that group will then be able to log on to the designated servers.
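To confirm the result after the refresh, the following added PowerShell example (not part of the original article) reads the local Remote Desktop Users group through the WinNT ADSI provider and reports whether the expected domain group is present and which other members exist. The domain name CONTOSO, the server names SRV01 and SRV02, the account jdoe and both function names are assumptions; Remote Server Users is the group name used above.

```powershell
# Added example: audit the local "Remote Desktop Users" group on servers
# covered by the GPO. The WinNT ADSI provider is used because the
# Get-LocalGroupMember cmdlet is not present on these Windows Server versions.

function Get-RdpGroupMember {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Remote Desktop Users,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://DOMAIN/Name; convert it to DOMAIN\Name
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Compare-RdpGroupMember {
    param(
        [string[]]$Actual,                                  # members found on the server
        [Parameter(Mandatory=$true)][string]$ExpectedGroup  # group the GPO should have added
    )
    New-Object PSObject -Property @{
        # -contains and -ne compare case-insensitively, like Windows account names
        ExpectedPresent = ($Actual -contains $ExpectedGroup)
        Unexpected      = @($Actual | Where-Object { $_ -and $_ -ne $ExpectedGroup })
    }
}

# Constructed sample membership, so the comparison can be tried without a server.
# CONTOSO and jdoe are made-up names.
$sample = 'CONTOSO\Remote Server Users', 'CONTOSO\jdoe'
Compare-RdpGroupMember -Actual $sample -ExpectedGroup 'CONTOSO\Remote Server Users'

# Against live servers (hypothetical names), from an account allowed to query them:
# 'SRV01', 'SRV02' | ForEach-Object {
#     $result = Compare-RdpGroupMember -Actual (Get-RdpGroupMember -ComputerName $_) `
#                                      -ExpectedGroup 'CONTOSO\Remote Server Users'
#     $result | Add-Member -MemberType NoteProperty -Name Server -Value $_ -PassThru
# }
```

Because This group is a member of: only adds the group and does not remove existing members, the Unexpected list is where accounts that were added by hand on individual servers will show up.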
