How to enable Remote Desktop on Domain Controllers for non-admins

Our cyber team needs remote desktop access to our domain controllers for read purposes. They're part of the built-in "Remote Desktop Users" group, but that doesn't give them RDP access. I thought this group was designed specifically for RDP access to DCs as it's not available for selection within group policy preferences. When I try to log in as a member of the remote desktop services group I get an error on the DCs:

"To sign in remotely, you need the rights to sign in through Remote Desktop Services. By default, members of the Administrators group have this"


It seems that the built-in "remote desktop users" does nothing by default (?)


I'm planning on adding the remote desktop users group to a domain controller GPO with the setting "Allow log on through Remote Desktop Services". Is this the best way to provide RDP access to the cyber security team?


Also, will using this GPO impact any other settings such as "Allow logon locally"?
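The two settings named in the question are separate user rights: "Allow log on through Remote Desktop Services" is SeRemoteInteractiveLogonRight and "Allow log on locally" is SeInteractiveLogonRight, and granting one never changes the other. The PowerShell below is an added example, not code from the thread or from Microsoft, that exports the effective user rights of the machine it runs on with secedit and lists who holds each of those rights (plus the matching Deny right, which always wins over Allow). Run it elevated on the DC in question; on a domain controller the RDP right is held by Administrators only by default, whereas a member server also lists Remote Desktop Users (S-1-5-32-555), which is why the built-in group appears to "do nothing" on DCs. The temp file path is an assumption; any writable path works.

```powershell
# Added example (not from the original thread): audit who holds the logon
# user rights discussed above on the local machine. Run from an elevated prompt.
$cfgPath = Join-Path $env:TEMP 'userrights-audit.inf'   # assumed scratch path
secedit /export /cfg $cfgPath /areas USER_RIGHTS | Out-Null

# Canonical secedit names for the rights in question, in display order.
$rights = [ordered]@{
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
}

function Resolve-PrincipalToken {
    param([string]$Token)
    # secedit writes SIDs with a leading '*'; some well-known names appear bare.
    if ($Token -notlike '*S-1-*') { return $Token }
    $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                      -ArgumentList $Token.TrimStart('*')
    try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Token }   # orphaned SID or no DC reachable: show it raw
}

# Only the "SeXxx = ..." lines of the [Privilege Rights] section matter here.
$privilegeLines = Get-Content $cfgPath | Where-Object { $_ -match '^Se\w+\s*=' }

foreach ($name in $rights.Keys) {
    $line = $privilegeLines | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    if (-not $line) {
        "{0}: not defined (nobody holds it)" -f $rights[$name]
        continue
    }
    $members = ($line -split '=', 2)[1].Trim() -split ',' |
               ForEach-Object { Resolve-PrincipalToken $_.Trim() }
    "{0}:" -f $rights[$name]
    $members | ForEach-Object { "    $_" }
}

Remove-Item $cfgPath -ErrorAction SilentlyContinue
```

Adding Remote Desktop Users to "Allow log on through Remote Desktop Services" in a Domain Controllers GPO would make the group appear under the first heading only; "Allow log on locally" is untouched. If a principal also appears under a Deny heading, the logon still fails, so check both before concluding the GPO did not apply.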

2 Replies

Hi HungryMoo,

I advise:
- only allowing domain administrators to log in to domain controllers
- preventing the use of Remote Desktop to interactively manage domain controllers
- never using the Remote Desktop Users group (in general: never use built-in groups)
- implementing a secure administrative "jump server" architecture

Thanks Mathieu,
"never using the Remote Desktop Users group (in general: never use built-in groups)" - the group is empty by default. The obvious question being, if they're never intended for use, why have them in the first place?